What's new

Find out what's new in these releases of the Samsung Knox SDK:

Knox SDK 3.9 (Knox API level 36)

November 2022

The Knox 3.9 platform introduces these new features:

Introducing unified work profiles

Previously, there were two types of work profiles supported on Samsung Knox devices — work profile, and work profile (Premium). Available features in these 2 types of work profiles depended on whether a Knox Platform for Enterprise (KPE) premium license was activated. However, KPE is now a free product as of July 2021, and all the premium features of KPE and work profile (Premium) are supported free of charge.

Starting from Android 13 OS, work profile and work profile (Premium) are combined into a unified work profile, which offers all the premium and basic features in one place. A KPE premium license activation is still required in order to use the KPE premium features or the APIs in the unified work profile. To learn about these new changes, see Work profile unification.

API enhancements

Force device auto start-up when power is supplied

The setForceAutoStartUpState API now supports devices with MediaTek and UniSOC chipsets from Knox 3.9 onwards, in addition to the Qualcomm and LSI chipsets that were supported earlier.

Access Smart View during kiosk mode

Because the Quick panel is hidden in kiosk mode, Samsung Smart View wasn't accessible to the end user. Now, with the new startSmartView API, you can force start Samsung Smart View.

API deprecation

As part of Samsung's ongoing efforts to streamline our services with the market, we deprecate certain APIs from time to time. Deprecated APIs in Knox 3.9 will work normally for Android 13. Additionally, we continue to provide technical support for deprecated APIs up to one year after the deprecation. The APIs continue to be available in the second year after deprecation, but satisfactory operation is not guaranteed. We recommend replacing newly deprecated APIs before they are removed permanently. Please see API deprecation journey for details. See the list of deprecated APIs for a list of APIs deleted in this and past releases.

DSC enhancement: Change device name remotely

With the Knox Service Plugin's Deep Settings Customization (DSC), you can change the name of a device remotely using your MDM console. This might come in handy when, for example, you want the device name to be the same as its Bluetooth connection name.

IMPORTANT — This feature is only available using the Knox Service Plugin (KSP) in a future release. Third-party apps cannot use DSC directly.

Knox SDK 3.8 (Knox API level 35)

November 2021

The Knox 3.8 platform introduces these new features:

  1. Additional Advanced Access Control enhancements
  2. Peripheral SDK for Knox 3.8
  3. API enhancements
  4. Deep Settings Customization enhancements
  5. Enhanced Attestation V4 improvements
  6. Knox SDK for ISV device APIs
  7. Optimize SUW for AER for managed devices
  8. Separated Apps v2
  9. TIMA/CCM keystore deletion
  10. VPN platform enhancements - Auto Recreation of profile
  11. Android 12 OS changes

As with past releases, new features are offered through one of the following:

  • Knox Service Plugin (KSP), which provides new features on the day of release to IT admins using UEM solutions supporting KSP
  • Knox SDK, to provide more powerful programmatic and integrated control to developers creating app solutions
  • Knox platform, which is factory-installed on Samsung Knox devices

Read on to find out more about how you can benefit from the new features.

Additional Advanced Access Control enhancements

For device users who need security features over and above the standard features of Knox enterprise, this release provides additional Advanced Access Control (AAC) enhancements. These enhancements add additional KPE features and use Continuous Multi-Factor Authentication (CMFA) to automatically log users in to their phone and applications without needing their credentials at each login.

The framework uses the following factors to test the device's trust score:

  • Face recognition factor that authenticates the user with facial recognition using the front-facing camera.
  • Device integrity factor that calls the keystore attestation API to obtain integrity information from ICCC TA.
  • Touch Dynamics factor that uses commonly used keystroke pattern data to verify that the current user is an authorized user of the device and the work profile.

This release focuses on adding the previously mentioned touch dynamics factor. This factor analyzes the digital signatures generated when a human interacts with a device, commonly known as keystroke or typing patterns, to verify that the user typing on the device is the authorized primary user of the device. In cases where the user is determined not to be the primary, authorized user, the Work profile on the device is locked and access to sensitive data is immediately revoked.

For more information on AAC, see Additional Advanced Access Control enhancements.

Peripheral SDK for Knox 3.8

This release provides partners with a new SDK to develop applications for peripheral devices such as barcode scanners. Currently, the SDK supports the KOAMTAC USB scanner and BT scanner.

To support the BT scanner, the following APIs are provided:


| Name | Description |
|---|---|
| PeripheralDataListener | Used by privileged application to get peripheral data |
| PeripheralInfoListener | Used by privileged application to get peripheral information |
| PeripheralResultListener | Used by privileged application to get result from PeripheralManager functions |
| PeripheralStateListener | Used by privileged application to get state change event from peripheral service |


| Name | Description |
|---|---|
| PeripheralBarcodeConstants | This class defines Barcode constants |
| PeripheralBarcodeConstants.Option | This class defines Barcode options |
| PeripheralBarcodeConstants.Symbology | This class defines Barcode symbology |
| PeripheralBarcodeConstants.Symbology.Type | This class defines Barcode symbology type |
| PeripheralConstants | This class defines Peripheral constants |
| PeripheralConstants.BarcodeDataProcessMode | This class defines Barcode Data Process Mode. |
| PeripheralConstants.BatteryStatus | This class defines battery status. |
| PeripheralConstants.BeepSoundEffect | This class defines options for making beep sound. |
| PeripheralConstants.BtConstants | This class defines Bluetooth constants |
| PeripheralConstants.BtPeripheralListOption | This class defines options for Bluetooth Peripheral list. |
| PeripheralConstants.ConnectionProfile | This class defines connection profile. |
| PeripheralConstants.ConnectionState | This class defines connection state. |
| PeripheralConstants.ConnectivityType | This class defines connectivity type. |
| PeripheralConstants.DataClearOption | This class defines data clear option. |
| PeripheralConstants.DataResetOption | This class defines data reset option. |
| PeripheralConstants.DataSyncOption | This class defines data sync option. |
| PeripheralConstants.DataType | This class defines data type. |
| PeripheralConstants.DeviceType | This class defines device type. |
| PeripheralConstants.DisplayText | This class defines options for displaying text |
| PeripheralConstants.ErrorCode | This class defines Peripheral ErrorCode. |
| PeripheralConstants.EventType | This class defines event type. |
| PeripheralConstants.FirmwareUpdateStatus | This class defines firmware update status. |
| PeripheralConstants.NfcTagType | This class defines NFC Tag type. |
| PeripheralConstants.PeripheralInfo | This class defines Peripheral information field. |
| PeripheralConstants.PeripheralState | This class defines Peripheral state. |
| PeripheralConstants.Result | This class defines Peripheral result. |
| PeripheralConstants.UHFDataType | This class defines UHF Data Type. |
| PeripheralConstants.VendorKoamtac | This class defines koamtac data. |
| PeripheralConstants.VendorKoamtac.FirmwareType | This class defines koamtac firmware type. |
| PeripheralConstants.VibrationEffect | This class defines options to make vibration. |
| PeripheralManager | Public interface to manage peripheral service |

API enhancements

This release includes several API enhancements and bug fixes, and adds support for additional Knox services. These enhancements are as follows:

  • Increase in the security of Wi-Fi protocols — IT admins can now set the Wi-Fi security level as WPA3 type using the Knox setMinimumRequiredSecurity() API. setWifiProfile and setWifiApSetting also support the WPA3 type. Of the WPA3 specs, Knox v3.8 supports only SECURITY_TYPE_SAE (WPA3 Personal). Once the IT admin selects WPA3 as the Wi-Fi security type, access is denied for any APIs that support another security type and the device can connect only to WPA3 Wi-Fi networks. The IT admin can use getMinimumRequiredSecurity() to check if this policy is applied. Once set, this security type persists even upon device reboot.

Deep Settings Customization enhancements

IMPORTANT — This feature is made available using Knox Service Plugin (KSP). Third-party apps cannot use Deep Settings Customization (DSC) directly.

The Deep Settings Customization (DSC) enhancements made with this release close some UI vulnerabilities of device security controls as follows:

  • Block gesture options in Kiosk mode — In some use cases, in spite of IT admins blocking the Home key in Kiosk mode, device users could use the Gesture event to exit the Kiosk mode and potentially access sensitive data. With this release, IT admins can enable Kiosk mode as well as disable the Gesture option in Advanced features. The IT admin can now restrict the device user from using the following gestures to exit the Kiosk mode:
    • Short press the Home button.
    • Swipe down from the center of the bottom edge of the screen.
  • Support additional sound settings — IT admin can now use KSP to configure the sound options that were previously set using the following APIs:
  • Disable third-party content menu setting — The in-built Samsung keyboard allowed device users to select the Third-party content menu item on the Samsung keyboard to bypass restrictions on using the Internet on their devices. This release allows IT admins to disable the use of this menu from the Settings > Language and input > On-screen keyboard > Default keyboard > Samsung Keyboard settings > Third-party content option.
    IMPORTANT — If the third-party app is already installed on the device, blocking this option does not disable the current keyboard deep settings. Users can still continue to access the Internet from this option.
  • Disable Wi-Fi proxy settings menu — IT admins can now disable the use of the Wi-Fi proxy settings menu to ensure that a blacklisted domain is never accessible once the blacklisting policy is set.
  • Restrict sharing of Wi-Fi profiles using QR codes — IT admins can now use KSP to restrict users from sharing Wi-Fi profiles, including login credentials and passwords, with other devices using QR codes.
  • Change password settings — IT admins can now use KSP to hide or disable the screen lock type menu item. IT admins can also set the screen lock type to None.
  • Hide virtual keyboard when an external keyboard is connected — With this release, IT admins can now hide the virtual keyboard that shows up on the device’s screen even when an external keyboard or input device (such as a scanner) is connected to the device.

Each KSP release introduces additional deep settings so you are encouraged to browse the KSP release notes or KSP policy schema for all the latest capabilities.

Enhanced Attestation V4 improvements

These enhanced attestation (EA) V4 improvements allow the EA server to communicate directly with the device running Knox Works. The changes are as follows:

Knox SDK for ISV device APIs

Knox 3.7.1 introduced support for Independent Software Vendors (ISVs) in response to Google's DA deprecation as well as to make a foray into the Frontline market at the same time. The Knox SDK focuses on managed devices and horizontal solutions, and did not traditionally suit ISVs interested in a few vertical dedicated APIs. KPE now supports these ISVs by providing Frontline targeted features. Knox SDK for ISV phase 1 APIs included KPE features that cover only a few requirements from the Frontline market. Knox SDK for ISV phase 2 APIs, introduced with this Knox 3.8 release, include new APIs geared towards adding support for ISVs rather than for the traditional MDM vendors. This release includes the following additional feature for on-device configuration and device management functionality:

  • Customize hardware actions — This new feature focuses on ISV apps running on unmanaged devices. The new feature installs a third-party (ISV) app on unmanaged devices. The API further remaps the XCover keys to perform a different operation from the one specified by the default settings. The remapping can take the form of mapping the keys to open the third-party app instead. The third-party app can then set an action to start a device broadcast whenever the XCover key is pressed.
    NOTE — The third-party app cannot restrict users from manually changing XCover key settings back to their preferred action.

Optimize SUW for AER for managed devices

Currently, the setup wizard (SUW) for Android Enterprise Recommended (AER) devices includes options that allow device users to consent to collection of marketing and other data. The collection of these items is not recommended or appropriate for managed devices. To close this gap, the SUW should be changed to disallow data collection. To implement this change, the SUW now includes options that allow the user to consent to data collection, but in case of managed devices, data collection is automatically disabled for the device.

NOTE — Device users can further modify these options from the Device Settings > Privacy menu.

For more information on this feature, see Optimized Setup Wizard for AER (Android Enterprise Recommended).

Separated Apps v2

This release adds additional functionality to the features available with Separated Apps V1. Separated Apps V2 features include items that were either not released with V1 or identified as needing enhancements after V1 was released. V2 includes the following features:

  • Improve the Separated Apps user experience — The Separated Apps user experience includes improvements that allow device users to:
    • Change folder names and color for Separated Apps
    • Select multiple Separated Apps for uninstallation
    • Long-press the Separated Apps app icon to bring up a quick option menu, similar to other apps
  • Allow use of biometric methods for Separated Apps — For devices where biometric authentication methods are set up in User0 or for other apps, Separated Apps can now use these registered biometric methods as well.
    NOTE — Currently, biometric settings for Separated Apps are also controlled by the common Device Settings menu.
  • Set remote control and screen capture behavior — IT admins can now control the remote control and screen capture features not only for User0 but also for Separated Apps. Depending upon whether the screen capture and remote control features are activated from within User0 or Separated Apps, the resulting image or media is stored in User0 or Separated Apps storage space.

TIMA/CCM keystore deletion

TIMA/CCM keystores are planned for deprecation with this release. The following default Samsung keystores will replace Knox keystores for B2B use cases:

  • TIMA keystore
  • CCM keystore
  • CEPConstants (deprecated at v3.8)

For detailed information on the deprecation, see Deprecation of TIMA/CCM Keystore support.

VPN platform enhancements - Auto Recreation of profile

This release includes VPN enhancements to improve the security of managed devices. For managed devices, the VPN framework tries to recreate the VPN profile configuration and reconnect the VPN connection automatically for any VPN clients installed on managed devices. This automatic reconnection happens in the following two cases:

  • A device user clears data intentionally or accidentally
  • There is an issue with the VPN client during the create connection process, and the database saving process is not complete, such as during device reboot or VPN client restart

This automatic reconnection feature ensures there is no data leakage for apps that are configured to connect using the VPN profile. In cases where the reconnection effort fails, the VPN framework notifies the EMM client, allowing it to apply security policies such as locking the Work container or the entire device, as well as apply firewall rules and recreate VPN policies.

To read more about this feature, see VPN Platform Enhancement.

Android 12 OS changes

Knox 3.8 is based on the Android 12 OS. The following changes are included in this release:

  • Password policy modifications — This release improves the password complexity feature to reduce the risk of users forgetting their passwords and needing to factory reset their devices to reset the password. This feature sets device-wide password requirements in the form of predefined complexity buckets, such as High, Medium, Low, and None. If necessary, IT admins can then set stricter password requirements on the work profile’s security challenge.
  • Sensor permission restrictions — The ApplicationPolicy.applyRuntimePermissions API is now removed from use. As a result, IT admins can no longer silently grant the permissions to use the following sensors:
    • Camera (CAMERA)
    • Microphone (RECORD_AUDIO)
    • Body sensor (BODY_SENSORS)
    • Physical activity (ACTIVITY_RECOGNITION)
  • Network logging delegation — IT admins were previously able to set and retrieve work profile network logging. With this release, IT admins can now delegate network logging on the work profile to another work application.
    NOTE — IT admins cannot use network logging to monitor traffic in the personal profile.
  • Managed device control enhancements — The following new features are available for company-owned devices:
    • An IT administrator can disable USB, except for charging functions, on company-owned devices. This feature includes the capability to check if this feature is supported on the device and if it is currently enabled.
    • Company-owned devices with a work profile can limit the input methods used in the personal profile to allow only system input methods.

Knox SDK 3.7.1 (Knox API level 34)

March 2021

The Knox 3.7.1 platform introduces new features to provide broad support for operational technology teams in industrial sectors. New features include:

  • Device Management for Independent Software Vendors (ISVs), who no longer need Device Admin (DA) permission to configure devices
  • Peripheral Management for devices such as barcode readers, which can be integrated with a smartphone via USB or wirelessly
  • Machine Learning Model Protection, to encrypt ML data on the device and control access to the data

As with past releases, new Knox features are offered through one of the following:

  • Knox Service Plugin (KSP), which provides new features on the day of release to IT admins using UEM solutions; for the latest features offered through KSP, browse the Release Notes
  • Knox SDK, to provide more powerful programmatic and integrated control to developers creating app solutions
  • Knox platform, which is factory-installed on Samsung Knox devices

Read on to find out more about the new features.

Independent Software Vendor APIs

With this release, there are new APIs geared more for Independent Software Vendors than for the traditional Mobile Device Management (MDM) vendors.

To use these ISV APIs, an app does not need the following:

  • Device Admin permission. MDM apps need the permission android.permission.BIND_DEVICE_ADMIN for more powerful system-level control over a device, which device users can opt not to grant. Google has deprecated the Device Admin (DA) mode of device management. Although apps can continue to use the permission, Google no longer recommends it. An ISV app needs only the permissions for features it uses. For details, see ISV Permissions and Declare Knox permissions.
  • Knox license. Corporate managed devices don't need to activate a Knox license to use the new ISV APIs. More specifically, license activation is not needed for the Device Owner (DO) or Profile Owner (PO) on a company-owned device. License activation is still needed for BYOD deployments. For more about these deployments, see Device management modes.
  • Network connection. Since ISV apps on corporate devices no longer need a license, there's no need to validate the license with a cloud-based or on-prem license server, making ISV apps suitable for offline deployments.

The new Knox 3.7.1 features, which use this ISV model, have API packages in the .knox.ex (extension) namespace:

For information about existing ISV features that do still need Device Admin permission, see Independent Software Vendors (DA).

Device Management for ISVs

You can now configure mobile devices without needing DA permission. This release introduces new ISV APIs to ease the setup of the following device features:

  • Device: Force device to boot up when power is applied, set the screen timeout, control screen auto-rotation, set the audio volume.
  • Settings: Enable touch sensitivity, map a hardware key to an app, set screen brightness, set the default language, set the input method, turn power saving on and off.
  • Networks: Turn on or off Wi-Fi or NFC; connect with a Wi-Fi access point.
  • Apps: Grant app permission to access USB device, add app for battery optimization, remove a digital assistant app.
  • Date and time: Set the device date and time manually; enable automatic time setting; select 12 or 24 hour time format.
  • Font: Get the supported font sizes, set the font size.

For details about using these APIs, see the Overview, Tutorial, and sample app.

Peripheral Management

In addition to managing mobile devices, you can use the Knox SDK to manage peripherals that are connected to or integrated with devices. Specifically, you can remotely and centrally automate the setup, monitoring, diagnostics, and control of peripherals in distributed locations. Through peripherals such as barcode readers, you can also collect business and operational data for wide-ranging applications in sectors such as manufacturing, inventory, transportation, and retail.

With the Knox SDK, you can fully configure and manage both mobile devices and connected peripherals at the same time, easing development, testing, deployment, and later updates. The available peripheral features depend on the peripheral, but can include the following:

  • Get available peripherals, peripheral info, connection profile, configuration.
  • Configure connection profile, peripheral.
  • Register listeners for barcode data, plugin info, peripheral info, peripheral state.
  • Enable, disable, start, stop peripheral.
  • Get stored data, clear memory.

Peripheral info can include the following:

  • Peripheral: Type, manufacturer, model, name, serial number.
  • Peripheral status: State, battery level, usage count, firmware update status.
  • Vendor plugin: Vendor, name, package name, service name, version.
  • Barcode: Type (1D, 2D), symbology (UPC, Code 39, EAN, and so on), options (start/stop characters, check digits, concatenation, and so on), process mode (store, wedge).
  • Barcode options: Clear (first, last, all), reset (all data, system time), sync (system time).
  • Connection: Type (Bluetooth, USB, internal), profile, state.
  • Error types: Framework, peripheral, plugin errors.

For details, see Peripherals Overview, How it works, Tutorial, and sample app.

Machine Learning Model Protection

Knox offers a Neural Model Encryption feature for customers to easily deploy their AI/ML models on the mobile device while leveraging Samsung Knox's defense-grade security. This feature ensures that a plain ML model is never stored on the device. The processing for an encrypted model is separate from that of an unencrypted model, and this separation provides model isolation for customers of Knox for Model Protection.

Along with the encryption of ML files, Knox for Model Protection provides access control over the application packages that can load the encrypted model. For details, see Machine Learning/Neural Model encryption, APIs, and Deployment.

Knox SDK 3.7 (Knox API level 33)

September 2020 — Early Access Test

The Knox 3.7 platform introduces these new features:

  • Work profile on company-owned devices
  • Device owner with app separation
  • Lock screen enhancements
  • Deep Settings customization
  • Bug fixes and feature enhancements

As with past releases, new features are offered through one of the following:

  • Knox Service Plugin (KSP), which provides new features on the day of release to IT admins using UEM solutions supporting KSP
  • Knox SDK, to provide more powerful programmatic and integrated control to developers creating app solutions
  • Knox platform, which is factory-installed on Samsung Knox devices

Read on to find out more about how you can benefit from the new features.

Work profile on company-owned devices

Google's Android 11 release:

To migrate to the new work profile on company-owned devices, see:

  • Work profile on company-owned devices: Describes what's changing and how existing fully managed devices with work profiles will migrate during an Android 11 upgrade.
  • Prepare Knox for Android 11: Describes what happens with KSP, VPNs, NPA, firewalls, global proxies, Samsung Email, SDP, Audit Logs, DualDAR, UCM, and E-FOTA with an upgrade to Android 11, and what to do to migrate successfully. Also describes
  • Knox APIs in the personal profile: Lists the Knox APIs that can still be called on the personal profile of a company-owned device running Android 11.

For personal profile management, the profile owner of a work profile on company-owned devices must first create a parent instance before calling a Knox policy. Use either of the following new API methods:

To call the new API methods:

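// Parent instance of EnterpriseDeviceManager: policies obtained from it target the parent (personal) profile
EnterpriseDeviceManager edm = EnterpriseDeviceManager.getParentInstance(context);
ApplicationPolicy obj = edm.getApplicationPolicy();
// Call Knox policy for parent

// Parent instance of EnterpriseKnoxManager, for the Knox-specific policies
EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getParentInstance(context);
AdvancedRestrictionPolicy obj = ekm.getAdvancedRestrictionPolicy();
// Call Knox policy for parent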


Device owner with app separation

There are some limitations with the new work profile on company-owned devices. For example, customers might want:

  • Password reset on the device
  • Mobile Threat Defense solution in user0
  • General visibility and control of DNS filtering, APN, and so on

Enterprises can migrate to a new Samsung-exclusive mode: device owner with app separation. In this mode, the enterprise continues to have full visibility and control over their company-owned devices with work apps separated through a lightweight container.

Set up this new mode through the Knox Service Plugin (release at end of September).

Lock screen enhancements

This release offers several customer-requested enhancements to the lock screen:

| Feature | Issue | Enhancement |
|---|---|---|
| Admin lock on Knox license expiry | When a license expires, the device or the profile is immediately admin locked from a security and management point of view. | The users can use the existing device or profile under the policies. |
| Admin lock on maximum failed passwords | The device is admin locked when a user fails 5 times (assuming the maximum failed password count is 5). | The profile (PO) will be admin locked or wiped instead of device locked when the user fails 5 times. |
| Face unlock for work profile | Lack of face unlock to open a work profile. | Face authentication allowed for profile owner. There will be a new API to enable or disable this feature. |
| Advanced access control for work profile | When a work profile is unlocked, unauthorized people can easily access the data inside the profile at any time. | When a non-registered user (who is not the owner) is detected, the profile is locked automatically based on face authentication. There will be a new API to enable or disable this feature. |

Deep Settings customization

This release expands the list of deep settings introduced with Knox 3.4, delivering options to configure the following Settings options through the Knox Service Plugin.

| Setting | Description |
|---|---|
| Hardware key remapping | Ruggedized devices such as the XCover Pro expand their key remapping capabilities, supporting: Keys: Xcover, Top, Side, Hook (ear-set) key; Events: short, long press, and double press; Actions: App launch, Activity launch |
| Side Key setting | The new Side key, which combines the Power and Bixby keys, can now be enabled or disabled in the Settings. |
| APN change disabling | APN can now be disabled or grayed out in the Settings. |
| Dual SIM management | Devices with dual SIMs can now configure preferred SIM cards for each call, SMS, and data. While the SIM manager is configured through deep settings, the e-sim menu will be disabled automatically. |

Each KSP release introduces additional deep settings so you are encouraged to browse the KSP release notes or KSP policy schema for all the latest capabilities.

Bug fixes and feature enhancements

The release fixes the following customer-reported bugs:

| Bug | Issue | Fix |
|---|---|---|
| Ownership transfer for DPM | In the case of a profile owner, a work profile is removed when an IT admin tries to transfer ownership using the DPM.transferOwnership API. | Ownership migration is now supported |
| Filter data traffic for tethering using Firewall | Samsung devices provide an enhanced Knox firewall, but the policy does not affect tethered devices such as laptops and tablets. | The Knox firewall policy now includes tethered devices. |
| Ultra-wideband control | UWB was introduced with the Galaxy Note20 but IT admins could not control it. | There will be a new Knox API to enable and disable UWB. |


Knox SDK 3.6 (Knox API level 32)

August 2020

The Knox 3.6 platform advances Samsung's commitment to helping you customize and secure mobile devices, by introducing these new features:


  • Hardware key mapping for the Galaxy XCover series to enable the XCover and Top hardware keys to launch specific apps
  • Additional Deep Settings Customization for granular control over the settings users can and cannot access through the Settings app
  • Samsung DeX foreground app intents to enable an app to customize actions based on whether it is in focus during DeX dual mode
  • Quick Panel control over the Daily Board, to prohibit devices from showing potentially sensitive content such as calendar events and photos while charging


  • advanced Knox VPN capabilities for work profiles in Profile Owner mode, for organizations with PO deployments
  • certificate authentication for USB-tethered laptops using the defense-grade Knox mobile VPN network
  • firewall configurations based on network interfaces such as wlan0 or eth0

As with past releases, new features are offered through one of the following:

  • Knox Service Plugin (KSP), which provides new features on the day of release to IT admins using UEM solutions supporting KSP
  • Knox SDK, to provide more powerful programmatic and integrated control to developers creating app solutions
  • Knox platform, which is factory-installed on Samsung Knox devices

Read on to find out more about how you can benefit from the new Knox 3.6 features.

XCover Pro hardware keys

Get the most out of the new ruggedized Samsung XCover devices by customizing the XCover and Top hardware keys.

The latest version of the Knox Service Plugin lets you:

  • Set up short or long key presses to launch selected device apps
  • Disable hardware key options in a device's Android Settings menu

For more information, see the latest KSP release notes or KSP policy schema.

Deep Settings Customization

This release expands the list of deep settings introduced with Knox 3.4, delivering options to configure the following settings through the Knox Service Plugin.

| Setting | Description | Customize through KSP policy group | Options |
| --- | --- | --- | --- |
| Wi-Fi Direct | Allows two devices to establish a direct, peer-to-peer Wi-Fi connection without requiring a wireless router. | Device Restrictions | Allow / Do not allow |
| Keyboard language shortcut | Allows virtual keyboard shortcuts to change the keyboard language. | Configure values in settings menu | On / Off / Use specific value / Allow user to modify setting / Hide setting |

Each KSP release introduces additional deep settings so you are encouraged to browse the KSP release notes or KSP policy schema for all the latest capabilities. Coming soon: Deep settings to manage Picture-in-Picture and DeX monitor resolution.

DeX foreground app

Samsung DeX in dual mode increases mobile productivity, letting you use a device while presenting separately on an external display.

You can now check if an app is in the foreground while in dual mode. One use case for this is in a banking scenario, where a banking customer is using a tablet and a bank employee is using the connected monitor to access an internal banking app. An app can now determine if it is currently in focus or not, and customize actions available to the app user.

Use the Knox SDK to check the focus state:

  1. Monitor the focus of an app's package with ApplicationPolicy.addPackagesToFocusMonitoringList().
  2. Inspect the ACTION_APPLICATION_FOCUS_CHANGE intent when a focus change occurs for that package.
  3. Extract the new EXTRA_APPLICATION_FOCUS_DEX_MODE field from the intent. The value is true if the app is in focus.

For more about using the Knox SDK to control DeX features, see Samsung DeX and Knox.
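
The three steps above combined into one receiver, added here as an example and not taken from Samsung's sample code. It assumes addPackagesToFocusMonitoringList() takes a List<String>, that the intent constants are defined on ApplicationPolicy, that the DeX extra is a boolean, and that the calling admin app has an activated Knox license; DexFocusMonitor and Listener are hypothetical names.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;

import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.application.ApplicationPolicy;

import java.util.Collections;

/** Added example: tracks whether one monitored package has focus in DeX dual mode. */
public final class DexFocusMonitor extends BroadcastReceiver {

    /** Hypothetical callback; the app decides what to show or hide. */
    public interface Listener {
        void onDexFocusChanged(boolean inFocus);
    }

    private final Listener listener;

    public DexFocusMonitor(Listener listener) {
        this.listener = listener;
    }

    /** Step 1: ask Knox to monitor the package, then listen for focus changes. */
    public void start(Context context, String packageName) {
        ApplicationPolicy policy =
                EnterpriseDeviceManager.getInstance(context).getApplicationPolicy();
        // Assumption: the method accepts a List<String> of package names.
        policy.addPackagesToFocusMonitoringList(Collections.singletonList(packageName));

        // Apps targeting Android 14 or later must also pass an export flag
        // (RECEIVER_EXPORTED / RECEIVER_NOT_EXPORTED) when registering here.
        context.registerReceiver(this,
                new IntentFilter(ApplicationPolicy.ACTION_APPLICATION_FOCUS_CHANGE));
    }

    public void stop(Context context) {
        context.unregisterReceiver(this);
    }

    @Override
    public void onReceive(Context context, Intent intent) {
        // Step 2: only act on the focus-change intent.
        if (!ApplicationPolicy.ACTION_APPLICATION_FOCUS_CHANGE.equals(intent.getAction())) {
            return;
        }
        // Step 3: read the DeX focus extra. Defaulting to false fails closed:
        // if the extra is missing, the app is treated as not in focus.
        boolean inFocus = intent.getBooleanExtra(
                ApplicationPolicy.EXTRA_APPLICATION_FOCUS_DEX_MODE, false);
        listener.onDexFocusChanged(inFocus);
    }
}
```

In the banking scenario, the listener would mask customer data whenever inFocus is false and restore it only when focus returns.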

Quick Panel display of Daily Board

Through the Knox SDK, you can control what appears on a device's Quick Panel, which is shown when you swipe down from the top of the screen. With this Knox 3.6 release, you can show or hide the button used to configure the Daily Board, which tablets can use while charging to display the time, weather, calendar events, and photos. For security reasons, you can prevent users from enabling or configuring the Daily Board through the Quick Panel. Use the following API constant:

For more about how to show or hide this button, see SystemManager.setQuickPanelButtons.

Knox VPN in work profiles

The Android VPN Management for Knox app extends the capabilities of the built-in Android VPN client, which provides only basic configuration as seen in the Android Settings app. The Knox app enables many more advanced Knox VPN capabilities on Samsung Knox devices.

Previously, the Android VPN Management for Knox app supported only Device Owner (DO) mode. Knox 3.6 now supports Profile Owner (PO) mode, enabling the same advanced Knox VPN capabilities from within a work profile. When installed inside a work profile, the new Knox app (v3.0.5) accesses an end-user/CA certificate inside the PO keystore to secure data transmission from within the work profile.

To deploy the new Android VPN Management for Knox app in a work profile:

  1. Log in to Knox Partner Portal > Dashboard > Download.
  2. Download the new Android VPN Management for Knox APK.
  3. Configure a UEM profile to push and deploy the APK in a work profile.

NOTE — The new Knox app is backwards compatible with devices running earlier, pre-3.6 versions of Knox.

For more info about the:

Certificate-based authentication for USB-tethered laptops

With Knox 3.5, Samsung Knox devices could extend a VPN tunnel to a laptop connected through USB. This provided laptop users with the ability to access internal enterprise resources using our defense-grade mobile VPN network. In addition to providing convenience when laptops do not have network connectivity, this offers company cost savings by removing the need to buy additional VPN licenses for laptops.

Knox 3.6 enhances this feature with better security and control. In terms of security, there is a new app that enables Samsung Knox devices to verify that a laptop is owned by the device user. When the user connects a laptop to a Samsung Knox device via USB, the app validates the user certificate on the laptop with allowed certificates installed by the IT admin on the device.

To deploy the new app to authenticate connected laptops:

  1. Log in to Knox Partner Portal > Dashboard > Download.
  2. Download the new USB Tethering Authentication for VPN APK.
  3. Configure a UEM profile to push and deploy the APK to devices.
  4. Identify the certificates of laptops allowed to connect via USB to each device for VPN access.

NOTE — The APK provided on the Knox Partner Portal supports only Samsung One UI flagship devices such as the Galaxy S/A/J and Tab S/A. We also have One UI Core devices such as the A21, Tab A7, M51, M31s, and A12. To deploy USB-tethered VPNs on a One UI Core device, please contact us to get another APK that uses a different Samsung platform signing key.

The Knox SDK v3.6 provides the following new API methods and constants to configure USB-tethered VPNs:

For additional information about configuring VPN profiles, see About Knox VPNs.

Firewall based on network types

Samsung Knox already provides granular control over firewalls on Samsung Knox devices. You can allow or prevent devices from sending or receiving data using specific IP addresses, port numbers, port locations, app identities, network interfaces (mobile, Wi-Fi), directions, or protocols.

With Knox 3.6, you can now also configure firewalls based on UNIX network interface names, for example, wlan0, wlan+, eth0, eth+. Use the following API methods:

For more information about defining firewalls, see Firewalls.

Deprecated APIs

This release deprecates the following API methods and constants:

See also the complete list of Deprecated API methods.

Knox SDK 3.5 (Knox API level 31)

February 2020

Samsung Knox 3.5 introduces new settings for granular control over areas like user experience, roaming, and certificate management. Most of these features come with the Samsung Knox Service Plugin (KSP), meaning IT Admins can use them immediately upon release.

For developers, Knox 3.5 also includes an improved embedded Secure Element (eSE) applet for Universal Credential Management.

UCM-eSE applet enhancement

Set up credential storage with improved security on embedded secure elements (eSEs). Samsung’s refined, preloaded eSE applet for Universal Credential Management (UCM) supports the latest cipher and signature algorithms like ECDSA/ECDH, HMAC, and CMAC for modern smart card storage.

Knox SDK 3.4.1 (Knox API level 30)

December 2019

Samsung Knox SDK version 3.4.1 extends our device manageability capabilities, optimizes existing features, and further harmonizes Knox with Android Enterprise.

Remote Support Enhancements

With this release, you can now:

  • enable remote support to work inside a work profile, as this restriction has been removed
  • remotely view and control the Samsung DeX screen
  • use the Knox Service Plugin to enable or disable remote support, using AllowRemoteSupport

For more information, see Remote Support Overview, Remote Control for Work Profile, and Remote Control for DeX.

Find My Mobile Unlock

Previously, a device locked by IT policy could be unlocked by the end user using the Find My Mobile unlock function.

For better security, devices that have password policies such as password quality applied by an IT admin cannot be unlocked through Find My Mobile.

Android Enterprise Harmonization

We are continuing to harmonize our Knox Platform for Enterprise (KPE) with Android Enterprise (AE), with this change in Knox 3.4.1:

  • Workspace name replaced with Work—The KPE Workspace container has been harmonized with the AE Work Profile. Accordingly, on the device UI, the Personal and Workspace tabs have been renamed Personal and Work.

Deprecated features

We have deprecated KPE features that are not being used, according to our extensive analytics. This is to streamline our operations and allow us to focus more on delivering newly requested features and less on maintaining low usage features. If you are using any of these features, which are described below, please review your solutions to see if you can remove or replace the features.

Which low-use features are being deprecated?

  • Samsung Single Sign On (Kerberos) — Samsung SSO enables Samsung devices to authenticate users against an Active Directory (AD) infrastructure using the well-known Integrated Windows Authentication (IWA) with Negotiate (using MIT Kerberos V5). Due to low usage, however, we are deprecating this SSO feature. If you are using Samsung SSO, try exploring other SSO solutions like Azure AD.
  • Knox container unlock using AD — With AD Containers, IT admins can enable corporate AD credentials to unlock the Knox Workspace container on a mobile device. Due to very low usage, this feature is also being deprecated.
  • Knox Shared Device — Knox Shared Device enables several enterprise employees to use the same device, without divulging individual settings, accounts, apps, or policies. Currently, you can enable this feature only through Knox Configure. With Google now offering Managed guest session devices, we are deprecating the Knox Shared Device.
  • Knox Cloud SDK — The Knox Cloud SDK enables you to configure Samsung devices through web-based REST API calls. Again, due to very low usage, we are deprecating this feature. Instead, you can use the more powerful, up-to-date, and device-based Knox SDK or Knox Service Plugin.

Also, this feature is no longer available due to security reasons:

  • Install apps — Previously, end users could move an app from the Personal space to the Work space (managed profile), through the Work space settings > Install apps menu option, which is enabled through the API method RCPPolicy.allowMoveAppsToContainer. As customers have raised concerns about the security of unmanaged apps, we have removed the menu option and API. Now, if you need to install apps into the Work space, you need to use either Google Play or the API InstallApplication.

What is the deprecation timeline?

If you have new devices with Android Q (Android 10), you will not be able to use these features anymore.

If you have devices with Android P (Android 9) or earlier, you can still use these features. Details are as follows:

  • Samsung SSO (Kerberos) and AD container—You can still use these features after a Q OS upgrade. But the features will not be available in Android R.
  • Knox Shared Device—Shared Device has been enabled only through Knox Configure (KC). Shared Device will be unavailable from Android Q onwards, and cannot be enabled by Knox Configure. However, if you are already using Shared Device, you can still use it after a Q OS upgrade, but you can use Knox Configure only to disable it. The Knox Configure console will show the supported OS version for Shared Device, and provide Shared Device only for devices that have a supported OS.
  • Knox Cloud SDK—This will not be supported on Android Q devices. Additionally, on:
    • February 26, 2020—We will be ending support for Cloud SDK across all devices. That is to say, users will no longer be able to create or edit existing Cloud SDK profiles after this date. Users will also not be able to assign an existing Cloud SDK profile to a new device.
    • May 27, 2020—Existing Cloud SDK devices that have been factory reset will no longer be able to be enrolled via the Cloud SDK.

Deprecated APIs

To improve SDK usability and maintainability, we have continued to deprecate APIs that are not being used, as per our API usage analytics.

Below are the API classes that have some deprecated APIs. Note though that not all APIs in these classes are deprecated. For a complete list of the API methods that have been deprecated, see Deprecated API methods.

  • Device management—PasswordPolicy, APMPolicy, DeviceInventory
  • Networking—BluetoothSecurePolicy
  • App management—ApplicationPolicy
  • Email management—LDAPAccountPolicy
  • Data protection—DLPManagerPolicy
  • Keystore and certificate management—EnterpriseCertEnrollPolicy
  • Knox workspace—KnoxContainerManager, ContainerConfigurationPolicy, SEAMSPolicy, RCPPolicy
  • Customization—SystemManager, SettingsManager

The API Reference also indicates which classes and methods are deprecated with the note, Deprecated in API level 30.


  • Old SDK namespace no longer supported—As mentioned in our June 13 blog post, new Samsung devices running the Android 10 (Q) operating system no longer support our old SDK namespace. For info about migrating apps from the old to new SDKs and namespaces, see the migration intro.
  • Apps must handle runtime permissions—As mentioned in our May 28 blog post, apps must now handle dangerous permissions in runtime as Android 10 (Q) no longer supports the workaround that we had introduced in Android 6 (M).

Knox SDK 3.4 (Knox API level 29)

August 2019

Samsung Knox SDK version 3.4 extends our leadership in advanced security, innovative usability, and comprehensive device management for our partners, developers, and enterprise customers. Read on for more info about these new features in the 3.4 release.


Knox 3.4 includes enhancements to Dual Data-at-Rest (DualDAR) encryption, which was released in Knox 3.3. With this release, DualDAR provides improvements to availability, performance, and security.

  • Zero Day support: IT admins are now empowered to use DualDAR features the moment they're released. Through the Knox Service Plugin (KSP) and Knox Mobile Enrollment (KME), IT admins can now create DualDAR workspace containers and configure policies, before UEM providers include customized DualDAR support through their web consoles. For more, see the Release Notes for KSP and KME.
  • Device Encrypted Storage: To enhance app stabilization, work apps can now write to DE storage by default. DE storage is available both during Direct Boot mode and after the user has unlocked the device. The default value for the configurable parameter DE restriction in the DualDARPolicy class is now set to false. To restrict writes to DE storage, you must create a package allow list and set the value for DE restriction to true.

For additional information on new DualDAR features included in the Knox 3.4 release, go to the UEM integration guide. For information on how to implement a custom solution to leverage control over your security, visit the new ISV integration guide.


Samsung is extending its device attestation solution to improve the way we check for devices that are rooted or running unofficial firmware.

With this Knox 3.4 release, we are launching Attestation v3, which provides these features:

  • Better correlation of results: Through the use of the Samsung Attestation Key (SAK), which is unique to every device.
  • Better device status diagnostics: Through enhancements to our server-side validation check logic.

For details, see Attestation (v3), the Tutorial, the new EnhancedAttestationPolicy class, and v3 REST API.

Deep Settings Customization

Samsung already provides extensive Knox SDK APIs to configure a wide range of features on our mobile devices. To enable rapid, zero-day adoption of the new features, you can also use the Knox Service Plugin.

You can customize device settings such as:

  • location tracking
  • Wi-Fi and NFC control
  • status bar notifications
  • biometrics and security

For more information about:

  • how enterprise IT admins can configure new device features using the Knox Service Plugin, see the Admin Guide.
  • how developers can add the Knox Service Plugin to their web consoles, see Managed Configurations.

DeX Management

The Knox 3.4 release includes new DeX customization features made available through the Knox Service Plugin. You can:

  • Hide certain app icons.
  • Customize the DeX Panel.
  • Turn the Suggested Apps on or off.
  • Turn the Mouse Cursor Flow on or off.
  • Turn the Keyboard toolbar and Predictive text on or off.
  • Skip the DeX welcome screen.
  • Hide the Samsung DeX launcher icon from the quick panel.

See how enterprises can customize DeX by browsing the KSP Admin Guide, and how developers can deploy the Knox Service Plugin by browsing the guide. For info about DeX features that can be managed through the Knox SDK, see Samsung DeX and Knox and the DeXManager class.

Custom names for Personal and Workspace tabs

Knox 3.2.1 originally introduced a tab-based UI for Personal and Workspace apps.

With Knox 3.4, IT admins can now customize the names of the Personal and Workspace tabs.

Developers can support this feature using the Knox SDK API setCustomResource(). This displays custom text in the tabbed view in place of the default Personal and Workspace labels. To learn more, see Custom tab names.

APN Mobile Virtual Network Operator

Starting with Android 9.0 (Pie), you must configure the APN Mobile Virtual Network Operator (MVNO) for some carriers and SIM cards.

With Knox 3.4, you can use ApnSettings to configure the MVNO type and value for a device. For devices with Android 9.0 but Knox 3.3 or earlier, you can use reflection to set these values. For details, see Access Point Name.

Deprecated features


The Knox VPN SDK was designed for VPN service providers, to create apps that can handle requests to set up VPN tunnels through their proprietary infrastructure. The Knox VPN SDK has already been merged into the Knox SDK v3.3, through the package With this Knox SDK v3.4, the Knox VPN SDK is obsolete and all VPN SDK functionality must be accessed through the Knox SDK. This change provides these key benefits:

  • simplifies the development workflow for developers
  • further strengthens the capabilities of the Knox SDK
  • simplifies the licensing flow required to use the VPN APIs. Going forward, all VPN APIs are activated with the same license key as the Knox SDK – the Knox Platform for Enterprise key

If you are using the Knox VPN SDK, you need to update your apps or services to reflect this change. You do not have to update any API packages, classes, or methods, as these remain the same. You do need to import the Knox SDK library and change the old namespace (com.sec.vpn.knox) to the new namespace (

For general information about updating an app to use the Knox SDK v3.x, see the migration tutorial. For details related to VPN apps, see VPN namespace changes.

Knox Workspace containers

Starting with Knox 3.0 in Android O, we began harmonizing the Knox Platform for Enterprise (KPE) with Android Enterprise (AE), to simplify your deployment of solutions across all Android devices. With harmonization, you can apply advanced and differentiated KPE features to AE Work Managed Devices and Work Profiles.

To this end, we are now deprecating the Corporate Liable (CL) mode of the Knox Workspace container on the Note 10 and later devices. The Corporate Liable mode will however continue to work on S10 and earlier devices, even if they are upgraded to Knox 3.4.

Instead of the Knox Workspace container, deploy these AE use models:

  • Work Managed Device (as a DO) and Work Profile (as a PO). This replaces the Corporate Liable mode being deprecated with the Note 10 onwards.
  • Work Managed Device (as a DO). This replaces the Container Only Mode (COM) that was deprecated with the S10 onwards.

To apply Knox features to any of these AE use models, activate a KPE license. For details, see the tutorial Apply Knox features to Work Profile.

Knox SDK 3.3 (Knox API level 28)

March 2019

Samsung Knox SDK version 3.3 adds even more APIs and framework features for developers, MDMs, and users. New APIs add functionality for container encryption, Samsung DeX, and Network Analytics. Knox is built and secured at a hardware level, and with the Knox 3.3 SDK, Samsung Verified Boot now monitors and protects the boot loading.


With a single layer of encryption, potential flaws in the implementation may result in a single point of failure. Dual Encryption (DualDAR) secures confidential work data with two layers of encryption, while providing security even when the device is powered off or is in an unauthenticated state. DualDAR enables highly regulated enterprises to ensure their confidential work data is protected by meeting the Commercial Solutions for Classified Program (CSFC) regulation.

For more information on the new Knox 3.3 Dual DAR feature, learn how to configure a DualDAR Workspace.

Container Only Mode (COM) deprecation

Container Only Mode is obsolete as of the Galaxy S10 or later devices.

Note: Samsung Note 9/S9 devices or earlier with COM/CL containers will be supported throughout the life of the device. For more information, see this bulletin notice.

Knox on DeX

Samsung DeX has new features and APIs to give and restrict access using the Knox platform. For API implementation, see Samsung DeX with Knox and the Knox 3.3 API reference guide.

VPN namespace changes

With the Knox SDK v3.0 release, all apps must use the new Android namespace conventions, as described in IMPORTANT NOTICE: Reminder to transition from old namespaces. The Knox VPN SDK still uses the old namespace conventions. Following the Android Q and Knox SDK 3.4 releases in the later part of 2019 or the early part of 2020, this merge requires VPN clients to be updated to use the new namespaces. For more information on updating your VPN clients to use the new namespace, see VPN namespace changes.

VPN improvements and enhancements

Knox SDK v3.3 includes several enhancements that improve user experience and performance of VPN clients on the Knox framework. The enhancements include, but are not limited to the following:

  1. Support multi-app tunnelling: These enhancements improve user experience when using VPN tunnels that impact more than one app at a time. As a result of these enhancements, users can connect with and start using business apps immediately after the VPN tunnel is established.
  2. Synchronize Knox events with Android networking events: These enhancements improve the performance of VPN clients by synchronizing Knox events with Android networking events. This change means that the Knox container recognizes that the VPN client is connected without any delay.
  3. Provide ongoing network flow information for NPA purposes: This new feature improves the performance of EMM-based Network Performance Assessment tools by providing information about network data flow while the connection is ongoing. This feature means admins now have the ability to configure their EMM-based NPA tools to receive network statistics while a network connection is ongoing. This functionality is especially useful in cases where network sessions last for a long time. For more information, see Configure NPA reporting.

Firewall support

Knox SDK 3.3 now supports the interaction between DomainFilter rules and Firewall policies on a specified device by introducing a new API enableDomainFilterOnIptables() that enables this new feature.

Without this feature enabled, Firewall policies can affect allow list rules applied by Domain Filter. After enabling this API, admins can support the following use cases:

  • Use FirewallRule to block all IPs in a specified device.
  • Use the DomainFilterRule() to allow specific domains even if the IPs are blocked using Firewall policies.

To learn more about this new feature, visit the Firewall section of the Knox SDK user guide.

Contact Storage restrictions

Take control over where device contacts are stored. Remove the risk of local contacts being lost or falling out of sync with your corporate enterprise. For API implementation, see contacts storage and the Knox 3.3 API reference guide.

Knox SDK 3.2.1 (Knox API level 27)

December 2018

The Knox SDK version 3.2.1 release has three major improvements to security and device management. Firstly, new APIs have been developed for this release to allow more functionality in device management. Secondly, Knox Platform for Enterprise is built on the Android operating system, and with Knox v3.2.1 we leverage the Android Pie operating system to provide even more capabilities on a Samsung device. Finally, framework improvements have been added to the SDK to better optimize performance behind the scenes so you can focus on development.

New API overview

| Class | API methods and variables |
| --- | --- |
| BasePasswordPolicy | setResetPasswordToken(ComponentName admin, byte[] token) |
| BasePasswordPolicy | clearResetPasswordToken(ComponentName admin) |
| BasePasswordPolicy | isResetPasswordTokenActive(ComponentName admin) |
| BasePasswordPolicy | resetPasswordWithToken(ComponentName admin, String password, byte[] token, int flags) |
| BasePasswordPolicy | getTrustAgentConfiguration(ComponentName admin, ComponentName agent) |
| BasePasswordPolicy | setTrustAgentConfiguration(ComponentName admin, ComponentName target, PersistableBundle configuration) |
| EnterpriseDeviceManager | getBasePasswordPolicy() |

For more information on Knox APIs see the full set of Knox API references. In addition to new Knox APIs for the Knox SDK v3.2.1 release there were also deprecated APIs. See deprecated API methods for a full list.

Certificate Provisioning

The Knox SDK features the CertificateProvisioning class, which supports IT Admins in managing certificates and keystores. Beginning with Knox 3.2.1, certificate installations with the KEYSTORE_DEFAULT flag will no longer require the user to unlock the device.

For details, see the API installCertificateToKeystore(), which allows the IT admin to silently install a CA certificate into a given keystore. To learn more about certificate provisioning, see About Keystores.


There are two major improvements to the Knox Platform for Enterprise's password class:

  • The following Android APIs now exist on the Knox Platform: setTrustAgentConfiguration and getTrustAgentConfiguration. The addition of these methods preserves the functionality of calling these APIs as device admin.
  • The following APIs have been added as an alternative to resetPassword() to allow programmatic password modification without IT admin interaction: setResetPasswordToken, clearResetPasswordToken, isResetPasswordTokenActive, and resetPasswordWithToken.

For more information on Knox passwords, see the password section of the developer guide.
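
One way to use the four token methods listed above, added here as an example rather than Samsung's own code. It assumes the methods return boolean and keep the 32-byte token minimum of Android's equivalent DevicePolicyManager calls, and that BasePasswordPolicy sits in the com.samsung.android.knox package; ResetTokenFlow is a hypothetical name.

```java
import android.content.ComponentName;
import android.content.Context;

import com.samsung.android.knox.BasePasswordPolicy;   // package location is an assumption
import com.samsung.android.knox.EnterpriseDeviceManager;

import java.security.SecureRandom;
import java.util.Arrays;

/** Added example: token-based password reset without IT admin interaction. */
public final class ResetTokenFlow {

    // Android's DevicePolicyManager rejects reset tokens shorter than 32 bytes;
    // this example assumes the Knox methods enforce the same minimum.
    private static final int TOKEN_BYTES = 32;

    private final BasePasswordPolicy policy;
    private final ComponentName admin;

    public ResetTokenFlow(Context context, ComponentName admin) {
        this.policy = EnterpriseDeviceManager.getInstance(context).getBasePasswordPolicy();
        this.admin = admin;
    }

    /**
     * Creates a random token and registers it on the device. The caller must
     * store the returned bytes off-device (for example in the UEM back end),
     * because anyone holding them can reset the device password.
     */
    public byte[] provisionToken() {
        byte[] token = new byte[TOKEN_BYTES];
        new SecureRandom().nextBytes(token);
        if (!policy.setResetPasswordToken(admin, token)) {   // boolean return assumed
            Arrays.fill(token, (byte) 0);
            throw new IllegalStateException("Reset token was not accepted");
        }
        return token;
    }

    /**
     * Resets the password with a previously provisioned token. On Android, a
     * token set while a lock screen credential exists stays inactive until the
     * user next confirms that credential, so the active check comes first.
     * The token array is wiped after the attempt.
     */
    public boolean resetPassword(String newPassword, byte[] token) {
        try {
            if (!policy.isResetPasswordTokenActive(admin)) {
                return false;
            }
            // flags = 0: no additional reset behaviour requested.
            return policy.resetPasswordWithToken(admin, newPassword, token, 0);
        } finally {
            Arrays.fill(token, (byte) 0);
        }
    }

    /** Revokes the token, for example when the device is unenrolled. */
    public void revokeToken() {
        policy.clearResetPasswordToken(admin);
    }
}
```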


The Keyboard security framework has received a major usability upgrade while maintaining security between the personal and work profiles. Unlike Android Enterprise, Knox Platform for Enterprise allows users to choose their own IME in the personal space without the risk of leakage into the work space by separating the IMEs. Learn more about this update to the keyboard framework for KPE.

VPN Enhancements

Audit Log

The Knox Generic VPN Framework enables common audit logs for VPN clients and helps non-native VPN clients meet NIAP security requirements.

To learn more about the types of events that are logged, see VPN Audit Logs.

Performance Improvement

The Knox SDK has the GenericVpnPolicy class which allows IT Admins to configure SSL/IPSEC VPN profiles on multiple devices.

This release adds a number of enhancements to VPN, including:

  • Performance optimization to increase the speed of establishing VPN connections for a large number of apps.
  • Synchronization of VPN connection and firewall configuration events. This ensures that VPN connection is established only after firewall has finished preparing for VPN mode.

UI changes

Mini launcher

The Knox SDK Release 3.2.1 removes the mini launcher used to open the Knox Workspace and replaces it with a tabbed UI view. Apps now display in two categories: Personal and Work (Knox Workspace). Users can seamlessly switch between the Personal and Work tabs on the Home page.

To learn more about the tabbed UI view, see Tabbed UI View.


The Knox SDK Release 3.2.1 includes changes that let users open the Knox Workspace Settings right from the device's Settings.

To learn more about this change, see Workspace Settings.

Knox SDK 3.2 (Knox API level 26)

August 2018

Knox SDK 3.2 introduces a variety of new features and capabilities for users and developers. This page highlights what's new for developers.

New API overview

Class API Method

public int setHomeAlignment(int mode)

public int getHomeAlignment()

addURLShortcut(int x, int y, String title, String url, ComponentName component)

addURLShortcut(int x, int y, String title, String url, String imgName, ComponentName component, ParcelFileDescriptor imgFD)

removeURLShortcut(String url, in ComponentName component);

setForegroundModePackageList(int state, in List<String> pkgList);

List<String> getForegroundModePackageList();


public int startProKioskMode(String packageName, String passCode)

public int stopProKioskMode(String passCode)


public boolean allowBLE(boolean allow)

public boolean isBLEAllowed()

public boolean allowWifiScanning(boolean allow)

public boolean isWifiScanningAllowed()

PhoneRestrictionPolicy public Bundle getRCSMessage(long id)
NetworkAnalytics public int start(String profileName, Bundle flowTypeBundle)
EnterpriseDeviceManager public static int getUserId(UserHandle handle)

public int getErrorCode()

public int getTimeout()

DeX management APIs

DeX management APIs allow you to increase productivity and decrease costs by using your Samsung device to switch to a PC-like environment with ease.

setHomeAlignment – This API allows IT Admins to modify the way apps are aligned in DeX mode. For example, you can align apps in a preferred order. This is perfect for organizations that want to set up numerous identical workstations throughout their organization.

addURLShortcut – This API allows IT Admins to add a browser shortcut with a specific URL on the DeX home screen. This is useful for enterprises that require users to access a URL frequently – for example, an internal Intranet network. A customized icon can also be displayed.

Connection APIs

In many situations, IT Admins may need to completely disable Bluetooth or Wi-Fi, and not just prevent the user from toggling it on or off. This can now be done with allowBLE() and allowWifiScanning(). This can increase security by preventing any malicious Bluetooth or Wi-Fi attacks from remotely triggering these services through background usage.

  • Turn off Wi-Fi background scanning: Use allowWifiScanning() to completely turn off Wi-Fi and Wi-Fi background scanning.
  • Turn off Bluetooth background scanning: Use allowBLE() to completely turn off Bluetooth and Bluetooth scanning.

These options are shown in the settings screen below.

Enhancement APIs


The updated ProKiosk Manager API lets you enable ProKiosk Mode without having to reboot the device. This saves IT Admins time when they have to set up ProKiosk Mode on a large batch of devices.

Class API method

public int startProKioskMode(String packageName, String passCode)

public int stopProKioskMode(String passCode)

Rich communication services (RCS) message capture API

RCS messaging is a new messaging protocol which replaces SMS as the default messaging platform for carriers. It adds much needed features – such as group messages – and allows users to send more types of media. All of this is done over data instead of the cellular network, making it very similar to current IM apps that can be downloaded from the Play Store.

Knox 3.2 allows IT Admins to capture and record RCS messages (including attachable multimedia files). For many industries, such as the financial services, the ability to record and audit sent and received messages is required by law.

getRCSMessage allows IT Admins to:

  • Start RCS capture
  • Stop RCS capture

UCM SDK merged to Knox SDK

As of Knox 3.2, the UCM SDK will be merged into the Knox SDK. New permissions are defined to streamline the license activation flow and make using both products easier. Vendors need to implement their UCM app with these new permissions, but do not have to change any APIs.

New UCM permissions: All the UCM features will be granted with this new UCM permission (KNOX_UCM_MGMT).

Knox SDK 3.1 (Knox API level 25)

March 2018

DeX management APIs

Samsung DeX is a revolutionary new technology that allows users to transform their mobile devices into powerful enterprise desktop machines with a simple docking station. As DeX becomes more popular among enterprises, there is growing urgency to provide IT admins with the same degree of granular management policies available for Samsung devices as a whole. For the 3.1 release, the Knox team is providing the following DeX-specific management APIs:

Add or remove app shortcuts

This feature allows enterprises to further differentiate the mobile and desktop home screens.

Change the DeX loading screen

Devices play a default animation while launching in DeX mode. Knox 3.1 provides APIs that allow you to add images and other branding assets to replace the default DeX loading logo. Create a more customized user experience with this new DeX feature.

Control screen timeout settings

The Knox SDK provides you with the flexibility to balance security concerns with convenience. You can set a screen timeout that ranges from seconds to weeks depending on your enterprise security policies.

Enforce Ethernet data connection

This feature ensures that users are running certain productivity apps using a secure Ethernet connection by preventing them from connecting to mobile data or Wi-Fi while in DeX mode.

Prevent certain apps from running in DeX

Disable personal apps, such as social media and games, while the device is in DeX mode. These APIs don’t affect devices after they’ve been disconnected from the DeX station. For more detailed information regarding these new APIs, including requirements and sample code, see the Knox SDK Developer Guide and Knox SDK API reference.

If you want to prevent DeX mode in an enterprise setting, you can also easily disable DeX with the Knox SDK.

App Permission Monitor updates

App Permission Monitor is a feature enabled by default that alerts end users when apps attempt to access a predefined permission while running in the background.

The Knox 3.1 SDK includes two new management features for the App Permission Monitor.

Enable and disable access to App Permission Monitor

By design, enterprise apps may need to constantly access certain sensitive permissions while running in the background. For the peace of mind of your users, you may want to disable App Permission Monitor.

If you want to ensure that users are conscious of apps which may be requesting device permissions while running in the background, you can also enable access to this feature.

Add or Remove specific apps from the App Permission monitor list

For security and compliance purposes, your enterprise apps may request access to permissions such as location while running in the background. For example, your app may include a geofencing feature that prevents users from using the camera while at the office. You may want to remove enterprise apps from the monitor list to distinguish them from potentially harmful third-party apps that are requesting the same types of permissions while running in the background.

Knox SDK 3.0 (Knox API level 24)

January 2018

This Samsung Knox SDK v3.0 release provides significant improvements to the developer experience as well as powerful new features, which are described below.

Samsung Knox SDK

The new Samsung Knox SDK combines, refactors, and enhances these Samsung Knox SDKs:

  • Knox Standard
  • Knox Premium
  • Knox Customization
  • Knox ISV

There is now only one Samsung Knox SDK package to download, one JAR library to import, one API Reference to search for API methods, and one Developer Guide describing how to use the SDK features. This new SDK also consolidates the following:

  • Version — As the merged SDKs had different SDK version numbers, the new Knox SDK uses a single 3.0 version number and Knox API level 24. The Knox API level is similar to the Android API level. Each Knox SDK version has been mapped to this Knox API level. To find the API level supported by a device, call the API method EnterpriseDeviceManager.getApiLevel. In the device Settings > Device > Software Info, the Knox version now shows this Knox API level.

  • Namespace — All Samsung Knox SDK packages, intents, and permissions now use this namespace: Previously, there were multiple namespaces, including one in the Google domain ( Unifying the namespace simplifies coding, troubleshooting, and support, and removes the possibility of future overlaps with Google.
  • Structure — API methods have been re-organized for better discoverability and renamed for consistency. The API methods that were in the generic class called MiscPolicy have been moved into more appropriate classes. Some classes have been renamed. For example, Attestation is now called AttestationPolicy for more consistency with other class names.
  • Deprecation — In the new consolidated Knox SDK, we have removed API methods that were already deprecated in the legacy Knox Standard, Premium, Customization, and ISV SDKs. We’ve also removed API methods that were duplicated across legacy SDKs or not being used as indicated by our analytics. This was to streamline the new Knox SDK and ease usability moving forward. The Knox 3.0 platform installed on devices still supports these deprecated API methods. However, we discourage using these API methods as we will likely remove support for them in the near future. For a list of the deprecated API methods, see the Samsung Knox SDK Migration Guide.

For more about updating namespaces and replacing deprecated API methods for this new consolidated Knox SDK, see the Samsung Knox SDK Migration Guide and Knox SDK Sample Apps.

Knox Platform for Enterprise (KPE) license key

Knox 3.0 uses a Beta version of a new consolidated Knox Platform for Enterprise (KPE) license key, which is designed to replace the following licenses.

  • ELM — Enterprise License Management. This license gives developers access to the enterprise-grade Knox Standard SDK.
  • ISV — Independent Software Vendor. This license gives developers access to basic security features in the Knox ISV SDK.
  • KLM — Knox License Management. This license gives developers access to paid features in the Knox Premium and Knox Customization SDKs.

There are 2 types of Samsung license:

  • Development — Gives you access to all features in the Knox SDK, but only on a limited number of devices and for a limited time period. This is meant for testing purposes only. You can get this Development license through the SEAP portal.
  • Commercial — When you are ready to release an app on many devices for a longer time period, you use a Commercial license. If your app uses:
    • only free features (in other words, those that were in the Knox Standard and ISV SDKs) — You can generate a Commercial Knox Platform for Enterprise (KPE) license key from the SEAP Portal.
    • paid features (that were in Knox Premium and Knox Customization SDKs) — An authorized Knox Reseller or EMM Vendor buys Commercial licenses from the Global Samsung Business Network (GSBN). They do so on behalf of each enterprise customer so that license activations can be tracked and billed separately.

Knox 3.0 also introduces Android-style permission declaration. You can optionally declare at a granular level the permissions that your app needs to call API methods in the Knox SDK. This is to tighten security, by limiting what an app can do. To use this new permissions model, update your Android manifest file (AndroidManifest.xml) to include these tags:

  • <meta-data>: to enable Knox selective permissions
    • For example: <meta-data android:name="" android:value="true"/>
    • not required for KPE. Optional for ELM & KLM.
  • <uses-permission>: to declare each permission used by the app
    • for example: <uses-permission android:name=""/>

Here is a sample manifest file:

To find out which permission is needed by an API method, see the Knox SDK API Reference. For example, the permission can be found in createContainer.

See also:

  • License Keys — to generate a license and see what permissions (free or paid) you get with the license
  • Knox licenses — for more about the new Knox Platform for Enterprise (KPE) license key

New Knox Workspace container architecture

We’ve updated the Knox Platform for Enterprise solution with a new Workspace container architecture to enhance user experience.

  • Knox APIs can now control Android Work profiles.
  • Android Work Profiles can easily be upgraded to Knox Workspace without wiping your device.

As part of this change, customers can leverage Knox features and APIs on Android’s Work Profile and Work Managed Device modes. The:

  • Profile Owner can activate a Knox License and leverage Knox features on Android Work Profile
  • Device Owner can activate a Knox License and leverage Knox features on Android Work Managed Device

For an example of how to apply a Knox license to a work profile, see this Tutorial.

Network Platform Analytics

This feature enables real-time monitoring of network flow behaviours without granting access to all network data. Using NPA has much better privacy claims than using VPN or proxy technology alternatives to analyse traffic. In addition, NPA can provide more granular data than VPN or web proxy solutions. Management apps, such as MDM clients, can call NPA APIs to register a network analyser to collect metadata about network data flows. Once registered, the analyser receives flow details that allow the app to analyse network patterns without exposing the analyser to sensitive network data such as plaintext passwords, business documents, or employee communications.

Knox 3.0 introduces these new features:

  • Full IPv6 support
  • DNS lookups are now associated with the app that requested them
  • Parent process hash is now included in the netflow data

For more about network data collection, see EnterpriseKnoxManager.getNetworkAnalytics and KnoxContainerManager.getNetworkAnalytics. For more about the data that can be collected, see NetworkAnalytics and NetworkAnalyticsConstants.
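As an added illustration (not Samsung's code and not the NPA record schema), the sketch below shows an analyser backend that works on flow metadata alone, using the three additions listed above: IPv6 destinations, app-attributed DNS lookups, and the parent process hash. The field names (`app`, `parent_hash`, `dst`, `dns`), the policy table and the sample flows are constructed assumptions; the real fields are defined in NetworkAnalyticsConstants.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow metadata. Field names are assumptions for this
# sketch, not the keys NPA actually emits.
FLOWS = [
    {"app": "com.example.mail", "parent_hash": "aa11", "dst": "203.0.113.10", "dns": "mail.example.com"},
    {"app": "com.example.mail", "parent_hash": "aa11", "dst": "2001:db8::25", "dns": "mail.example.com"},
    {"app": "com.example.notes", "parent_hash": "ff99", "dst": "198.51.100.7", "dns": "sync.example.net"},
    {"app": "com.example.notes", "parent_hash": "bb22", "dst": "::ffff:198.51.100.7", "dns": None},
    {"app": "com.example.game", "parent_hash": "cc33", "dst": "192.0.2.44", "dns": "ads.example.org"},
]

# Hypothetical per-app policy: expected parent process hash and permitted DNS names.
POLICY = {
    "com.example.mail": {"parent_hash": "aa11", "dns": {"mail.example.com"}},
    "com.example.notes": {"parent_hash": "bb22", "dns": {"sync.example.net"}},
}

def normalise(addr):
    """Return a canonical address string, unwrapping IPv4-mapped IPv6; None if invalid."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return str(ip)

def analyse(flows, policy):
    """Collect findings per app from metadata only (no payload inspection)."""
    findings = defaultdict(list)
    for f in flows:
        app, rule = f["app"], policy.get(f["app"])
        if rule is None:
            findings[app].append("app not covered by policy")
            continue
        if f["parent_hash"] != rule["parent_hash"]:
            findings[app].append("unexpected parent process hash")
        if f["dns"] is None:
            findings[app].append("flow with no DNS lookup: " + str(normalise(f["dst"])))
        elif f["dns"] not in rule["dns"]:
            findings[app].append("unexpected DNS name: " + f["dns"])
    return dict(findings)

if __name__ == "__main__":
    for app, notes in analyse(FLOWS, POLICY).items():
        print(app, notes)
```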

Device Customization

The Knox SDK lets System Integrators develop an Android app that restricts what users can do on a device. You can configure new features as they release on new Samsung devices and Android versions. This is designed for System Integrators who need an extra level of configurability on the Samsung Android platform.

With Version 3.0 of the Knox SDK, you can configure features in the Android 8.0 Oreo release:

  • Hard key remapping (setHardKeyIntentState, getHardKeyIntentState) — Controls whether or not the pressing of a particular hard key (power, volume up, volume down, home, back, menu) broadcasts an intent, which can be handled by the registered broadcast receivers. This feature was previously supported only in ProKiosk mode, through the API package, but is now also available outside of ProKiosk mode, through
  • Home screen mode (setHomeScreenMode, getHomeScreenMode) — Selects whether a device supports:
    • Home screen only — The home screen is the only place where you can launch apps, and can't be deleted unless there are no app shortcuts on it.
    • Home screen with separate app launcher screens — The home screen page can be deleted because the app launcher screens also display all app shortcuts that are on the home screen.

Deprecated API Methods

The following API methods have been deprecated in this release:

| API Class | Deprecated API Method | Reason |
| --- | --- | --- |
| | | Outdated feature |
| SystemManager | copyAdbLog | Outdated feature |

The following API methods will be deprecated from the Knox SDK within a year. Please prepare to stop using these as well.

| API Class | To be deprecated | Reason |
| --- | --- | --- |
| AdvancedRestrictionPolicy | enableODETrustedBootVerification | Overlap with Android APIs |
| RestrictionPolicy | enableWearablePolicy | Low usage |
| SettingsManager | set/getBackupRestoreState | Low usage |
| SystemManager | getToastGravityXOffset | Low usage |

Also note the following:

  • Consolidated (One) SDK — API methods were deprecated due to redundancy across SDKs or low usage. For a full list of these API methods, see the Samsung Knox SDK Migration Guide.

  • Unification — API methods were deprecated due to overlap with Android Enterprise.

For more information ...

To learn more about the Knox SDK, check out these resources: