Knox SDK 3.10
Last updated October 30th, 2023
October 2023
The Knox 3.10 platform introduces these new features:
Improvements to Separated Apps
Separated apps allow you to separate third-party apps from corporate apps on fully-managed devices by putting them in a separate area. Knox 3.10 expands the capabilities of Separated Apps as follows:
- Usability enhancements: Starting with Android 14, Separated Apps displays in full-screen mode, which lets more apps be viewed on the screen than the previous folder view. Apps in the separated area have a badge to distinguish them from those outside the container. Any apps not included in the allowlist are uninstalled from the separated apps area.
- Apply policies using Managed Configurations: You can configure the policies using a Managed Configuration agent in addition to KSP. However, if the policies are declared using both Managed Configuration and KSP, the KSP policies are overridden by the Managed Configuration agent policies.
Enterprise Certificate Management using ACME protocol
The ACME protocol helps validate devices so that enterprise certificates can be issued to them. The IT admin initiates a hardware-bound-key-based certificate provisioning process by sending an ACME command to the target device through their EMM. The Knox framework then handles the ACME certificate provisioning process, acting as an ACME client that interacts with the enterprise ACME server. The ACME server is connected to the enterprise Certificate Authority (CA) server. During the ACME process, the Samsung Knox device attestation certificate is used for device validation.
Samsung Knox supports enterprise certificate provisioning using ACME protocol as follows:
- Enterprise IT sends an ACME certificate provisioning command by providing an ACME profile with key properties, certificate information, client identifier, and ACME server information.
- EMM agent initiates an ACME process by calling Knox ACME API with the profile.
- Knox framework sets up an ACME server connection.
- ACME server requests validation from the device using its attestation certificate.
- Knox framework generates a hardware bound key pair for ACME certificate request.
- Knox framework retrieves a Samsung Knox device attestation certificate.
- The device attestation certificate and a CSR are sent to the ACME server.
- ACME server validates the device challenge response by verifying the device attestation certificate.
- ACME server issues an enterprise certificate.
- Knox framework installs the enterprise certificate on the device.
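The checks an ACME server could run at the validation step of this flow, sketched with the openssl CLI as an added example (not Samsung's code and not part of the original page). The throwaway root stands in for a pinned attestation root, and requiring the CSR key to equal the attested key is an assumption about how the hardware-bound key is tied to the request; challenge-token handling is left out.

```shell
#!/bin/sh
# Added example: ACME-server-side checks on a device attestation certificate and CSR.
# Every key, subject and file name below is constructed for the demo.
set -eu

# Build a throwaway attestation root, a device attestation certificate, a CSR made
# with the attested key (good.csr) and a CSR made with an unrelated key (bad.csr).
make_fixture() {
  d=$1
  for k in root dev other; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/$k.key"
  done
  openssl req -x509 -new -key "$d/root.key" -subj "/CN=Constructed Attestation Root" \
    -days 1 -out "$d/root.pem"
  openssl req -new -key "$d/dev.key" -subj "/CN=constructed-device-01" -out "$d/attest.req"
  openssl x509 -req -in "$d/attest.req" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -out "$d/attest.pem"
  openssl req -new -key "$d/dev.key" -subj "/CN=enterprise-client" -out "$d/good.csr"
  openssl req -new -key "$d/other.key" -subj "/CN=enterprise-client" -out "$d/bad.csr"
} 2>/dev/null

# validate_order ROOT ATTEST_CERT CSR: prints a verdict, returns 0 only on accept.
validate_order() {
  root=$1 attest=$2 csr=$3
  # 1. The attestation certificate must chain to the pinned attestation root.
  openssl verify -CAfile "$root" "$attest" >/dev/null 2>&1 ||
    { echo "reject: attestation certificate does not chain to trusted root"; return 1; }
  # 2. The CSR must be signed by the private key whose public half it carries.
  openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" ||
    { echo "reject: CSR self-signature invalid"; return 1; }
  # 3. Assumption: the attested key and the CSR key must be the same key, so the
  #    issued certificate is bound to the hardware-backed key that was attested.
  a=$(openssl x509 -in "$attest" -noout -pubkey)
  c=$(openssl req -in "$csr" -noout -pubkey)
  [ "$a" = "$c" ] || { echo "reject: CSR key is not the attested key"; return 1; }
  echo "accept"
}

d=$(mktemp -d)
make_fixture "$d"
validate_order "$d/root.pem" "$d/attest.pem" "$d/good.csr"
validate_order "$d/root.pem" "$d/attest.pem" "$d/bad.csr" || true
```

Without the third check, a valid attestation certificate could be presented alongside a CSR for a key that never lived in hardware.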
Device settings
Support for advanced configuration of dual-SIM devices
Most modern devices support two SIM cards, one of which may be a digital eSIM. With the new Knox 3.10 platform, IT admins can configure specific SIM card slots on their enterprise devices. They can use the Allow dual SIM operation policy available in the Knox Service Plugin (KSP) solution to turn off SIM card slots on the enrolled devices. The SIM manager screen on the device automatically updates to reflect this change.
Ability to set the Standard mode for device settings
Tablets and foldable devices support the standard and multi-view modes for apps. The Settings app opens in the multi-view mode by default. In this multi-view mode, it shows under a single activity name on the device. If a user updates any individual settings within the app, the IT admins are unable to view and track associated individual activity names.
With the Knox 3.10 release, IT admins can set the Settings app to launch in the Standard mode on tablets and foldable devices, allowing them to track all activities and control users’ access to individual settings. Refer to the setForceSingleView and getForceSingleView APIs for details.
Audit log enhancements
Knox 3.10 helps you find useful log information easily. This release provides more legible audit log data by centralizing all audit log messages into a single file. For more details, please refer to AuditEvents.
UCM Keystore and Keyguard enhancements
Samsung’s Universal Credential Management (UCM) provides a future-proof plug-and-play framework to ease the management of credentials across a variety of different possible storage media. In particular, it provides higher mobile security by supporting the storage and management of major certificates and credentials in eSE.
In Knox 3.10, keyguard and keystore functions are enhanced with the addition of the following APIs:
- getKeyguardPinMaximumLength, setKeyguardPinMinimumLength
- getKeyguardPinMinimumLength, setKeyguardPinMinimumLength
- initKeyguardPin
- getKeyguardPinMaximumRetryCount
- changeKeyguardPin
UCM keystore now supports AES, ECDSA (NIST and Brainpool curves), and HMAC cipher and signature algorithms.
API deprecation
As part of Samsung’s ongoing upkeep and maintenance of services, we deprecate Knox APIs from time to time. We recommend that you replace newly deprecated APIs before they are removed permanently.
The APIs deprecated in Knox 3.10 will work normally for Android 14. You can view the complete list of Deprecated API methods in Knox developer documentation.
Technical support for the deprecated APIs is available for up to one year after the deprecation. The APIs continue to be available in the second year after deprecation, but satisfactory operation is not guaranteed. Please see API deprecation journey for details.