Knox SDK 3.6
The Knox 3.6 platform advances Samsung’s commitment to helping you customize and secure mobile devices, by introducing these new features:
- Hardware key mapping for the Galaxy XCover series to enable the XCover and Top hardware keys to launch specific apps
- Additional Deep Settings Customization for granular control over the settings users can and cannot access through the Settings app
- Samsung DeX foreground app intents to enable an app to customize actions based on whether it is in focus during DeX dual mode
- Quick Panel control over the Daily Board, to prohibit devices from showing potentially sensitive content such as calendar events and photos while charging
- advanced Knox VPN capabilities for work profiles in Profile Owner mode, for organizations with PO deployments
- certificate authentication for USB-tethered laptops using the defense-grade Knox mobile VPN network
- firewall configurations based on network interfaces such as wlan0 or eth0
As with past releases, new features are offered through either the:
- Knox Service Plugin (KSP), which provides new features on the day of release to IT admins using UEM solutions supporting KSP, or
- Knox SDK, to provide more powerful programmatic and integrated control to developers creating app solutions
- Knox platform, which is factory-installed on Samsung Knox devices
Read on to find out more about how you can benefit from the new Knox 3.6 features.
XCover Pro hardware keys
Get the most out of the new ruggedized Samsung XCover devices by customizing the XCover and Top hardware keys.
The latest version of the Knox Service Plugin lets you:
- Set up short or long key presses to launch selected device apps
- Disable hardware key options in a device’s Android Settings menu
Deep Settings Customization
This release expands the list of deep settings introduced with Knox 3.4, delivering options to configure the following settings through the Knox Service Plugin.
| Setting | Description | Customize through KSP policy group | Options |
| --- | --- | --- | --- |
| Wi-Fi Direct | Allows two devices to establish a direct, peer-to-peer Wi-Fi connection without requiring a wireless router. | Device Restrictions | Allow / Do not allow |
| Keyboard language shortcut | Allows virtual keyboard shortcuts to change the keyboard language. | Configure values in settings menu | On / Off / Use specific value / Allow user to modify setting / Hide setting |
Each KSP release introduces additional deep settings, so you are encouraged to browse the KSP release notes or KSP policy schema for all the latest capabilities. Coming soon: deep settings to manage Picture-in-Picture and DeX monitor resolution.
DeX foreground app
Samsung DeX in dual mode increases mobile productivity, letting you use a device while presenting separately on an external display.
You can now check if an app is in the foreground while in dual mode. One use case for this is in a banking scenario, where a banking customer is using a tablet and a bank employee is using the connected monitor to access an internal banking app. An app can now determine if it is currently in focus or not, and customize actions available to the app user.
Use the Knox SDK to check the focus state:
- Monitor the focus of an app’s package with ApplicationPolicy.addPackagesToFocusMonitoringList().
- Inspect the ACTION_APPLICATION_FOCUS_CHANGE intent when a focus change occurs for that package.
- Extract the new EXTRA_APPLICATION_FOCUS_DEX_MODE field from the intent. The value is true if the app is in focus.
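The three steps above, put together for the banking scenario, as an added example that is not Samsung's own sample code. It assumes the app already holds an activated Knox license with application-management permission, that addPackagesToFocusMonitoringList() takes a list of package names and returns a boolean, and that the extra is a boolean as described above; the DexFocusGuard class and its Listener callback are hypothetical names.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.application.ApplicationPolicy;
import java.util.Collections;

/** Added example: lets an app mask sensitive views when it is not in focus in DeX dual mode. */
public final class DexFocusGuard extends BroadcastReceiver {

    /** Hypothetical callback; the app decides how to mask or reveal its sensitive views. */
    public interface Listener {
        void onFocusChanged(boolean inFocus);
    }

    private final Listener listener;

    private DexFocusGuard(Listener listener) {
        this.listener = listener;
    }

    /** Adds this app's own package to the focus monitoring list and registers the receiver. */
    public static DexFocusGuard install(Context ctx, Listener listener) {
        ApplicationPolicy policy =
                EnterpriseDeviceManager.getInstance(ctx).getApplicationPolicy();
        // Assumption: the call returns false when the package could not be added.
        boolean monitored = policy.addPackagesToFocusMonitoringList(
                Collections.singletonList(ctx.getPackageName()));
        if (!monitored) {
            throw new IllegalStateException("Focus monitoring was not enabled");
        }
        DexFocusGuard guard = new DexFocusGuard(listener);
        ctx.registerReceiver(guard,
                new IntentFilter(ApplicationPolicy.ACTION_APPLICATION_FOCUS_CHANGE));
        return guard;
    }

    @Override
    public void onReceive(Context ctx, Intent intent) {
        if (!ApplicationPolicy.ACTION_APPLICATION_FOCUS_CHANGE.equals(intent.getAction())) {
            return;
        }
        // A missing extra defaults to false, so the app fails closed and stays masked.
        boolean inFocus = intent.getBooleanExtra(
                ApplicationPolicy.EXTRA_APPLICATION_FOCUS_DEX_MODE, false);
        listener.onFocusChanged(inFocus);
    }
}
```

Call DexFocusGuard.install() once from the activity that shows customer data, and unregister the returned receiver when that activity is destroyed.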
For more about using the Knox SDK to control DeX features, see Samsung DeX and Knox.
Quick Panel display of Daily Board
Through the Knox SDK, you can control what appears on a device’s Quick Panel, which is shown when you swipe down from the top of the screen. With this Knox 3.6 release, you can show or hide the button used to configure the Daily Board, which tablets can use while charging to display the time, weather, calendar events, and photos. For security reasons, you can prevent users from enabling or configuring the Daily Board through the Quick Panel. Use the following API constant:
- CustomDeviceManager.QUICK_PANEL_DAILY_BOARD — The Daily Board option on a device’s Quick Panel.
For more about how to show or hide this button, see SystemManager.setQuickPanelButtons.
Knox VPN in work profiles
This feature was deprecated with Knox SDK v3.8.
The Android VPN Management for Knox app extends the capabilities of the built-in Android VPN client, which provides only basic configuration as seen in the Android Settings app. The Knox app enables many more advanced Knox VPN capabilities on Samsung Knox devices.
Previously, the Android VPN Management for Knox app supported only Device Owner (DO) mode. Knox 3.6 now supports Profile Owner (PO) mode, enabling the same advanced Knox VPN capabilities from within a work profile. When installed inside a work profile, the new Knox app (v3.0.5) accesses an end-user/CA certificate inside the PO keystore to secure data transmission from within the work profile.
To deploy the new Android VPN Management for Knox app in a work profile:
- Log in to Knox Developer Dashboard.
- Download the new Android VPN Management for Knox APK.
- Configure a UEM profile to push and deploy the APK in a work profile.
The new Knox app is backwards compatible with devices running earlier, pre-3.6 versions of Knox.
For more info about the:
- advanced Knox VPN capabilities, see the Knox White Paper
- Knox VPN framework, see the Developer Guide
Certificate-based authentication for USB-tethered laptops
With Knox 3.5, Samsung Knox devices could extend a VPN tunnel to a laptop connected through USB. This provided laptop users with the ability to access internal enterprise resources using our defense-grade mobile VPN network. In addition to providing convenience when laptops do not have network connectivity, this offers company cost savings by removing the need to buy additional VPN licenses for laptops.
Knox 3.6 enhances this feature with better security and control. In terms of security, there is a new app that enables Samsung Knox devices to verify that a laptop is owned by the device user. When the user connects a laptop to a Samsung Knox device via USB, the app validates the user certificate on the laptop with allowed certificates installed by the IT admin on the device.
To deploy the new app to authenticate connected laptops:
- Log in to Knox Developer Dashboard.
- Download the new USB Tethering Authentication for VPN APK.
- Configure a UEM profile to push and deploy the APK to devices.
- Identify the certificates of laptops allowed to connect via USB to each device for VPN access.
The APK provided on the Knox Partner Portal supports only Samsung One UI flagship devices such as the Galaxy S/A/J and Tab S/A. We also have One UI Core devices such as the A21, Tab A7, M51, M31s, and A12. To deploy USB-tethered VPNs on a One UI Core device, please contact us to get another APK that uses a different Samsung platform signing key.
The Knox SDK v3.6 provides the following new API methods and constants to configure USB-tethered VPNs:
- GenericVpnPolicy.allowUsbTetheringOverVpn — Allows or disallows traffic from a USB-tethered laptop to go through a VPN profile. A Bundle parameter identifies the certificate of a laptop allowed to use the VPN.
- GenericVpnPolicy.isUsbTetheringOverVpnEnabled — Returns true if a specified USB-tethered laptop can send traffic through a specified VPN profile.
- KEY_TETHER_CA_CERTIFICATE, KEY_TETHER_USER_CERTIFICATE, KEY_TETHER_USER_CERT_PASSWORD — Identify the CA certificate, user certificate, and user certificate password of a USB-tethered laptop allowed to use a VPN profile.
For additional information about configuring VPN profiles, see About Knox VPNs.
Firewall based on network types
Samsung Knox already provides granular control over firewalls on Samsung Knox devices. You can allow or prevent devices from sending or receiving data using specific IP addresses, port numbers, port locations, app identities, network interfaces (mobile, Wi-Fi), directions, or protocols.
With Knox 3.6, you can now also configure firewalls based on UNIX network interface names, for example, wlan0, wlan+, eth0, eth+. Use the following API methods:
- FirewallRule.setStrNetworkInterface — Sets a network interface name to be used in a firewall rule.
- FirewallRule.getStrNetworkInterface — Gets a network interface name to be used in a firewall rule.
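A sketch of an interface-name rule, as an added example that is not Samsung's own sample code. Only setStrNetworkInterface comes from this page; the rule constructor, setIpAddress, setPortNumber, addRules, enableFirewall and the FirewallResponse accessors are the Knox SDK firewall calls as assumed here, and the InterfaceFirewall class is a hypothetical name.

```java
import android.content.Context;
import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.net.firewall.Firewall;
import com.samsung.android.knox.net.firewall.FirewallResponse;
import com.samsung.android.knox.net.firewall.FirewallRule;

/** Added example: deny all IPv4 traffic on selected network interfaces. */
public final class InterfaceFirewall {

    /** Builds one deny-all rule per interface name, e.g. "eth+" for every eth* interface. */
    static FirewallRule[] denyRulesFor(String... interfaceNames) {
        FirewallRule[] rules = new FirewallRule[interfaceNames.length];
        for (int i = 0; i < interfaceNames.length; i++) {
            FirewallRule rule = new FirewallRule(
                    FirewallRule.RuleType.DENY, Firewall.AddressType.IPV4);
            rule.setIpAddress("*");   // any remote address
            rule.setPortNumber("*");  // any port
            rule.setStrNetworkInterface(interfaceNames[i]);
            rules[i] = rule;
        }
        return rules;
    }

    /** Adds the rules and enables the firewall only if every rule was accepted. */
    public static void blockInterfaces(Context ctx, String... interfaceNames) {
        Firewall firewall = EnterpriseDeviceManager.getInstance(ctx).getFirewall();
        FirewallResponse[] responses = firewall.addRules(denyRulesFor(interfaceNames));
        for (FirewallResponse response : responses) {
            // Stop on the first rejected rule instead of enabling a partial policy.
            if (response.getResult() != FirewallResponse.Result.SUCCESS) {
                throw new IllegalStateException(
                        "Firewall rule rejected: " + response.getMessage());
            }
        }
        firewall.enableFirewall(true);
    }
}
```

For example, blockInterfaces(context, "eth+") would cover every wired interface on the device while leaving wlan0 untouched.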
For more information about defining firewalls, see Firewalls.
This release deprecates the following API methods and constants:
See also the complete list of Deprecated API methods.
For more information
To learn more about the Knox SDK, check out these resources: