Prepare Knox for Android 11
Samsung Knox supports the new work profile on company-owned device introduced in Android 11.
Knox policies fall into two categories based on privacy guidelines:
- Policies that don’t infringe on personal privacy and are available to the profile owner of the new work profile on company-owned device. For a complete list of these, see Knox policies in the personal profile.
- Policies that may infringe on privacy and are not available to the profile owner of the new work profile on company-owned device.
During the Android 11 upgrade from the deprecated fully managed device with a work profile to the new work profile on company-owned device:
- The device owner is disabled.
- Knox policies available in the new work profile on company-owned device and called by UEMs are silently migrated to the profile owner. The profile owner retains existing Knox permissions granted through the Knox license, even though the device owner (from User 0) is disabled.
- Knox policies not available in the new work profile on company-owned devices will be unset.

If you are currently using the fully managed device with a work profile, which is deprecated in Android 11, review the Knox policies you are setting and ensure they are still available as Knox policies in the personal profile on the new work profile on company-owned device.
The following Knox areas are impacted by Android 11 and can result in service disruptions if not prepared properly before the Android 11 upgrade. Please read carefully and follow the recommendations.
Below are specific Knox areas to consider with regard to the upcoming changes.
A Knox license grants permission to a package in the platform. Knox permissions are of type signature and shared across users (User 0/10) for the same package.
During migration from the fully managed device with a work profile to the new work profile on company-owned devices, the profile owner retains existing Knox permissions even though the device owner from User 0 is disabled. This holds provided the device owner and profile owner are associated with the same package name.
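The pre-upgrade policy review and the package-name condition described above can be scripted. The following is an added example, not Samsung's code: it applies the migration rules stated on this page to the policies a UEM sets today. The `plan_migration` helper and all policy and package names are constructed placeholders; the allow-list has to be filled in from the Knox policies in the personal profile list.

```python
from dataclasses import dataclass, field


@dataclass
class MigrationPlan:
    migrated: list = field(default_factory=list)  # silently moved to the profile owner
    unset: list = field(default_factory=list)     # dropped during the upgrade
    permissions_retained: bool = False            # Knox license permissions carry over
    warnings: list = field(default_factory=list)


def plan_migration(uem_policies, allowed_in_personal_profile,
                   device_owner_pkg, profile_owner_pkg):
    """Predict the Android 11 upgrade outcome for policies a UEM sets today."""
    allowed = set(allowed_in_personal_profile)
    plan = MigrationPlan()
    # De-duplicate and sort so the report is stable across runs.
    for name in sorted(set(uem_policies)):
        (plan.migrated if name in allowed else plan.unset).append(name)
    # The page states retention only for matching owner package names.
    plan.permissions_retained = device_owner_pkg == profile_owner_pkg
    if not plan.permissions_retained:
        plan.warnings.append(
            f"device owner {device_owner_pkg!r} and profile owner "
            f"{profile_owner_pkg!r} differ: permission retention is not covered")
    if plan.unset:
        plan.warnings.append(
            f"{len(plan.unset)} policy(ies) will be unset: " + ", ".join(plan.unset))
    return plan


# Constructed sample input: placeholder policy and package names.
SAMPLE_ALLOWED = {"example.policy.app_allowlist", "example.policy.camera"}
SAMPLE_UEM_POLICIES = ["example.policy.camera", "example.policy.call_log",
                       "example.policy.app_allowlist", "example.policy.camera"]

if __name__ == "__main__":
    plan = plan_migration(SAMPLE_UEM_POLICIES, SAMPLE_ALLOWED,
                          "com.example.uem", "com.example.uem")
    print("migrated:", plan.migrated)
    print("unset:   ", plan.unset)
    print("permissions retained:", plan.permissions_retained)
    for warning in plan.warnings:
        print("WARNING:", warning)
```

Any policy reported under `unset` stops being enforced after the upgrade, so it needs a replacement control or an accepted gap before the device moves to Android 11.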
There is a new way to call Knox SDK APIs in the new work profile on company-owned devices mode.
Similar to the work profile on a personally owned device, the profile owner for a work profile on company-owned devices can use the Knox SDK user and container scope APIs for its own user space (profile) management.
For personal profile management, the profile owner of a work profile on company-owned devices must first create a parent instance before calling a Knox policy. Use either of the following new Knox 3.7 API methods:
To call the API:
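```java
// Parent instance of EnterpriseDeviceManager (personal profile management)
EnterpriseDeviceManager edm = EnterpriseDeviceManager.getParentInstance(context);
ApplicationPolicy appPolicy = edm.getApplicationPolicy();
// Call Knox policy for parent

// Parent instance of EnterpriseKnoxManager (personal profile management)
EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getParentInstance(context);
AdvancedRestrictionPolicy restrictionPolicy = ekm.getAdvancedRestrictionPolicy();
// Call Knox policy for parent
```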
- Only work profiles on company-owned devices can call getParentInstance, otherwise an exception will be thrown.
- Only allowed Knox APIs in the personal profile can be called, otherwise an exception will be thrown.
For details about the impact of Android 11 on individual Knox services, see:
- Knox Audit Log
- Knox Configure (KC)
- Knox Deployment App (KDA)
- Knox DualDAR
- Knox E-FOTA
- Knox firewall and domain filter
- Knox global proxy
- Knox Mobile Enrollment (KME)
- Knox Manage
- Knox Network Platform Analytics (NPA)
- Knox Sensitive Data Protection (SDP) and Samsung Email
- Knox Service Plugin (KSP)
- Knox VPNs
- Universal Credential Manager (UCM)