- Welcome
- Basics
- Device apps
- Overview
- SDK Licenses
- Knox SDK
- Overview
- About the SDK
- What's new
- Get started
- Tutorials
- API Reference
- Package / class overview
- Full API Reference
- Deprecated API methods
- Features
- Sample Apps
- Overview
- Get started with the Knox SDK
- Get started with KPE Premium licenses
- Knox and Android Work Profiles
- Knox Attestation
- Kiosk Mode
- Samsung DeX Mode
- Knox Container
- Knox SDK Backwards Compatibility
- Application Management
- Microsoft Exchange Accounts
- VPN Configuration
- Client Certificate Manager (CCM)
- Tools
- FAQs
- FAQ Index
- General
- What is the Samsung Knox SDK?
- Where can I obtain a white paper for Samsung Knox?
- What versions of Android support the Knox SDK?
- How can I check if my device firmware is an engineering or commercial build?
- How can I access the binaries before they are released?
- What is a deprecated API method?
- What are the features by default set to hidden/disabled in ProKiosk mode?
- What are credentials?
- What is Knox TIMA CCM?
- Is Knox supported on other platforms, such as windows?
- Which hardware control features can be managed inside Knox Workspace, using the Knox SDK?
- Why do a few Knox SDK APIs not work on some devices?
- Can Google Play used to deploy Knox apps?
- Can I use managed configurations for Samsung Knox features?
- Can a third-party app use the Knox SDK to get LDAP information?
- How do I enable users to select a 3rd party keyboard?
- How does my device's serial number change with Knox 3.2.1?
- If I don’t use the UCM APIs of the Knox SDK, what are my options for credential storage?
- Installation
- How do I use an SDK packaged as an Eclipse IDE add-on with the Android Studio IDE?
- Is it possible to install an app silently on a device using Knox SDK?
- Why am I still able to download an app even though I have added it to blacklist with the method addAppPackageNameToBlackList(), from the Knox SDK?
- How can an app find out which apps are installed in and outside a container, using the Knox SDK?
- How can an app block the installation of a non-trusted app, using the Knox SDK?
- What does "Security policy prevents installation of this application" mean?
- Can I prevent an end user from installing certificates, with the Knox SDK?
- Does API method installApplication(String packageName) download apps from the play store and install them silently?
- Does the API method setApplicationUninstallationDisabled disable the uninstallation of apps inside the container, when using the Knox SDK?
- Why is the installCertificate API method not successfully installing a certificate on my device?
- Licensing
- How do I use license keys?
- What is the KPE Premium license key and why should I use it?
- What is the backwards compatible key?
- When do I need to use the backwards compatible key?
- Do I need to associate my app with a backwards compatible key?
- How have license key names changed?
- When is the ELM key service terminated?
- What will happen to existing commercial KLM license keys?
- What will happen to existing commercial ELM license keys?
- What should I do if I want to service my app which uses ELM?
- Would the legacy ELM and KLM keys still work with the Knox Platform for Enterprise (KPE) key?
- Which keys can be used in combination with each other?
- What is automatic license seat release?
- What are license permissions?
- What is the difference between Standard and Premium permissions?
- How do I declare permissions?
- Customization
- SDP
- UCM
- Samsung DeX
- Containers
- How does an app detect if a container was created using the Knox SDK?
- How do I install the MDM agent inside the Knox container?
- I have created a "container only mode" container and I am locked inside, using the Knox SDK. How do I exit?
- Why do I get error KnoxContainerManager.ERROR_INTERNAL_ERROR(-1014) while creating a container?
- ELM end of service
- KBAs
- Deprecations
- DA Deprecation
- DA deprecation
- DA deprecation and Samsung
- DA deprecation and VMware
- FAQs
- FAQ Index
- What is DA Deprecation?
- What is being deprecated with device admin?
- What is API level 29, as it relates to DA deprecation?
- What is the impact of DA deprecation to Knox?
- As a Knox partner, what do I need to do?
- What happens to DA apps when upgraded to Android Q?
- When can I safely upgrade to Android Q?
- What if a device already has Android Q?
- Can my DA app coexist with a UEM app running as DO?
- Are there changes to Knox Configure due to DA deprecation?
- Can I use my DA app alongside Knox Configure?
- Does KME still support device enrollment using DA?
- As DA is not in Android Q, can I enroll via KME to Work Profile?
- DA Deprecation
- Knox Tizen SDK
- Overview
- About the SDK
- What's new
- Get started
- Tutorials
- API Reference
- Sample Apps
- FAQs
- FAQ Index
- General
- How is Tizen related to Knox?
- Which devices support the Knox Tizen SDK for Wearables?
- What version of the Tizen SDK should I install before installing the Samsung Knox Tizen SDK for Wearables?
- Should I install any extension SDK before installing the Samsung Knox Tizen SDK for Wearables?
- What are the modes in which you can use the Samsung wearable device?
- What are the supported Wi-Fi security types?
- How do I get the attestation blob?
- What is a nonce and why is it valid for a short time period?
- What is ProKiosk mode?
- Licensing
- Samsung EDU SDK
- Overview
- About the SDK
- What's new
- Get started
- Tutorial
- Features
- API Reference
- Sample App
- FAQs
- FAQ Index
- General
- What is Samsung EDU SDK ?
- Which devices support the Samsung EDU SDK?
- Who does Samsung EDU SDK benefit?
- How does Samsung EDU SDK benefit 3rd party developers?
- What features can I implement with Samsung EDU SDK?
- How many students can EDU SDK support in a single session?
- What agents are supported in EDU SDK?
- What is a Custom agent?
- Can a teacher lock a student's device?
- Licensing
- Usage
- Can the EDU SDK be used with non-Samsung devices?
- Can Samsung EDU SDK be used in both tablets and smartphones?
- Does EDU SDK work with AllShare cast?
- Does the Samsung EDU SDK have any limitations when used remotely?
- How do I capture logs from a device to submit to technical Q&A?
- What is BaseAgent?
- What is the Smart graph feature? How can it be used?
- Samsung India Identity SDK
- Overview
- About the SDK
- What's new
- Get started
- Features
- API Reference
- Sample Apps
- FAQs
- FAQ Index
- General
- Installation
- Licensing
- Usage
- How do I verify if my device supports Samsung India Identity SDK?
- Should I capture the IRIS image of one or both eyes?
- When do I use the UIDAI Staging server and UIDAI Production server?
- What are the URLs that need to be whitelisted for enterprise-managed devices using the Samsung India Identity SDK APIs?
- Who is impacted by the upgrade of the biometric public devices to registered devices?
- Is there any hardware change required to upgrade the public devices to registered devices?
- What are the application (APK) changes required to upgrade the public devices to registered devices?
- Web services
- Overview
- Cloud Authentication
- Knox Deployment Program
- Knox Mobile Enrollment
- Knox Configure
- Knox Attestation
- Knox E-FOTA
- Overview
- About Knox E-FOTA
- What's new
- Get started
- Tutorial
- API Reference
- FAQs
- FAQ Index
- General
- What is Knox Enterprise FOTA (E-FOTA)?
- What are the main features of Knox E-FOTA?
- What industries benefit from Knox E-FOTA?
- Why do enterprise customers need Knox E-FOTA?
- What benefits do MDM developers get from Knox E-FOTA?
- What Samsung devices support Knox E-FOTA?
- Is there a server dedicated to Knox E-FOTA?
- If I sent a request in JSON for Knox E-FOTA, will I receive a JSON return instead of XML?
- Can I use Knox E-FOTA v1 APIs in combination with Knox E-FOTA v2 APIs?
- What is the main difference between FOTA and Knox E-FOTA?
- What types of firmware updates does Knox E-FOTA manage?
- With FOTA, can you skip a firmware version and upgrade to the subsequent version?
- Can I use Knox E-FOTA to set the highest firmware version allowed on multiple devices?
- Does Knox E-FOTA support firmware downgrades?
- Do customers need to have a contract with Samsung to use a site license for Knox E-FOTA?
- How can the FOTA server identify devices that use Knox E-FOTA?
- What are the device requirements for a Knox E-FOTA update?
- Are there any restrictions on what firmware can be downloaded using Knox E-FOTA?
- How can I get release notes for Samsung firmware releases?
- What if a firmware update is performed on a device that has a higher firmware version than the update?
- Is there a way to avoid incurring mobile charges when using Knox E-FOTA?
- What licenses are required to use Knox E-FOTA?
- Can carrier devices use Knox E-FOTA?
- Installation
- Usage
- If I don’t use Knox E-FOTA, what are my options for managing firmware?
- When using Knox E-FOTA, what if a device already has a firmware version higher than the version that we need to update to?
- When using Knox E-FOTA, does a forced firmware update still ask the device user to agree to the update?
- Where can I get release notes for each Samsung firmware version?
- Appendix
- Managed configurations
- Introduction
- Deploy managed configurations
- FAQs
- FAQ Index
- What are managed configurations?
- Why should I use managed configurations?
- How do managed configurations work?
- Can I use managed configurations for Samsung Knox features?
- What is a managed configurations XML schema file?
- Which Samsung apps support managed configurations?
- How do I deploy managed configurations on an MDM console?
- Where can I get the XML schemas for Samsung apps that support managed configurations?
- Is there sample code showing how an MDM web console can deploy an iframe that renders a managed configurations XML schema?
- What email app is preloaded on Samsung devices?
- Knox Service Plugin
- Samsung Email
Knox Service Plugin
If you are not already familiar with the Knox Service Plugin (KSP), browse the KSP Admin Guide and Release Notes.
Minimally, to support managed configurations, you can use an iframe to display configurable settings, as described in Deploy managed configurations. To support the KSP implementation of OEMConfig, you must support the following:
- advanced app restrictions-including multi-level nested schema to render managed configuration of KSP. Note the special considerations in Schema section that follows, and ensure support for these features.
- feedback channel-based on an SDK provided by Google, to fetch results back from the KSP Agent and display them on your web console.
Schema
Considering the extensive Samsung Knox feature set, readability and usability is a major concern. To address potential usability concerns, KSP uses a schema with up to four nesting levels with a combination of:
<bundle><bundle_array>- one of the basic types:
boolean,string,integer,choiceandmulti-select
In particular, you should note that the OEMConfig (advanced app restrictions) schema relaxes the constraints that a normal application restrictions schema places on applications that have managed configurations. For example, a bundle can exist outside of a bundle_array and more than two levels of nesting is allowed.
The image below shows the high level categories of policies and common configurations. It has four main components.
- Basic elements-General operational controls for KSP. For example, turn on debug mode or input a KPE license key.
- Device-wide policies section-Device Owner (DO) policy controls. These are of global scope.
- Work profile policies section-Profile Owner (PO) policy controls. These apply to only the Knox Workspace.
- Configurations-Specific configuration properties that are used in conjunction with policy controls. For example, VPN profile settings, APN settings, or DeX customization settings. These can be used on either device-wide policies or work profile policies.
You can set up a simple iframe to show the KSP schema file. For details, see the General Steps. Here is an example of how the KSP schema looks:
Note a few salient points on the schema and elements used by KSP:
- Uses 4 levels of nesting in its schema, which the MDM console should be able to parse and handle while rendering the UI.
- Uses an element of hidden restriction type (for example,
android:restrictionType="hidden") that the MDM console should not display to the user, but must pass to the device along with the rest of managed configuration data to KSP. An example of this type of data isschema version, which helps KSP recognize and parse the incoming data elements appropriately. - Uses the following types of bundles:
- Bundle within bundle-Biometric authentication inside Password policy
- Bundle-array within bundle-Application shortcuts within DeX Configuration
- Bundle within a Bundle-array-Single VPN profile within VPN Profiles array
- Specifies default values for elements of type Boolean, String, Integer, Choice and Multi-select. The MDM console should honor these values when loading the schema from Play store to render UI for customers.
Use models
The KSP Agent supports Android Enterprise deployments based on DO, PO, and COMP modes. However, KSP does not support legacy deployments such Knox Workspace Corporate Liable (CL) and Container Only Mode (COM).
| Deployment Mode | Supported OS version |
| DO mode | Android O and above, with Knox 3.x |
| PO and COMP mode | Android P and above, with Knox 3.2.1 |
Use cases to test
We suggest testing your system with following KSP use-cases:
- Use the console to find the KSP Agent in the Google Play store, set up, and save Knox policies using the agent.
- Publish the policy to one or more devices. Install the KSP on target device and upon launch it will execute the Knox policies.
- Use the console to modify an existing policy and push an updated policy to an already provisioned device.
- Check operation on a device with Android P and optionally on a device with Android O.
- Check operation by deployment mode: DO and PO.
- If the MDM supports a feedback channel, then also test that results from KSP are received and displayed on the console.
Additional recommendations
There are a few additional recommendations to consider when supporting KSP, including:
- Support OEMConfig apps differently on the MDM console, as compared to normal applications that support managed configurations. This is because some steps and options typically supported for normal apps such as enforce VPN may not apply for OEMConfig app.
- We strongly recommend enabling the auto update setting for the OEMConfig apps. This reduces issues when an IT Admin uses a newer version of KSP to set a policy on the console, while some of the managed devices use an older version of KSP, and consequently cannot apply the policies.
- Restrict users from deleting individual policies or policy groups on the console, as this might cause issues in subsequent policy updates if a user wants to add back a deleted policy.
- Include all the elements in the managed configuration data pushed to KSP, even if IT admin did not modify some policies while editing the configurations. KSP can then correctly identify delta and interdependencies.
- Remember to not show hidden restriction types to users. Hidden restrictions are reserved for the MDM backend and/or KSP only.
- An MDM Agent that supports KPE Premium License activation should continue to do it.
License handling
KSP supports license activation but there are nuances in the behavior. KSP cannot deactivate license since DO or work profile un-enrollment most often involves wiping device data including the KSP application. In such cases, the license seat is usually released by Knox license service with Automatic Seat Release mechanism after a 60-day inactivity period.
To enable seamless experience for IT Admins and to ensure that Android O devices can also benefit from KSP:
- We recommend that you continue to support the KPE Premium License on the console along with activation and deactivation in their device agent, as they have in the past.
- As recommended by Google, MDMs call
wipeDatafollowing DO and PO un-enrollment.
KSP app for reference
As part of OEMConfig development, you can refer the KSP app published at https://play.google.com/store/apps/details?id=com.samsung.android.knox.kpu. This can help test console UI and deliver managed configurations to the KSP app using the Managed Google Play store.
To try out the KSP app, follow these steps. For detailed steps on how to set up policy and test, refer to the KSP Basic Examples.
- On the console:
- Use managed Play store to search for Knox Service Plugin and add it to the list of approved apps
- Set up a Knox policy as managed configuration. The exact steps depend on the MDM console. To see how to set up KSP in different MDM consoles, see the KSP Admin Guide.
- Save the configuration and publish to one or more test devices, running Android O or P and DO deployment.
- On the test device running Android P (with Knox 3.2.1 or above):
- Follow the normal device provisioning steps required for the MDM.
- Verify that the KSP app is installed by the Google Play store client.
- If verbose mode is enabled, then check that KSP agent shows a log printed on UI to confirm that managed configuration is received correctly.
- If verbose mode is off, then check that KSP shows a notification indicating that Knox policies are processed successfully.
- If the test device is running Android O (with Knox 3.x):
- Follow the normal device provisioning steps required for the MDM.
- Verify that the KSP app is installed by the Google Play store client.
- Manually launch the app.
- Click on Apply latest policies.
- Check the log on the UI to confirm that managed configuration is received correctly.
