What is KSP
On this page
The Knox Service Plugin (KSP) is a channel that enables Enterprise Customers—through the use of their chosen UEM partner console—to use Knox Platform for Enterprise features as soon as they are commercially available. This automatic deployment method ensures that IT admins can use the latest Knox features on the day it is launched, instead of waiting for their UEM to specifically integrate the features
Knox Platform for Enterprise (KPE) brings defense-grade security on the most popular consumer devices to all enterprises. It provides best-in-class hardware-based security, policy management, and compliance capabilities beyond the standard features in Android. Knox is the cornerstone of a strong mobile security strategy supporting a wide variety of Samsung devices.
This section introduces you to the Knox Service Plugin (KSP), explains how it works and outlines the architecture and deployment process.
KSP provides the following benefits:
- Help enterprise customers deploy existing and new Knox features to their devices almost instantly after features are commercially launched.
- Leverage the UEM’s framework and UI to offer enterprise customers better control over distribution and configuration of KPE features.
- Make sure all features of KPE are available for use, regardless of which UEM you choose.
- Minimize a UEM's development cost of supporting KPE features.
How it works
KSP is built on top of Android's new OEMConfig. This is a feature that allows you to remotely push configurations to apps through an schema file that is hosted in an app on Google Play. This means that any UEM that complies with the OEMConfig standard can support KSP. Here is an overview of how it works.
- App developers implement logic to support managed configurations in their apps. They define which app settings can be remotely configured in an XML schema file in their Android app. This schema is linked to the app’s manifest file. Once done, app developers push their app to Managed Google Play.
- UEM developers implement logic to pull the managed configurations schemas from apps on Managed Play. These schemas can then be used to allow IT admins to specify how they want to configure app settings. After the IT admin saves their configuration, the MDM pushes the configuration to Managed Google Play.
- Once an app configuration is updated and pushed to Managed Google Play, the app is updated on all applicable devices to reflect the new configuration.
Here is an example of a KSP policy in a UEM console. Note that the various implementation, appearance and menu structure of how these policies look may vary depending on which UEM you are using.
The KSP deployment process is as follows:
- The latest KSP Agent is published by Samsung to the Google Play store.
- IT Admins use their compatible UEM console (that supports a managed Google Play store) to search for KSP.
- The UEM Console renders the applicable Knox features and policies using OEM Config.
- IT Admins use the UEM console to set up policies in the form of Managed Configurations. These are then saved and published to any managed enterprise devices.
- When a user's device is being provisioned, the UEM invokes the managed Google Play Store, which in turn installs KSP and pushes the managed configuration to the device.
- After installation is complete, KSP runs in the background on the device. KSP applies the relevant Knox policies and returns the result of the configuration process using Google's Feedback SDK.
- IT Admins can view any configuration failures and associated error messages on the UEM Console, provided the UEM is equipped to handle the result that KSP generates and sends back using the feedback SDK.