Knox Service Plugin: Everything you need to know

John Blaine

Nov 23, 2021

In 2019, Samsung announced its support for Android OEMConfig by launching the Knox Service Plugin. The main purpose of Knox Service Plugin was to offer its customers immediate access to existing and new features of Knox Platform for Enterprise. Today, Knox Service Plugin offers services to all Samsung devices, with plans to extend its services to other Samsung devices, wearables and displays.

So, what is Knox Service Plugin?

Samsung’s Knox Service Plugin (KSP) is a solution that allows UEM customers to access the latest features of Knox Platform for Enterprise (KPE) right after their release, through a preferred UEM solution vendor like Hexnode UEM. KSP’s automatic deployment grants IT admins access to Knox’s latest features on the day of launch, rather than waiting for their UEM to integrate the features. Hexnode UEM offers integration with Knox Service Plugin that allows users to experience over-the-air deployment and updates on Samsung devices.

KSP is Samsung’s OEMConfig app that uses managed configurations to configure OEM-specific device features. With OEMConfig, you can create and push configurations to apps through an XML schema file in an app on Google Play, meaning any UEM in compliance with the OEMConfig standard can set up KSP.

Pre-requisites of Knox Service Plugin

  • Samsung devices that support Knox and run Android 9.0 (Knox 3.2.1) or higher.
  • Devices set up using one of the following Android Enterprise deployments: Managed Device (Device Owner), Work Profile (Profile Owner), or fully managed with a work profile. KSP works with the following Android Enterprise deployment modes:
    • Android 8.0: Fully managed device deployments only.
    • Android 9.0, 10.0: Fully managed device (Device Owner), Work Profile, fully managed device with a work profile, and Android dedicated device (COSU, Corporate-Owned Single Use) mode.
    • Android 11 and higher: Fully managed device (Device Owner), Work Profile on personally owned devices, Work Profile on company-owned devices.
  • A valid Knox Platform for Enterprise (KPE) license for each of the devices managed with KSP.
    • If you want to deploy premium policies, Knox’s Premium license provides advanced security features, kiosks, and device customization.
  • For the KSP implementation of OEMConfig, you must support:
    • Advanced app restrictions: Includes the multi-level nested schema used to render the managed configuration of KSP.
    • Feedback channel: KSP uses the feedback channel to return feedback to your UEM console. This allows IT admins to monitor the configuration status, for example to detect and resolve errors.
  • A Unified Endpoint Management (UEM) solution that supports advanced app restrictions and the feedback channel, allows OEMConfig app customization, and enables the auto-update setting.

How does it work?

The Knox Service Plugin deployment process involves the following steps:

  1. Samsung releases the latest Knox Service Plugin Agent to the Google Play Store.
  2. From your Hexnode UEM console, go to Apps, search for Knox Service Plugin under Managed Google Apps, approve the selection and add KSP to the Hexnode app repository.
  3. The Hexnode UEM console deploys the applicable Knox features and policies using OEMConfig.
  4. Set up policies in the form of Managed app configurations, which are saved and published to the managed enterprise devices.
  5. The app settings and configurations are grouped into four categories: Basic Elements, Device Wide Policies, Work Profile Policies (Profile Owner) and Common Configurations. You can check out Knox’s example schema to know more about the configurations.
  6. When a user’s device is being provisioned, Hexnode UEM invokes the managed Google Play Store, installs KSP and pushes the managed configuration to the device.
  7. After installation, the KSP app runs in the background on the device, applies the Knox policies and returns the result of the configuration process.
  8. Samsung releases KSP updates every month, and the app is updated automatically. So, devices with existing versions of KSP receive the latest features as well, without the need to manually update the app.

What are the key features of Knox Service Plugin?

With the Knox Service Plugin, you can configure and manage various Samsung device features:

  • Security: User authentication methods, multi-factor authentication, certificate management and DualDAR data encryption
  • Connections: Wi-Fi, Bluetooth, cellular data, tethering, USB, developer mode, NFC, APN, enterprise billing and global proxy
  • VPN: VPN providers, types and chaining, device scope, bypass, proxy and UID/PID metadata
  • App Management: Notifications, battery optimization and whitelisted device admins
  • Customization: Quick panel, battery protection and app suggestions
  • Firmware Updates: Over-The-Air updates, over Wi-Fi updates and recovery mode
  • Restrictions: Power and data saver modes, external storage encryption, Dual SIMs, Microphone, Sharing, common criteria and remote control
  • Samsung DeX: Ethernet/MAC connection, bootup experience, desktop layout, apps available, app launch, shortcuts and DeX panel

Benefits

Samsung Knox Service Plugin provides customers access to Knox’s existing and new features as soon as they are launched commercially. Apart from this, the other benefits include:

  • Automatic Firmware Over-The-Air updates on enterprise Samsung devices.
  • Availability of all KPE features, regardless of which UEM you choose.

Knox Service Plugin helps UEM partners:

  • Remove the need for a separate app or months of development time to integrate new features to the UEM.
  • With managed configurations, UEM providers can roll out new features as soon as they’re released, with minimal development from their side. This minimizes the development cost, while ensuring that customers receive the latest updates.

Knox Service Plugin capabilities with Hexnode UEM

Device Restrictions

Enable device restriction controls: Use this control to enable or disable restriction controls for the device.

Allow Microphone: Use this setting to disable the microphone without user interaction.

Allow Wi-Fi: Use this control to allow or restrict the device’s ability to connect to Wi-Fi networks.

Allow Wi-Fi Direct: Use this control to allow or restrict the device’s ability to connect to Wi-Fi Direct networks.

Allow Bluetooth: Use this control to allow or restrict the device’s ability to make Bluetooth connections.

Allow cellular data: Use this control to allow or restrict the device’s ability to use the cellular data connection.

Allow VPN connections: Use this control to enable or disable VPN connections on the device.

Allow power saving mode: Use this control to allow or prevent the device from entering Power Saver mode automatically.

Enforce external storage encryption: Use this control to enable external storage (SD Card) encryption.

Allow user to modify Settings: Use this control to allow or restrict the user from changing the device settings.

Allow developer mode: Use this control to allow or prevent the device from entering developer mode.

Allow camera: Use this control to enable or disable the camera.

Allow USB debugging: Use this control to allow or prevent the device from entering USB debugging mode.


Firmware update (FOTA) policy

Enable E-FOTA client installation and launch: Use this control to enable or disable installation and launch of E-FOTA client.

Enforce firmware auto-update on Wi-Fi (Premium): Use this control to enable or disable automatic firmware updates when the device is connected to a Wi-Fi network.

Allow firmware update in recovery mode: Use this control to enable or disable firmware updates when the device is in recovery mode.

Allow firmware update over-the-air: Use this control to enable or disable firmware updates using Firmware-Over-The-Air (FOTA) technology.

Enable firmware controls: Use this control to enable or disable advanced firmware update options.


Password policy

Enable password policy controls with KSP: Use this control to allow management of password policies on the device.

Biometric authentication: Policies to manage the biometric authentication option without user interaction.

Enable multi factor authentication (Premium): Use this control to enable or disable multifactor authentication (2FA).

Password Change (Premium): A group of policies to manage password change.

Maximum Failed Password Attempt to Wipe Data: Enter the maximum number of failed passwords allowed until the data in the device is wiped.

Define Password Quality: Select the level of complexity you would like to define for the device password, from No Password to Complex Password (letter, numeric, alphanumeric) and Numeric Complex.

Enable password visibility: Use this policy to control the visibility of the password while typing.


Advanced Restriction policies (Premium)

Set USB Device Connection Type: Use this control to select the USB connection type.

Wi-Fi Advanced Detect suspicious network: A group of controls to configure WIPS to prevent unauthorized access by wireless devices to local area networks and other information assets.

Allow dual SIM operation: Use this control to enable or disable the secondary SIM card slot on a dual SIM device.

Enable Common Criteria mode: Use this control to enable services to bring the device into the Common Criteria-evaluated configuration.

Allow remote control: Use this control to block connections to the device from third-party remote-control apps.

Allow Bluetooth scanning: Use this control to block the device from scanning for Bluetooth devices in range to improve the accuracy of location detection.

Allow Wi-Fi scanning: Use this control to block the device from scanning for Wi-Fi networks in range to improve the accuracy of location detection.

Enable Advanced Restrictions controls: Use this control to enable advanced controls on the device.


VPN policies (Premium)

Enable VPN chaining: Use this control to enable the use of two VPNs to double-encrypt the data traffic from apps added to the VPN profile.

Manage list of apps that can bypass VPN: Use these controls to add a list of applications at a device-wide or Work profile/Separated Apps specific level that can bypass VPN and connect to the network directly.

Enable on-demand VPN: For a fully managed device with or without a Work profile/Separated Apps, enter a comma-separated list of package names to specify apps that can use VPN connections.

Manage list of apps that use VPN: Use these controls to add a list of applications at a device-wide or Work profile/Separated Apps specific level that can use VPN and connect to the network directly.

VPN type: Choose the VPN type applicable to the apps on the device.

Enable VPN controls: Use this control to enable or disable VPN controls for the device.
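
Each policy group above has its own "Enable ... controls" switch, so a hardened value can sit in the managed configuration and still never reach the device. The audit below is an added example, not Samsung's or Hexnode's code; it assumes the group switch gates its child settings, and every key name and the baseline values are hypothetical stand-ins, not the real KSP schema keys.

```python
# Added example. Key names are hypothetical stand-ins for the controls listed
# on this page; they are NOT the real KSP schema keys.
BASELINE = {
    "deviceRestrictions": {
        "gate": "enableDeviceRestrictionControls",
        "require": {"allowUsbDebugging": False, "allowDeveloperMode": False,
                    "enforceExternalStorageEncryption": True},
    },
    "passwordPolicy": {
        "gate": "enablePasswordPolicyControls",
        "require": {"enablePasswordVisibility": False},
        "at_most": {"maxFailedAttemptsToWipe": 10},  # assumed baseline value
    },
}

def audit(config):
    """Return (group, key, status) findings for one managed configuration."""
    findings = []
    for group, rule in BASELINE.items():
        values = config.get(group, {})
        gate_on = values.get(rule["gate"]) is True
        checks = [(k, lambda v, w=w: v is w)
                  for k, w in rule.get("require", {}).items()]
        checks += [(k, lambda v, m=m: type(v) is int and 0 < v <= m)
                   for k, m in rule.get("at_most", {}).items()]
        for key, ok in checks:
            if key not in values:
                findings.append((group, key, "unset"))
            elif not ok(values[key]):
                findings.append((group, key, "weak"))
            elif not gate_on:
                # Value is fine, but the group's enable control is off,
                # so (under the stated assumption) it is never applied.
                findings.append((group, key, "ineffective"))
    return findings

# Constructed sample configurations (not exported from a real console).
WEAK = {
    "deviceRestrictions": {"enableDeviceRestrictionControls": False,
                           "allowUsbDebugging": False, "allowDeveloperMode": True},
    "passwordPolicy": {"enablePasswordPolicyControls": True,
                       "enablePasswordVisibility": False, "maxFailedAttemptsToWipe": 0},
}
HARDENED = {
    "deviceRestrictions": {"enableDeviceRestrictionControls": True,
                           "allowUsbDebugging": False, "allowDeveloperMode": False,
                           "enforceExternalStorageEncryption": True},
    "passwordPolicy": {"enablePasswordPolicyControls": True,
                       "enablePasswordVisibility": False, "maxFailedAttemptsToWipe": 8},
}

if __name__ == "__main__":
    for finding in audit(WEAK):
        print(finding)
```

Run it against the configuration saved in the UEM console before publishing, and compare the findings with the status KSP returns over the feedback channel after deployment.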


With Knox Service Plugin, users have immediate access to the latest Knox features, improving workplace efficiency, safety and providing customer satisfaction worldwide.
Hexnode UEM, now a Samsung Knox validated partner, can assist IT admins in ensuring maximum productivity at the workplace.