Category Filter

Configure OEMConfig for Samsung devices with Knox Service Plugin

OEMConfig is a standard used for adding, creating, and customizing device-specific settings on Android Enterprise enrolled devices that address different kinds of enterprise use cases. The Knox Service Plugin (KSP) from Samsung Knox is one such OEMConfig app that allows enterprises to access all the latest Knox Platform for Enterprises (KPE) features as it gets released. The OEMConfig app enables you to reduce the time delay between a device-specific feature release and the feature incorporation into the UEM. This enables you to roll out the feature customization in no time.

To configure Knox devices with OEMConfig,

  1. Enroll your organization in the Android Enterprise.
  2. Enroll the device in the Android Enterprise (Device Owner, Profile Owner or Knox Device Owner).
  3. Approve and add Knox Service Plugin (KSP) to the Hexnode app repository.
  4. Set up the app configurations for KSP.
  5. Associate the configurations with target entities.

Add Knox Service Plugin to the app inventory

  1. On your Hexnode UEM console, navigate to the Apps tab.
  2. Click on +Add Apps > Managed Google Apps.
  3. Search for Knox Service Plugin and select the app.
  4. Click on Approve.
  5. A pop-up specifying the permissions required by the app will be displayed. Go through it and click Approve.
  6. This will take you to the Approval Settings page. Select a method by which you would handle new app permission requests. You can choose from:
    1. Keep approved when app requests new permissions: Select this to ensure that the app is kept approved in the portal even if new permissions are requested. The users will be able to install the updated app.
    2. Revoke app approval when this app requests new permissions: Select this option to remove the app from the app repository until it is reapproved when it requests new permissions.
  7. On the same pop-up wizard, navigate to the Notifications tab. To subscribe to email notifications when the approved apps request new permissions, enter the email address in the Add subscriber field and click on Add. You can add as many subscribers as you need.
  8. Click on Done.


This will add the app to the Hexnode app repository. Before deploying the OEM configurations to the devices, you have to make sure that the Knox Service Plugin is installed on the devices. You can use the remote action Install Application or the Mandatory App policy to remotely roll out the app to the devices.

Set up App Configurations for Samsung Knox devices

  1. On your Hexnode UEM console, navigate to the Policies tab.
  2. Click on New Policy to create a new policy or edit an existing policy. Provide a policy name and description (Optional) if you are creating a new policy.
  3. Go to Android > App Management > App Configurations.
  4. Click on Configure > + Add new configuration.
  5. Search and select Knox Service Plugin from the list of apps.
  6. Configure the available settings and click Done.
  7. Click on Add.

You’ll have the following features to be configured.

Basic Elements
Basic Elements Description
Profile Name Provide a unique name to identify the profile for tracking and debugging. It is recommended to use a profile name with less than 50 characters to ensure good readability.
KPE Premium or Knox Suite License key Ignore this field if you have entered your KPE Premium License key information under Admin > Knox Platform for Enterprise. Else, enter the key in this field. This is applicable for devices running Android 9.0 and Knox v3.2.1 or later.

If you don’t have a KPE Premium or Knox Suit License key, you can purchase that from a Knox Reseller.

Debug Mode Activate debug mode to view the policy association status and error messages from the KSP app on the devices. It is recommended to enable this mode during the test phase and not during the final deployment.

Device Wide Policies

Device wide policies are a group of policies and restrictions that can be applied to all devices running Samsung Knox 3.0 or later enrolled in Android Enterprise as Device Owner.

Device Wide Policies Description
DeX policy Samsung DeX is a software that helps you to extend your phone or tablet into a desktop with a USB cable.

DeX policies are a group of policies for Samsung DeX control and customization. Basic DeX control policies are free and do not require additional licenses, whereas DeX customization policies require a KPE Premium License.

Supported on devices running Knox v3.1 or later.

VPN policy Use the VPN policies to setup and configure VPN on Knox devices enrolled in Android Enterprise as Device Owner.

These features are available only with the Knox Premium license.

Firewall and Proxy policy Use these policies to setup and configure firewall and proxy on Knox devices enrolled in Android Enterprise as Device Owner. These features are available on devices with Knox v2.7 or higher with a Premium license.
Call and Messaging control Call and Messaging control allows you to manage and restrict calls and messages on your devices.
Device Restrictions Use the device restrictions policies to limit or restrict certain functionalities and operations of devices like microphone, Bluetooth, etc.

Supported on devices running Knox v2.7 or later with a standard license.

Advanced Restriction policies Control and restrict the advanced restrictions on the devices using these policies.

These features are available only with the Knox Premium license.

Firmware update (FOTA) policy Firmware update settings can be configured and managed using the set of firmware update policies using KSP.

Supported on devices running Knox v3.0 or later.

Password Policy Password policies provide a comprehensive set of features that can be used to configure and manage passwords and other authentication mechanisms on the devices.

Work Profile Policies (Profile Owner)

Work profile policies allow you to configure restrictions and policies that can be applied to the work profile of a device. For activating work profile policies, you need to have the KPE premium license and a device running Knox v3.0 or later.

Work Profile Policies Description
VPN policy Use these policies to setup and configure VPN on your Knox devices.
Firewall policy Force firewall settings on Profile Owner enrolled devices using the Firewall policies in KSP.
Restrictions in work profile Use this policy to restrict or limit the user’s access to certain features and operations on the device.

Supported on devices running Knox v2.7 or later.

Advanced restrictions in work profile Restrict the advanced features in the device work profile using the Advanced restrictions policies.
Password policy Password policies provide a comprehensive set of features that can be used to configure and manage passwords and other authentication mechanisms on the device work profile.
Application management policies Application management policies help you to manage the applications on the work profile of your devices.

Common configurations

Common configurations are a set of policies that applies to both the device level and the Knox work profile level. These features are available for devices with the KPE Premium license.

Configurations Description
DeX customization profile Set of policies to customize DeX experience of the user in both Device Owner and Profile Owner enrolled devices.
Device and Settings customization profile (Premium) This set of policies allows you to configure and customize the user interface of the device.

Applicable for devices having the KPE premium license with customization permissions.

VPN profiles (Premium) A set of policies that helps you to drive the primary and secondary VPN clients on your devices.
Firewall configuration profile Use these settings to configure the firewall on your devices.


Once the configuration is saved, you can click on the pencil icon corresponding to the app name in the App Configurations tab to modify the configured settings.

Notes:


Turn on debug mode during the initial policy deployment or while editing the policies. Else you might have to push the policy multiple number of times for it to reach the device. This is the same while revoking the policy. Also, make sure that debug mode is turned off while the device is deployed to the end-users.

Associate target devices

If the policy has not been saved,

  1. Navigate to Policy Targets.
  2. Click on Devices/ Device Groups/ Users/ User Groups/ Domains.
  3. Choose the targets and click OK and then Save.

If you have the policy saved already,

  1. Go to Policies tab and choose the desired policy.
  2. Click on the Manage drop-down and select Associate Targets.
  3. Choose the target entities and click Associate.

You can choose devices, users, device groups, user groups, and domains as the policy targets.