How to configure and distribute Knox Service Plugin to Samsung devices?

Description

Knox Service Plugin (KSP) is an OEMConfig app with which you can configure Samsung-specific features on Knox Platform for Enterprise (KPE) enabled devices. With Mobile Device Manager Plus, IT admins can remotely configure Samsung device settings by modifying the KSP configurations on the MDM console and distributing them to the devices.

Pre-requisites

  1. Samsung devices running Android 8.0 or above with Knox 3.0 or later if enrolled as Device Owner, or Android 9.0 or later with Knox 3.2.1 or above if enrolled as Profile Owner.
  2. Managed Google Play should be configured.

Steps

Follow the steps given below to configure the app and distribute the configuration:

  • On the MDM console, click on Device Mgmt -> App Repository -> Add App -> Add Play Store Apps and search for Knox Service Plugin.
  • Click on Approve.
  • Preview the app permissions required by KSP app and click on Approve.
  • Configure the approval settings: choose whether new app permissions are updated automatically, or app installation is prevented until the app permissions have been updated manually. Additionally, specify the e-mail address to be notified of the new app permissions. Click Done to finish the approval.
  • After approving the apps, click on Save and Sync to add the approved apps to your App Repository.
  • Click on Profiles -> Create Profile -> Android -> OEM Configurations.
  • Select Knox Service Plugin as the OEM Configurations app and click on Continue.
  • On the set-up screen, you will find a list of fields where you can enter values for the configurations you want to apply.
PARAMETER | DESCRIPTION
Profile name | Provide a name for the profile.
KPE Premium License key | Enter your Knox Platform for Enterprise (KPE) License Key. You can purchase a KPE License from a Knox reseller.
Debug Mode | Enable or disable Debug Mode to know the status of the policies distributed to the device. It is recommended to enable this only during the test phase.
Device-wide policies (Device Owner) | Enable or disable this option to apply a global group of policies and restrictions that are applicable to all users of the device. Supported in Knox 3.0 and above.
DeX policy | Enable or disable DeX mode controls for the device, including managing DeX restrictions, and customization of the DeX experience for the user. Supported for Knox v3.1 or higher.
Customize DeX Experience | Enable customization of DeX mode. Supported for devices running Knox v3.1 or higher with a KPE Premium license.
DeX customization profile | Provide a DeX profile name. This profile name must match the value set as the "DeX profile name" in the DeX customization profile section.
VPN policy (Premium) | Enable or disable VPN setup and configuration. Applicable for devices provisioned as "Device Owner" with or without a Work Profile. Applicable for all Knox versions with a KPE Premium license.
VPN type | Choose the VPN type applicable to the apps on the device. For Device Owner devices without a Work Profile, choose between Device-wide or Selected Apps. For devices with a Work Profile, choose between Device-wide, Work Profile only or Selected Apps.
Manage list of apps that use VPN | Enter a comma-separated list of Bundle IDs of the apps that must connect to VPN. To use VPN for all apps, do not enter any app names. By default, all apps will be added.
Enable on-demand VPN | Configure VPN on-demand to allow specified apps to connect to VPN. When no apps are in use, VPN is terminated. By default, all apps use VPN on-demand.
Manage list of apps that can bypass VPN | Enter a comma-separated list of Bundle IDs to specify apps that can bypass VPN connections. To allow all apps to use the VPN, do not enter any app names.
Firewall and Proxy policy | Enable or disable policies for firewall setup and configuration. Applicable for all Knox versions. Enter the name of the primary firewall configuration profile that apps can use for network connections.
Enable Proxy on device | Enable or disable a global proxy on a device that routes all internet traffic through the specified proxy server. You can provide a proxy server address or a proxy auto-config (PAC) file.
Call and Messaging control | Enable or disable the phone call and text messaging functionality on the device.
Manage RCS messaging | Enable or disable RCS (Rich Communication Services) to allow messaging to be more interactive with features such as group chats, video, audio, and high-resolution images.
Set disclaimer text for messages | Set a disclaimer text, limited to 30 characters, to accompany all outgoing SMS and MMS messages from the device.
Device Restrictions | Allow or block specific operations such as Microphone, WiFi, Bluetooth, Cellular data, Camera, etc., on the user's device. Supported in Knox v2.7 or higher with a Standard license.
Tethering controls | Allow or block types of tethering such as WiFi, USB and Bluetooth tethering on the device.
Advanced Restrictions policy (Premium) | Manage advanced restriction policies such as WiFi scanning, Remote Control, dual SIM operation, etc. A KPE Premium license is required for all policies in this group.
Firmware update (FOTA) policy | Allow or block firmware updates using Firmware-Over-The-Air (FOTA). Applicable for Knox v2.0 or higher.
Password policy | Manage password policies and set up password restrictions on the device, including enabling or disabling biometric or multi-factor authentication methods to log in to the device.
Application management policies | Enable or disable advanced application management settings. Allow or exempt applications from battery usage optimizations or from showing notifications on the status bar.
Device Admin whitelisting | Allow Device Administrator (DA) privileges to the specified apps when KSP is installed on the device. By default, DA level access is blocked for all apps. KSP cannot deactivate DA level access for an app that is already activated before KSP is installed.
Device customization controls | Allow customization of the device user interface. Applicable for KPE Premium license with Customization permissions.
Device controls | Manage device controls, such as APN settings, NFC, WiFi, Bluetooth policies, etc.
Device Key Mapping (Premium) | Enable or disable this option to map hardware keys to specific actions.
Enterprise Billing Policy (Premium) | Enable or disable separate bill generation for personal and enterprise data usage, accomplished by routing respective traffic through 2 different APNs on a device. Before enabling, verify if Enterprise billing is supported by your network operator.
Universal Credential Manager policy (Premium) | Manage credentials in both external and internal device storage and enable or disable device unlock through a UCM plugin.
Certificate management policies (Premium) | Enable or disable certificate management settings for the device. You can add trusted CA certificates, disable or restrict certificates, enable certificate revocation to check the validity of certificates, etc.
Work profile policies (Profile Owner) | Enable to apply policies and restrictions to the Work Profile on the device. Restrict or allow adding apps from personal space to Work Profile and vice versa. You can also customize the Work Profile and personal tab names.
RCP policy (Premium) | Configure application-level policies for syncing data within a Work Profile container. Allow or restrict moving files from personal space to Work Profile and vice versa.
VPN policy (Premium) | Configure VPN for the apps in the Work Profile. Applicable for all Knox versions with KPE Premium license.
Firewall policy (Premium) | Configure Firewall for the apps in the Work Profile. Applicable for all Knox versions.
Restrictions in work profile (Premium) | Allow or block microphone, Camera or Share Via in the Work Profile. Applicable for Knox v2.7 or higher with a Standard license.
Advanced restrictions in work profile (Premium) | Manage advanced restriction policies such as remote control on the Work Profile.
Password policies (Premium) | Configure password policies for the Work Profile, including enabling or disabling biometric authentication, enforcing passcode change and defining password complexity.
Application management policies (Premium) | Configure policies and manage applications inside the Work Profile on the device.
Device Admin whitelisting (Premium) | Manage Device Administrator (DA) privileges to specific apps in the Work Profile, when KSP is launched on the device. By default, DA level access is blocked for all apps. KSP cannot deactivate DA level access for an app that is already activated before KSP is launched.
Enterprise Billing policy (Premium) | Enable or disable separate bill generation for personal and enterprise data usage, accomplished by routing respective traffic through 2 different APNs on a device. Before enabling, verify if Enterprise billing is supported by your network operator.
Universal Credential Manager policy (Premium) | Manage credentials in both external and internal device storage and enable or disable device unlock through a UCM plugin.
Dual Data-at-rest (DAR) Encryption (Premium) | Enable or disable Dual DAR settings for the Workspace. Applicable for devices with Dual DAR version 1.1 or above and only when Dual DAR has already been set up for the Workspace using MDM or via Knox Mobile Enrollment (KME) portal. KPE Premium license with Dual DAR add-on is needed to use this feature.
Certificate management policies (Premium) | Enable or disable certificate management settings for the device to add trusted CA certificates, disable or restrict certificates, enable certificate revocation to check the validity of certificates, etc.
Network Platform Analysis (NPA) (Premium) | Enable or disable and configure NPA clients to collect network activity data on the device. Available with KPE Premium license.
Audit Log (Premium) | Enable or disable audit logging on the device. Available with KPE Premium license.
Device Account policy (Premium) | Enable or disable device account addition policies. Available with KPE Premium license.
DeX customization profile | Customize Samsung DeX experience for the user. Set home alignment, DeX wallpaper, loading logo and screen timeout. Available with KPE Premium license.
Add application shortcuts on DeX | Add shortcuts to one or more apps on the device when the device is in DeX mode. Shortcuts work only when the DeX homescreen uses the custom grid.
Add URL shortcuts on DeX | Add shortcuts to one or more URLs on the device when the device is in DeX mode. Shortcuts work only when the DeX homescreen uses the custom grid.
Device and Settings customization profile (Premium) | Configure and customize the device user's experience. Available only with KPE Premium license with customization permissions.
Samsung keyboard controls | Enable or disable Samsung's built-in keyboard and configure the same.
Quick panel configuration | Customize Quick Settings Panel. Choose the shortcuts to be shown in the Quick Settings Panel on the device.
Lockscreen customization | Allow or disable customization of UI shortcuts available on the device’s lockscreen. Available with KPE Premium license.
Configure values in settings menu | Customize the device settings menu items that are part of the Deep Settings Customization feature. Applicable for devices with KPE Premium licenses, with Knox v3.4 and higher. Support for individual settings varies based on the device's model and OS.
VPN profiles (Premium) | Configure the VPN profile. You can define up to two VPN profiles that are used for VPN Chaining. Available with KPE Premium license.
Proxy | Configure the proxy server to be used with this VPN profile.
USB Tethering | Configure USB tethering over VPN. Ensure that USB tethering is enabled in Restrictions Profile in MDM and the USB device being connected is allowlisted. Manually allow USB tethering feature on the device.
Firewall configuration profile | Configure firewall profile. Ensure you provide the same name specified in the firewall policy section. Specify the network connections allowed or denied on the device. You can also specify when and how firewall access requests are re-routed and how traffic to and from specific domains is handled.
Manual Proxy configuration | Configure the global proxy server by entering the server name, host and port.
Proxy auto-config (PAC) | Specify the Proxy auto-config (PAC) URL, the server name, port details and authentication configurations.
APN configurations | Specify Access Point Name configurations including APN name, type, authentication type, etc. Contact your mobile service provider for the configuration details. Note: An APN configuration works on the device only when a compatible SIM card is used.
Certificate (Premium) | Configure Certificate and specify the characteristics of the certificate installation. Available with KPE Premium license.
UCM Plugin configurations (Premium) | Specify the configuration of UCM plugins that can access credential storage. Available with KPE Premium license.
NPA Data Points profile (Premium) | Enable or disable Network Platform Analytics (NPA) data points configuration at a device-wide or Work Profile level and configure NPA Data Points configuration profile. Ensure you use the name specified in the NPA profile name value. Applicable for Knox v3.3 or higher.
RCP Data Sync profile configurations (Premium) | Enable or disable RCP Policy data sync configurations at a Work Profile level. Select applications allowed to sync data and specify the data sync property you want to apply on the application.
Allowed apps for reading private keys Configurations (Premium) | Enter the Bundle IDs of apps that are allowed to access private keys configurations.
Allowed USB devices for Applications Configurations (Premium) | Specify the applications allowed to access USB Devices.
Advanced WiFi configurations (Premium) | Configure advanced Wi-Fi settings such as Wi-Fi Roam Trigger, Roam Delta, Roam Scan Period, etc.
Device Key Mapping to Launch and Exit application Configurations (Premium) | Configure Key Mapping to launch and exit the specified app.
Device Account Policy configuration | Enable or disable Device Accounts policies. Add Account and Account Type to Addition Blocklist in order to block users from adding the specified accounts.

 

  • Make use of dynamic variables to ensure that these configurations can be applied to all the users. Dynamic variables fetch the respective value that has been assigned to the device.
  • Once you have entered the values and made all the changes, click Save.
  • The profile can now be distributed to the devices and groups.

For more information, refer here.