Setup Knox Service Plugin – KSP

TinyMDM, validated Samsung KVP partner, seamlessly integrates Knox Service Plugin (KSP)

A. Everything you need to know about KSP

1. What is Knox Service Plugin?

Knox Service Plugin (KSP) is an OEMConfig application with which you can configure Samsung-specific features on Knox Platform for Enterprise (KPE) on devices compatible with KPE. Because TinyMDM is an approved Samsung Knox Validated Partner (KVP), IT administrators can remotely configure Samsung device settings by modifying KSP configurations in the policies and distributing them to devices. TinyMDM offers integration with Knox Service Plugin that allows users to experience over-the-air deployment and updates in Samsung devices.

Just ask your TinyMDM contact or the technical support team to activate the KSP option on your account. This option is added free of charge upon request.

2. Knox Service Plugin pre-requisites

KSP is compatible with Samsung devices that support Knox and run Android 9.0 (Knox 3.2.1) or higher. You can also use devices running Android 8.0 (Knox v3.x) if you use them in a fully managed device (DO) deployment.

3. What are the key features of KSP?

We summarize the app settings and configurations into four categories: Basic Elements, Device Wide Policies, Work Profile Policies (Profile Owner), and Common Configurations. Amongst the main features present in KSP:

  • Security: User authentication methods, multi-factor authentication, certificate management and DualDAR data encryption
  • Connections: Wi-Fi, Bluetooth, cellular data, tethering, USB, developer mode, NFC, APN, enterprise billing and global proxy
  • VPN: VPN providers, types and chaining, device scope, bypass, proxy and UID/PID metadata
  • App Management: Notifications, battery optimization and whitelisted device admins
  • Customization: Quick panel, battery protection and app suggestions
  • Firmware Updates: Over-The-Air updates, over Wi-Fi updates and recovery mode
  • Restrictions: Power and data saver modes, external storage encryption, Dual SIMs, Microphone, Sharing, common criteria and remote control
  • Samsung-Dex:Ethernet/MAC connection, bootup experience, desktop layout, apps available, app launch, shortcuts and DeX panel

B. Configure KSP in your TinyMDM account

1. How to start using KSP in your policies

1) Ask the support or sales team to activate KSP on your account. KSP is available on demand, for free, no matter the plan you are on.

2) Log in to your TinyMDM account, go to the Policies tab and click on Edit to modify the policy of your choice:

3) Scroll down at the very bottom of the policy until you see the Samsung Knox additional controls block.

4) Click on Approve the App Knox Service Plugin button. This will automatically approve and install the Samsung Knox Plugin application in this policy.

KNOX

5) Enter the profile name of your configuration and if you have one, your KPE premium ou Knox Suite License key but it is not mandatory to use the features.

Note: a KPE premium key is only mandatory if your devices are running Android 12 or older versions AND you want to use the premium features. On devices running Android 13 or newer versions, premium features are available without entering a KPE premium key.

6) Enable Debug Mode (it will enable the debug mode of the KSP app, not of the devices themselves).

7) Navigate the KSP configuration and make your changes. No need to save, everything you do is saved automatically. If you need to delete a configuration and go back to the default config, click on the icon . If you have any interrogation about the purpose of some settings, just hover the title or the text to have more information.

KSP plugin

2. A few useful examples

Example 1, forbid Wi-Fi scanning or Bluetooth scanning on the devices:
  • Check the box Enable device policy controls under the part Device-wide policies (Selectively applicable to Fully Manage Device (DO) or Work Profile-on company owned devices (WP-C) mode as noted) in order to activate the block.
  • Also check the box Enable Advanced Restrictions controls in the sub-part Advanced Restriction policies (Premium) in order to activate the sub-part.
  • Then you can untick the boxes Allow Wi-Fi scanning and Allow Bluetooth scanning in order to forbid those.
ksp example
Example 2, turn off the devices after a certain inactivity timeout
  • Check the box Enable device policy controls under the part Device-wide policies (Selectively applicable to Fully Manage Device (DO) or Work Profile-on company owned devices (WP-C) mode as noted) in order to activate the block.
  • Open the sub-part Device Controls and the sub-sub-part Battery Optimization (Premium).
  • Check the box Enable battery optimization and enter the duration of inactivity before shutting down the devices, in seconds (minimum 600sec which is 10min).
ksp example
Example 3, hide some settings in the Settings app
  • Check the box Enable device policy controls under the part Device-wide policies (Selectively applicable to Fully Manage Device (DO) or Work Profile-on company owned devices (WP-C) mode as noted) in order to activate the block.
  • Open the sub-part Device settings (premium) and check the box Enable device settings controls in order to activate the sub-part.
  • Check the boxes of the parts you want to hide in the Settings app of the devices (Hide Back and Reset, Hide Settings Wi-Fi…).
ksp example

And many more! If you have any questions, please have a look at the Samsung Documentation. If you feel something is not working the way it’s supposed to, don’t hesitate to contact our support team through the Support tab of your TinyMDM account.

Before setting up your configuration, please note the following recommendations:

  • These options are provided by the manufacturer, Samsung, and are not managed directly by TinyMDM. We will therefore not be able to take into account requests to add new options or changes in the organization or language of the options.
  • Some of these Samsung options are identical to options already present in the TinyMDM policy you’re used to (e.g. the ability to disable Bluetooth use). Please do not set these options in the Samsung configuration to avoid conflicts on your devices.
  • Many of these Samsung options can be used to block important device settings. We therefore urge you to use them with caution, bearing in mind that if a device is no longer connected to the Internet and these options cannot be restored to their original state, the device will be unusable. As these options are not managed directly by TinyMDM, we cannot intervene to unblock a device in this situation.