Setup Knox Service Plugin – KSP

TinyMDM, validated Samsung KVP partner, seamlessly integrates Knox Service Plugin (KSP)

A. Everything you need to know about KSP

1. What is Knox Service Plugin?

Knox Service Plugin (KSP) is an OEMConfig application with which you can configure Samsung-specific features on Knox Platform for Enterprise (KPE) on devices compatible with KPE. Because TinyMDM is an approved Samsung Knox Validated Partner (KVP), IT administrators can remotely configure Samsung device settings by modifying KSP configurations in the policies and distributing them to devices. TinyMDM offers integration with Knox Service Plugin that allows users to experience over-the-air deployment and updates in Samsung devices. ou can add the KSP plugin for free to your TinyMDM account on demand, and then you will have access to all the Samsung-specific features, including the premium ones, for free.

2. Knox Service Plugin pre-requisites

• KSP is compatible with Samsung devices that support Knox and run Android 9.0 (Knox 3.2.1) or higher. You can also use devices running Android 8.0 (Knox v3.x) if you use them in a fully managed device (DO) deployment.

• A valid Knox Platform for Enterprise (KPE) license.

3. How to get a license key for free?

If you want to use a KSP plugin option that is marked as “Premium” in the configuration, you need a KPE Premium key. This key is free of charge. To get it, you need to ask a reseller to generate a KPE premium key for you: either you create a Samsung KPE account, or your reseller can do it for you. The list of possible resellers is available here, and you have to check “Knox Platform for Enterprise” in the left menu. Then you have to fill in the “samsungknox form” to get access to the KPE license.

4. What are the key features of KSP?

We summarize the app settings and configurations into four categories: Basic Elements, Device Wide Policies, Work Profile Policies (Profile Owner), and Common Configurations. Amongst the main features present in KSP:

• Security: User authentication methods, multi-factor authentication, certificate management and DualDAR data encryption
• Connections: Wi-Fi, Bluetooth, cellular data, tethering, USB, developer mode, NFC, APN, enterprise billing and global proxy
• VPN: VPN providers, types and chaining, device scope, bypass, proxy and UID/PID metadata
• App Management: Notifications, battery optimization and whitelisted device admins
• Customization: Quick panel, battery protection and app suggestions
• Firmware Updates: Over-The-Air updates, over Wi-Fi updates and recovery mode
• Restrictions: Power and data saver modes, external storage encryption, Dual SIMs, Microphone, Sharing, common criteria and remote control
• Samsung-Dex:Ethernet/MAC connection, bootup experience, desktop layout, apps available, app launch, shortcuts and DeX panel

B. Configure KSP in your TinyMDM account

1. How to start using KSP in your policies

1) Once KSP has been activated on your account (available on demand to the support or the sales team, for free, no matter the plan you are on), log in to your TinyMDM account and click on the icon to edit one of your policies.

2) Scroll down at the very bottom of the policy until you see the Samsung Knox additional controls block.

3) Click on Approve the App Knox Service Plugin button. This will automatically approve and install the Samsung Knox Plugin application in this policy.

4) Enter the profile name of your configuration and if you have one, your KPE premium ou Knox Suite License key.

5) Enable Debug Mode (it will enable the debug mode of the KSP app, not of the devices themselves).

6) Navigate the KSP configuration and make your changes. No need to save, everything you do is saved automatically. If you need to delete a configuration and go back to the default config, click on the icon . If you have any interrogation about the purpose of some settings, just hover the title or the text to have more information.

2. A few useful examples

Example 1, forbid Wi-Fi scanning or Bluetooth scanning on the devices:

– Check the box Enable device policy controls under the part Device-wide policies (Selectively applicable to Fully Manage Device (DO) or Work Profile-on company owned devices (WP-C) mode as noted) in order to activate the block.
– Also check the box Enable Advanced Restrictions controls in the sub-part Advanced Restriction policies (Premium) in order to activate the sub-part.
– Then you can untick the boxes Allow Wi-Fi scanning and Allow Bluetooth scanning in order to forbid those.

Example 2, turn off the devices after a certain inactivity timeout

– Check the box Enable device policy controls under the part Device-wide policies (Selectively applicable to Fully Manage Device (DO) or Work Profile-on company owned devices (WP-C) mode as noted) in order to activate the block.
– Open the sub-part Device Controls and the sub-sub-part Battery Optimization (Premium).
– Check the box Enable battery optimization and enter the duration of inactivity before shutting down the devices, in seconds (minimum 600sec which is 10min).

Example 3, hide some settings in the Setting app

– Check the box Enable device policy controls under the part Device-wide policies (Selectively applicable to Fully Manage Device (DO) or Work Profile-on company owned devices (WP-C) mode as noted) in order to activate the block.
– Open the sub-part Device settings (premium) and check the box Enable device settings controls in order to activate the sub-part.
– Check the boxes of the parts you want to hide in the Settings app of the devices (Hide Back and Reset, Hide Settings Wi-Fi…).

And many more! If you have any questions, please have a look at the Samsung Documentation. If you feel something is not working the way it’s supposed to, don’t hesitate to contact our support team through the Support tab of your TinyMDM account.