TinyMDM, validated Samsung KVP partner, seamlessly integrates Knox Service Plugin (KSP)

samsung KVP

A. Everything you need to know about KSP

What is Knox Service Plugin?

Knox Service Plugin (KSP) is an OEMConfig application with which you can configure Samsung-specific features on Knox Platform for Enterprise (KPE) on devices compatible with KPE. Because TinyMDM is an approved Samsung Knox Validated Partner (KVP), IT administrators can remotely configure Samsung device settings by modifying KSP configurations in the security policies and distributing them to devices. TinyMDM offers integration with Knox Service Plugin that allows users to experience over-the-air deployment and updates in Samsung devices. KSP plugin can be added for free on your TinyMDM account, on demand, then all the Samsung-specific features, even the premium ones, will be available for free.

Knox Service Plugin pre-requisites

  • KSP is compatible with Samsung devices that support Knox and run Android 9.0 (Knox 3.2.1) or higher. You can also use devices running Android 8.0 (Knox v3.x) if you use them in a fully managed device (DO) deployment.
  • A valid Knox Platform for Enterprise (KPE) license.

How to get a license key for free?

If you want to use a KSP plugin option that is marked as “Premium” in the configuration, you need a KPE Premium key. This key is free of charge. To get it, you need to ask a reseller to generate a KPE premium key for you: either you create a Samsung KPE account, or your reseller can do it for you. The list of possible resellers is available here, and you have to check “Knox Platform for Enterprise” in the left menu. Then you have to fill in the “samsungknox form” to get access to the KPE license.

What are the key features of KSP?

The app settings and configurations are summarized to four categories: Basic Elements, Device Wide Policies, Work Profile Policies (Profile Owner) and Common Configurations. Amongst the main features present in KSP:

  • Security: User authentication methods, multi-factor authentication, certificate management and DualDAR data encryption
  • Connections: Wi-Fi, Bluetooth, cellular data, tethering, USB, developer mode, NFC, APN, enterprise billing and global proxy
  • VPN: VPN providers, types and chaining, device scope, bypass, proxy and UID/PID metadata
  • App Management: Notifications, battery optimization and whitelisted device admins
  • Customization: Quick panel, battery protection and app suggestions
  • Firmware Updates: Over-The-Air updates, over Wi-Fi updates and recovery mode
  • Restrictions: Power and data saver modes, external storage encryption, Dual SIMs, Microphone, Sharing, common criteria and remote control
  • Samsung-Dex:Ethernet/MAC connection, bootup experience, desktop layout, apps available, app launch, shortcuts and DeX panel

B. Configure KSP in your TinyMDM account

How to start using KSP in your security policies?

1) Once KSP has been activated on your account (available on demand to the support or the sales team, for free, no matter the plan you are on), log in to your TinyMDM account and click on the icon to edit one of your policies.
2) Scroll down at the very bottom of the policy until you see the Samsung Knox additional controls block.
3) Click on Approve the App Knox Service Plugin button. This will automatically approve and install the Samsung Knox Plugin application in this policy.

approve KSP plugin

4) Enter the profile name of your configuration and if you have one, your KPE premium ou Knox Suite License key.
5) Enable Debug Mode (it will enable the debug mode of the KSP app, not of the devices themselves).
6) Navigate the KSP configuration and make your changes. No need to save, everything you do is saved automatically. If you need to delete a configuration and go back to the default config, click on the icon . If you have any interrogation about the purpose of some settings, just hover the title or the text to have more information.

samsung KSP plugin

A few useful examples

Example 1, forbid Wi-Fi scanning or Bluetooth scanning on the devices:

– Check the box Enable device policy controls under the part Device-wide policies (Selectively applicable to Fully Manage Device (DO) or Work Profile-on company owned devices (WP-C) mode as noted) in order to activate the block.
– Also check the box Enable Advanced Restrictions controls in the sub-part Advanced Restriction policies (Premium) in order to activate the sub-part.
– Then you can untick the boxes Allow Wi-Fi scanning and Allow Bluetooth scanning in order to forbid those.

samsung KSP plugin

Example 2, turn off the devices after a certain inactivity timeout

– Check the box Enable device policy controls under the part Device-wide policies (Selectively applicable to Fully Manage Device (DO) or Work Profile-on company owned devices (WP-C) mode as noted) in order to activate the block.
– Open the sub-part Device Controls and the sub-sub-part Battery Optimization (Premium).
– Check the box Enable battery optimization and enter the duration of inactivity before shutting down the devices, in seconds (minimum 600sec which is 10min).

samsung KSP plugin

Example 3, hide some settings in the Setting app

– Check the box Enable device policy controls under the part Device-wide policies (Selectively applicable to Fully Manage Device (DO) or Work Profile-on company owned devices (WP-C) mode as noted) in order to activate the block.
– Open the sub-part Device settings (premium) and check the box Enable device settings controls in order to activate the sub-part.
– Check the boxes of the parts you want to hide in the Settings app of the devices (Hide Back and Reset, Hide Settings Wi-Fi…).

samsung KSP plugin

And many more! If you have any questions, please have a look at the Samsung Documentation. If you feel something is not working the way it’s supposed to, don’t hesitate to contact our support team through the Support tab of your TinyMDM account.

Before setting up your configuration, please note the following recommendations:

  • These options are provided by the manufacturer, Samsung, and are not managed directly by TinyMDM. We will therefore not be able to take into account requests to add new options or changes in the organization or language of the options.
  • Some of these Samsung options are identical to options already present in the TinyMDM policy you’re used to (e.g. the ability to disable Bluetooth use). Please do not set these options in the Samsung configuration to avoid conflicts on your devices.
  • Many of these Samsung options can be used to block important device settings. We therefore urge you to use them with caution, bearing in mind that if a device is no longer connected to the Internet and these options cannot be restored to their original state, the device will be unusable. As these options are not managed directly by TinyMDM, we cannot intervene to unblock a device in this situation.