Samsung Knox Service Plugin is an app for Android Enterprise devices. The functionality of the app is based on the Samsung Knox logic, which provides advanced protection and settings for Samsung Android devices. The KSP runs as a system service in the background and does not offer a user interface on the mobile device in the default configuration. Samsung devices that are managed in a Mobile Device Management (MDM) system in “Managed Device” or “Work Profile” mode are supported.
How to enroll and manage Samsung devices in Relution is described in Insight Samsung KME with Android Enterprise.
Samsung recommends devices with Android 9.0 (Knox 3.2.1) and later for an ideal use of the KSP app. In the course of using the KSP app, the Knox license conditions must be agreed to.
With Samsung Knox Service Plugin, special Knox settings can be applied to Samsung devices that go beyond the standard Android functions.
The setting options and configurations are summarized by Samsung in four main categories:
Samsung offers free and paid (premium) settings options for Knox. The options offered are very diverse. Details about the different levels of available configurations can be traced via the following link: docs.samsungknox.com/dev/knox-service-plugin
The following use cases show frequently used functions:
The KSP app is selected from the Google Play Store via an Android policy and the “Manage apps” configuration and added to the policy:
To ensure that the KSP app is automatically installed on all devices, it is recommended that you force the installation by selecting the appropriate setting.
Available settings can then be administered centrally via the “Managed configuration”.
All settings of the managed configuration are displayed in an iFrame. The information is stored directly in the Android Enterprise program from Google. It should be noted that for the managed configuration of the KSP app, in addition to the general name, which must always be specified, a profile name must also be assigned.
In addition, editing the configuration must always be completed with the “Save” button within the iFrame in order to apply the information.
To limit the misuse of Samsung devices, it is recommended to lock the settings. This prevents accidentally changing the language on the device or deactivating the WIFI, for example. Locking the device’s settings automatically disables all available settings options on the Samsung device and potentially useful functions are no longer available. Selectively locking the settings options is only possible via a paid Knox Premium license.
To completely prevent the device settings, the following settings must be made in the managed configuration of the KSP app:
By default, Android Enterprise offers the option of blocking apps available via the Google Play Store, which may also be preinstalled on devices (e.g. Netflix), so that they cannot be used on the end device. The setting options for Android Enterprise are described in more detail in Insight Android Enterprise managed device & work profile.
For Samsung system apps that are not available via the Google Play Store but are preinstalled on Android devices, this standard functionality cannot be used. For this purpose, the KSP app offers the option in the managed configuration to deactivate apps that are not allowed via a blocklist so that they can no longer be used on the device. This can be used, for example, for the phone, contact or gallery app. The following settings are necessary for this:
Specify package names with comma separation, e.g.:
com.sec.android.app.myfiles.samsung.android.app.contacts, com.samsung.android.messaging,com.samsung.android.dialer, com.android.phone,com.android.server.telecom, com.samsung.android.app.contacts,com.sec.android.app.myfiles
Regular installation of system updates helps to ensure maximum security in connection with the use of mobile devices. Nevertheless, a system update can also lead to problems, for example with deployed solutions such as apps. For this reason, it is advisable to check system updates centrally and only install them on the end devices after an internal release. In this context, the KSP app offers the option of preventing system updates via the managed configuration. In this way, it is also possible to prevent students in schools from manually performing a system update during lessons.
The following settings must be made:
For example, a global proxy can be used as a parental control filter, especially in homeschooling, when students also access web content over the private WIFI. The setup can be done in two ways:
In order to comply with the GDPR, it is important that personal data is only processed on systems that are permitted and approved for this purpose. Data protection officers therefore frequently prescribe that data storage in the Google Cloud be prevented. This also includes backups of the mobile end devices. The following setting within the managed configuration of the KSP app can be used to prevent a backup of data to the Google server: