What are the requirements for using the Knox Service Plugin (KSP) app?

Samsung Knox Service Plugin is an app for Android Enterprise devices. The functionality of the app is based on the Samsung Knox logic, which provides advanced protection and settings for Samsung Android devices. The KSP runs as a system service in the background and does not offer a user interface on the mobile device in the default configuration. Samsung devices that are managed in a Mobile Device Management (MDM) system in “Managed Device” or “Work Profile” mode are supported.

How to enroll and manage Samsung devices in Relution is described in insight Samsung KME with Android Enterprise.

Samsung recommends devices with Android 9.0 (Knox 3.2.1) and later for an ideal use of the KSP app. In the course of using the KSP app, the Knox license conditions must be agreed to.

What are the advantages of the Knox Service Plugin (KSP)?

With Samsung Knox Service Plugin, special Knox settings can be applied to Samsung devices that go beyond the standard Android functions.

The setting options and configurations are summarized by Samsung in four main categories:

    1. Basic elements
    2. Android Enterprise Managed Device (Device Owner) Policy
    3. Android Enterprise Work Profile (Profile Owner) Guidelines
    4. General configurations

Samsung offers free and paid (premium) settings options for Knox. The options offered are very diverse. Details about the different levels of available configurations can be traced via the following link: docs.samsungknox.com/dev/knox-service-plugin

The following use cases show frequently used functions:

    1. Lock device settings
    2. Set apps to blocklist (block apps on device)
    3. Prevent system updates
    4. Set global proxy (e.g. to ensure compliance with parental controls)
    5. Prevent backup with Google Cloud

How can the additional KSP settings in Relution be used?

The KSP app is selected from the Google Play Store via an Android policy and the “Manage apps” configuration and added to the policy:

To ensure that the KSP app is automatically installed on all devices, it is recommended that you force the installation by selecting the appropriate setting.

Available settings can then be administered centrally via the “Managed configuration”.

All settings of the managed configuration are displayed in an iFrame. The information is stored directly in the Android Enterprise program from Google. It should be noted that for the managed configuration of the KSP app, in addition to the general name, which must always be specified, a profile name must also be assigned.

In addition, editing the configuration must always be completed with the “Save” button within the iFrame in order to apply the information.

How to lock device settings?

To limit the misuse of Samsung devices, it is recommended to lock the settings. This prevents accidentally changing the language on the device or deactivating the WIFI, for example. Locking the device’s settings automatically disables all available settings options on the Samsung device and potentially useful functions are no longer available. Selectively locking the settings options is only possible via a paid Knox Premium license.

To completely prevent the device settings, the following settings must be made in the managed configuration of the KSP app:

    a. Activate „Enable device policy controls“

    b. Activate „Enable device restriction controls“

    c. Activate „Allow user to modify settings“

How to prevent unwanted apps from running on devices?

By default, Android Enterprise offers the option of blocking apps available via the Google Play Store, which may also be preinstalled on devices (e.g. Netflix), so that they cannot be used on the end device. The setting options for Android Enterprise are described in more detail in insight Android Enterprise managed device & work profile.

For Samsung system apps that are not available via the Google Play Store but are preinstalled on Android devices, this standard functionality cannot be used. For this purpose, the KSP app offers the option in the managed configuration to deactivate apps that are not allowed via a blocklist so that they can no longer be used on the device. This can be used, for example, for the phone, contact or gallery app. The following settings are necessary for this:

    a. Activate „Enable device policy controls“

    b. Activate „Enable application management control“

    c. Specification of the package name for unwanted apps under "Disable Application without user interaction".

Specify package names with comma separation, e.g.:

com.sec.android.app.myfiles.samsung.android.app.contacts, com.samsung.android.messaging,com.samsung.android.dialer, com.android.phone,com.android.server.telecom, com.samsung.android.app.contacts,com.sec.android.app.myfiles

How to prevent system updates?

Regular installation of system updates helps to ensure maximum security in connection with the use of mobile devices. Nevertheless, a system update can also lead to problems, for example with deployed solutions such as apps. For this reason, it is advisable to check system updates centrally and only install them on the end devices after an internal release. In this context, the KSP app offers the option of preventing system updates via the managed configuration. In this way, it is also possible to prevent students in schools from manually performing a system update during lessons.

The following settings must be made:

    a. Activate „Enable device policy controls“

    b. Activate „Enable device restriction controls“

    c. Deactivate „Firmware update (FOTA) policy“

How to enable a global proxy?

For example, a global proxy can be used as a parental control filter, especially in homeschooling, when students also access web content over the private WIFI. The setup can be done in two ways:

1. Manual Proxy configuration

    a. Activate „Enable device policy controls“

    b. Activate “Enable firewall controls” and choose setting „Use manual proxy configuration“

    c. “Manual Proxy configuration” choose setting (further down)

2. Proxy Auto-config (PAC)

    a. Activate „Enable device policy controls“

    b. Activate “Enable firewall controls” and choose „Use proxy auto-config (PAC)“

    c. “PAC (Proxy auto config) URL“ choose setting (further down)

How to prevent backup to Google Cloud?

In order to comply with the GDPR, it is important that personal data is only processed on systems that are permitted and approved for this purpose. Data protection officers therefore frequently prescribe that data storage in the Google Cloud be prevented. This also includes backups of the mobile end devices. The following setting within the managed configuration of the KSP app can be used to prevent a backup of data to the Google server:

Mobile Device & App Management with Relution

Free for up to 5 devices & 5 apps forever. No payment information required.