Knox Service Plugin (KSP) is an OEMConfig app with which you can configure Samsung specific features on Knox Platform for Enterprise (KPE) enabled devices. With Mobile Device Manager Plus, IT Admins can remotely configure Samsung device settings by modifying the KSP configurations on the MDM console and distributing it to the devices.
Follow the steps given below, to configure the app with the configuration:
PARAMETER | DESCRIPTION |
Profile name |
Provide a name for the profile. |
KPE Premium License key |
Enter your Knox Platform for Enterprise (KPE) License Key. You can purchase KPE License from a Knox reseller. |
Debug Mode | Enable or disable Debug Mode to know the status of the policies distributed to the device. It is recommended to enable this only during the test phase. |
Device-wide policies (Device Owner) | Enable or disable this option to apply global group of policies and restrictions that are applicable to all users of the device. Supported in Knox 3.0 and above. |
DeX policy | Enable or disable DeX mode controls for the device, including managing DeX restrictions, and customization of the DeX experience for the user. Supported for Knox v3.1 or higher. |
Customize DeX Experience | Enable customization of DeX mode. Supported for devices running Knox v3.1 or higher with a KPE Premium license. |
DeX customization profile | Provide a DeX profile name . This profile name must match the value set as the "DeX profile name" in the DeX customization profile section. |
VPN policy (Premium) | Enable or disable VPN setup and configuration. Applicable for devices provisioned as "Device Owner" with or without a Work Profile. Applicable for all Knox versions with a KPE Premium license. |
VPN type | Choose the VPN type applicable to the apps on the device. For Device Owner devices without a Work Profile, choose between Device-wide or Selected Apps. For devices with a Work Profile, choose between Device-wide, Work Profile only or Selected Apps. |
Manage list of apps that use VPN | Enter a comma separated list of Bundle IDs of the apps that must connect to VPN. To use VPN for all apps, do not enter any app names. By default all apps will be added. |
Enable on-demand VPN | Configure VPN on-demand to allow specified apps to connect to VPN. When no apps are in use, VPN is terminated. By default, all apps use VPN on-demand. |
Manage list of apps that can bypass VPN | Enter a comma-separated list of Bundle IDs to specify apps that can bypass VPN connections. To allow all apps to use the VPN, do not enter any app names. |
Firewall and Proxy policy | Enable or disable policies for firewall setup and configuration. Applicable for all Knox versions. Enter the name of the primary firewall configuration profile that apps can use for network connections. |
Enable Proxy on device | Enable or disable a global proxy on a device that routes all internet traffic through the specified proxy server. You can provide a proxy server address or a proxy auto-config (PAC) file. |
Call and Messaging control | Enable or disable the phone call and text messaging functionality on the device. |
Manage RCS messaging | Enable or disbale RCS (Rich Communication Services) to allow messaging to be more interactive with features such as group chats, video, audio, and high-resolution images. |
Set disclaimer text for messages | Set a disclaimer text limited to 30 characters, with all the outgoing SMS and MMS from the device. |
Device Restrictions | Allow or block specific operations such as Microphone, WiFi, Bluetooth, Cellular data, Camera, etc., on the user's device. Supported in Knox v2.7 or higher with a Standard license. |
Tethering controls | Allow or block types of tethering such as WiFi, USB and Bluetooth tethering on the device |
Advanced Restrictions policy (Premium) | Manage advanced restriction policies such as WiFi scanning, Remote Control, dual SIM operation, etc. A KPE Premium license is required for all policies in this group. |
Firmware update (FOTA) policy | Allow or block firmware updates using Firmware-Over-The-Air (FOTA). Applicable for Knox v2.0 or higher. |
Password policy | Manage password policies and set up password restrictions on the device, including enabling or disabling biometric or multi-factor authentication methods to log in to the device. |
Application management policies | Enable or disable advanced application management settings. Allow or exempt applications from battery usage optimizations or from showing notifications on the status bar. |
Device Admin whitelisting | Allow Device Administrator (DA) privileges to the specified apps when KSP is installed on the device. By default, DA level access is blocked for all apps. KSP cannot deactivate DA level access for an app that is already activated before KSP is installed. |
Device customization controls | Allow customization of the device user interface. Applicable for KPE Premium license with Customization permissions. |
Device controls | Manage device controls, such as APN settings, NFC, WiFi, Bluetooth policies, etc. |
Device Key Mapping (Premium) | Enable or disable this option to map hardware keys to specific actions. |
Enterprise Billing Policy (Premium) | Enable or disable separate bill generation for personal and enterprise data usage, accomplished by routing respective traffic through 2 different APNs on a device. Before enabling, verify if Enterprise billing is supported by your network operator. |
Universal Credential Manager policy (Premium) | Manage credentials in both external and internal device storage and enable or disable device unlock through a UCM plugin. |
Certificate management policies (Premium) | Enable or disable certificate management settings for the device. You can add trusted CA certificate, disable or restrict certificates, enable certificate revocation to check the validity of certificates, etc. |
Work profile policies (Profile Owner) | Enable to apply policies and restrictions to the Work Profile on the device. Restrict or allow addings apps from personal space to Work Profile and vice versa. You can also customize Work Profile and personal tab name. |
RCP policy (Premium) | Configure application-level policies for syncing data within a Work Profile container. Allow or restrict moving files from personal space to Work Profile and vice versa. |
VPN policy (Premium) | Configure VPN for the apps in the Work Profile. Applicable for all Knox versions with KPE Premium license. |
Firewall policy (Premium) | Configure Firewall for the apps in the Work Profile. Applicable for all Knox versions. |
Restrictions in work profile (Premium) | Allow or block microphone, Camera or Share Via in the Work Profile. Applicable for Knox v2.7 or higher with a Standard license. |
Advanced restrictions in work profile (Premium) | Manage advanced restriction policies such as remote control on the Work Profile. |
Password policies (Premium) | Configure password policies for the Work Profile, including enabling or disabling biometric authentication, enforcing passcode change and defining password complexity. |
Application management policies (Premium) | Configure policies and manage applications inside the Work Profile on the device. |
Device Admin whitelisting (Premium) | Manage Device Administrator (DA) privileges to specific apps in the Work Profile, when KSP is launched on the device. By default, DA level access is blocked for all apps. KSP cannot deactivate DA level access for an app that is already activated before KSP is launched. |
Enterprise Billing policy (Premium) | Enable or disable separate bill generation for personal and enterprise data usage, accomplished by routing respective traffic through 2 different APNs on a device. Before enabling, verify if Enterprise billing is supported by your network operator. |
Universal Credential Manager policy (Premium) | Manage credentials in both external and internal device storage and enable or disable device unlock through a UCM plugin. |
Dual Data-at-rest (DAR) Encryption (Premium) | Enable or disable Dual DAR settings for the Workspace. Applicable for devices with Dual DAR version 1.1 or above and only when Dual DAR has already been setup for the Workspace using MDM or via Knox Mobile Enrollment (KME) portal. KPE Premium license with Dual DAR add-on is needed to use this feature. |
Certificate management policies (Premium) | Enable or disable certificate management settings for the device to add trusted CA certificate, disable or restrict certificates, enable certificate revocation to check the validity of certificates, etc. |
Network Platform Analysis (NPA) (Premium) | Enable or disable and configure NPA clients to collect network activity data on the device. Available with KPE Premium license. |
Audit Log (Premium) | Enable or disable audit logging on the device. Available with KPE Premium license. |
Device Account policy (Premium) | Enable or disable device account addition policies. Available with KPE Premium license. |
DeX customization profile | Customize Samsung DeX experience for the user. Set home alignment, DeX wallpaper, loading logo and screen timeout. Available with KPE Premium license. |
Add application shortcuts on DeX | Add shortcuts to one or more apps on the device when the device is in DeX mode. Shortcuts work only when the DeX homescreen uses the custom grid. |
Add URL shortcuts on DeX | Add shortcuts to one or more URLs on the device when the device is in DeX mode. Shortcuts work only when the DeX homescreen uses the custom grid. |
Device and Settings customization profile (Premium) | Configure and customize the device user's experience. Available only with KPE Premium license with customization permissions. |
Samsung keyboard controls | Enable or disable Samsung's built-in keyboard and configure the same. |
Quick panel configuration | Customize Quick Settings Panel. Choose the shortcuts to be shown in the Quick Settings Panel on the device. |
Lockscreen customization | Allow or disable customization of UI shortcuts available on the device’s lockscreen. Available with KPE Premium license. |
Configure values in settings menu | Customize the device settings menu that are part of the Deep Settings Customization feature. Applicable for devices with KPE Premium licenses, with Knox v3.4 and higher. Support for individual settings varies based on the device's model and OS. |
VPN profiles (Premium) | Configure the VPN profile. You can define up to two VPN profiles that are used for VPN Chaining. Available with KPE Premium license. |
Proxy | Configure the proxy server to be used with this VPN profile. |
USB Tethering | Configure USB tethering over VPN. Ensure that USB tethering is enabled in Restrictions Profile in MDM and the USB device being connected is allowlisted. Manually allow USB tethering feature on the device. |
Firewall configuration profile | Configure firewall profile. Ensure you provide the same name specified in the firewall policy section. Specify the network connections allowed or denied on the device. You can also specify when and how firewall access requests are re-routed and how traffic to and from specific domains is handled. |
Manual Proxy configuration | Configure the global proxy server by entering the server name, host and port. |
Proxy auto-config (PAC) | Specify the Proxy auto-config (PAC) URL, the server name, port details, authentication configurations |
APN configurations | Specify Access Point Name configurations including APN name, type, authentication type, etc. Contact your mobile service provider for the configuration details. Note: An APN configuration works on the device only when a compatible SIM card is used. |
Certificate (Premium) | Configure Certificate and specify the characteristics of the certificate installation. Available with KPE Premium license. |
UCM Plugin configurations (Premium) | Specify the configuration of UCM plugins that can access credential storage. Available with KPE Premium license. |
NPA Data Points profile (Premium) | Enable or disable Network Platform Analytics (NPA) data points configuration at a device-wide or Work Profile level and configure NPA Data Points configuration profile. Ensure you use the name specified in the NPA profile name value. Applicable for Knox v3.3 or higher. |
RCP Data Sync profile configurations (Premium) | Enable or disable RCP Policy data sync configurations at a Work Profile level. Select applications allowed to sync data and specify data sync property you want to apply on the application. |
Allowed apps for reading private keys Configurations (Premium) | Enter the Bundle IDs of apps that are allowed to access private keys configurations. |
Allowed USB devices for Applications Configurations (Premium) | Specify the applications allowed to access USB Devices. |
Advanced WiFi configurations (Premium) | Configure advanced Wi-Fi settings such as Wi-Fi Roam Trigger, Roam Delta, Roam Scan Period, etc. |
Device Key Mapping to Launch and Exit application Configurations (Premium) | Configure Key Mapping to launch and exit the specified app. |
Device Account Policy configuration | Enable or disable Device Accounts policies. Add Account and Account Type to Addition Blocklist in order to block users from adding the specified accounts. |
For more information, refer here.