XenMobile Server

Samsung Knox

Samsung offers several solutions that are compatible with the XenMobile Server.

  • XenMobile supports and extends Samsung Knox policies on compatible Samsung devices.
  • The Knox Service plug-in (KSP) is an app that supports a subset of Knox Platform for Enterprise (KPE) features. For information from Samsung about KPE, see Configure Knox Platform for Enterprise and Overview.

You can configure XenMobile to query the Samsung Knox attestation server REST APIs.

Samsung Knox uses hardware security capabilities that provide multiple levels of protection for the operating system and applications. One level of this security is at the platform through attestation. An attestation server provides verification of the mobile device core system software (for example, the boot loaders and kernel). The verification occurs at runtime based on data collected during trusted boot.

  1. In the XenMobile web console, click the gear icon in the upper-right corner. The Settings page appears.

  2. Under Platforms, click Samsung KNOX. The Samsung KNOX page appears.

    Image of the Samsung Knox page

  3. In Enable Samsung KNOX attestation, select whether to enable Samsung Knox attestation. The default is NO.

  4. When you set Enable Samsung KNOX attestation, to YES, the Web service URL option is enabled. Then, in the list, do one of the following:

    • Click the appropriate attestation server.

    • Click Add new and then enter the Web service URL.

  5. Click Test Connection to verify the connection. A success or failure message appears.

  6. Click Save.

Note:

You can use Samsung Knox Mobile Enrollment to enroll multiple Samsung Knox devices into XenMobile (or any mobile device manager) without manually configuring each device. For information, see Samsung Knox bulk enrollment.

Add the Knox service plug-in app

If you plan on using Android Enterprise with Knox, add the Knox service plug-in (KSP) to XenMobile. The KSP app uses AndroidOEMConfig to support features such as security policies, flexible VPN configuration, and biometric authentication controls. AndroidOEMConfig enables OEMs and endpoint mobility managers (EMM) to support custom OEM APIs. Those APIs cover use cases not supported through Android Enterprise.

For more information on KSP, see the Knox Service Plugin Guide.

  1. Sign in to your Google account and navigate to https://play.google.com/work/apps/details?id=com.samsung.android.knox.kpu. Approve the Knox Service Plug-in app.
  2. Sign in to your XenMobile console and add the Knox service plug-in as a public app store app. For more information on adding public app store apps, see Add a public app store app. The KSP app
  3. In your XenMobile console, navigate to Configure > Device policies. Click Add.
  4. Click Managed Configurations. In the dialog that comes up, select Knox Service Plugin from the menu. For more information on the Managed configuration policy, see Managed configurations policy.
  5. Type a name for the policy then continue to the platform page. Android Enterprise managed configuration Knox service plug-in policy
  6. On the platform page, type a Profile name for your Knox profile and input the KPE Premium License key from Samsung. The policies that appear below these fields come from your Knox deployment. For more information on Knox policies, see the Knox Service Admin Plug-in Guide referenced earlier in this section. Policy pickers
  7. Click Next and configure the deployment rules for the policy.
  8. Click Save.
Samsung Knox