26 Jul 2019

Knox Service Plugin: Delivers Knox features faster to end customers while eliminating integration costs for UEM partners

By Prarthna (Programmer Writer)

What is KSP Plug-In?

At MWC 2019, Samsung launched the Knox Service Plugin (KSP Plug-In). KSP Plug-In is a solution that enables customers to use Knox Platform for Enterprise (KPE) features as soon as they are commercially available, via their preferred UEM solution vendor. Knox Platform for Enterprise extends Android Enterprise by providing granular manageability, higher security, and enhanced productivity features on top of AE.

KSP Plug-In is:

  • Based on OEMConfig, supports feedback channel
  • Provides zero-day support for Knox features

KSP Plug-In helps customers:

  • Rapidly deploy existing and new Knox Platform for Enterprise features to devices using a compatible UEM, as soon as Samsung launches them. Compatible UEM partners are ones who support OEMConfig.

KSP helps UEM partners:

  • Leverage their investments by building on Android’s managed configurations (AppConfig and OEMConfig) standard
  • Avoid the repeat development cost of supporting KPE features, while making sure customers get the latest and greatest features

 

How does it work?

Put simply, the Knox Service Plugin (KSP Plug-In) is an app published by Samsung on Google Play store. It has the necessary privileges to call the KPE APIs on mobile devices on behalf of the UEM agent that is managing the device or work profile.

Customer IT Admins use their compatible UEM console to:

  • Search for the KSP Plug-In app from a managed Google Play store
  • Set up policies in the form of managed configurations
  • Publish these policies to their managed devices

The KSP Plug-In app then applies the relevant Knox policies and returns the configuration result to the UEM console.

Currently, KSP Plug-In supports KPE features like Samsung DeX management, Knox VPN, device restrictions, RCS message control, device customization controls, Common Criteria mode, firewall and proxy, biometric authentication and multi-factor authentication control, and more. Samsung rolls out new features on a monthly basis.

The KSP deployment process is as follows:

  1. The latest KSP Agent is published by Samsung to the Google Play store.
  2. IT Admins use their compatible UEM console (that supports a managed Google Play store) to search for KSP.
  3. The UEM Console renders the applicable Knox features and policies using OEM Config.
  4. IT Admins use the UEM console to set up policies in the form of Managed Configurations. These are then saved and published to their enterprises' managed devices.
  5. When a user's device is being provisioned, the UEM invokes the managed Google Play Store, which in turn installs KSP and pushes the managed configuration to the device.
  6. After installation is complete, KSP runs in the background on the device. KSP applies the relevant Knox policies and returns the result of the configuration process using Google's Feedback SDK.
  7. and 8. IT Admins can view any configuration failures and associated error messages on the UEM Console, provided the UEM is equipped to handle the result that KSP generates and sends back using the feedback SDK.

 

KSP Plug-In support

KSP Plug-In works on devices running Android Pie with Knox 3.2.1 and above. It supports Android Enterprise deployments in these modes:

  • Fully managed device (DO)
  • Work profile (PO)
  • Fully managed device with a work profile (COPE or COMP)

Samsung has worked with UEM partners to bring KSP support to our joint customers. Here is a quick look at the current status. Reach out to your UEM partner for more up-to-date information on availability across solution variants and versions.

UEM

KSP schema support

IBM MaaS360

Supported

SOTI MobiControl

Supported

MobileIron Cloud

Supported

Microsoft Intune

Supported

Vmware

Supported

Citrix

Supported

BlackBerry

Coming soon

 

Learn more

For more details, head to our KSP Admin Guide, where you will find the following: