11 May 2017

Licensing enhancements with Knox 2.8

By Maruthi (Technical Writer)

With the Knox 2.8 release, we are happy to introduce the Beta release of a new type of license key called the Samsung Knox License (SKL). This new license type was designed based on partner feedback on our existing licensing. The new license type offers these benefits:

  • Easier to use - The new entitlement-based license replaces the existing ELM, ISV, and KLM license keys. SKL is a single license key which can be used with any Knox SDK. This simplifies the license management as you need to request, manage, and activate only a single key. With the current Beta release, you can use the Samsung Knox License only with the Android version of the Knox Standard SDK. That is, the Samsung Knox License entitles you to call API methods in that SDK only.
  • More secure - As with the existing ELM and ISV licenses, you can identify which apps are allowed to activate a Samsung Knox License. When an app activates the license on a Samsung Knox device, a licensing agent on the device checks with a web-based license server to ensure that the app was previously registered to activate the license. If the app was not, it will be denied access to the SDK API methods granted for the license. This helps to avoid misuse of your Samsung Knox License by malicious attackers.

How the licenses work

Our license management provides specific rights or permissions to use certain features of a Knox SDK. With the existing Knox licensing, we provided a static set of permissions, which was tightly coupled with a license key type, but we are trying to provide a more flexible and secure entitlement scheme with Knox 2.8 onwards.

By registering app information in the Knox 2.8 release, we can secure the use of issued licenses. Later, we are planning a way for you to select the permissions you want to use at a more granular level. You can select these permissions in your app manifest.xml, which aligns better with Google’s method for getting permissions.

How to get a Samsung Knox License

You can place a license order through the SEAP license dashboard. For security purposes, you identify the app that will use the license key by providing the app package (APK) name and hash value of the public key used to sign the APK. To do this, you can either:

  • upload the app, and let the SEAP portal extract the package name and hash key (we do not keep the app)
  • manually enter the information yourself, using a public key extractor to get an app’s hash key

To get a production license to commercialize your app, you must provide this app information. But to get a development license to create and test your app, this app information is optional.

Once you get a Samsung Knox License (SKL) key, you code your app to call a Samsung API method that activates this key. You can later use the SEAP portal to request additional access as needed.

Key points to remember

  • For Knox 2.8, the SKL key is only for Android version of the Knox Standard SDK.
  • You must provide app package name and hash key to get a production SKL key. This is optional for a development SKL key.
  • You can continue to use the legacy ELM and KLM keys that are already issued. They will still work in the new licensing entitlement model. However, we will eventually stop issuing these legacy keys and instead provide backward-compatible keys.
  • Samsung Knox devices running Knox 2.7 or earlier must activate both a backward-compatible ELM key and the SKL key. These older devices have an earlier licensing agent that doesn’t request license permissions until you activate an ELM license. In this case, the backward-compatible ELM key has no permissions on its own.
  • Samsung Knox devices running Knox 2.8 onwards activate only the SKL key. 

Next steps

For more information, see: