What's New in the Knox SDK

This section covers what is new in each release of the Knox SDK

Knox SDK 3.3 (Knox API level 28)

Samsung Knox SDK version 3.3 adds even more APIs and framework features for developers, MDMs, and users. APIs have been added to provide functionality to container encryption, Samsung DeX, and Network Analytics. Knox is built and secured at a hardware level, and with the Knox 3.3 SDK, Samsung Verified Boot now monitors and protects the boot loading.

Dual DAR

Dual Encryption allows enterprises to ensure their work data is secured with two layers of encryption, even when in a powered off or unauthenticated state. With single layer of encryption, potential flaws in the implementation may result in a single point of failure.

For more information on the new Knox 3.3 Dual DAR feature, learn how to configure a Dual DAR Workspace.

Container Only Mode (COM) deprecation

Container Only Mode is obsolete as of the Galaxy S10 or later devices.

Note: Samsung Note 9/S9 devices or earlier with COM/ CL containers will be supported throughout the life of the device. For more information, see this bulletin notice.

Knox on DeX

Samsung DeX has new features and APIs to give and restrict access using the Knox platform. For API implementation, see Samsung DeX with Knox and the Knox 3.3 API reference guide.

VPN namespace changes

With the Knox SDK v3.0 release, all apps must use the new Android namespace conventions, as described in IMPORTANT NOTICE: Changes to old Samsung Knox namespaces. The Knox VPN SDK still uses the old namespace conventions. Following the Android Q and Knox SDK 3.4 releases in the later part of 2019 or the early part of 2020, this merge requires VPN clients to update their clients to using the new namespaces. For more information on updating your VPN clients to use the new namespace, see VPN namespace changes.

VPN improvements and enhancements

Knox SDK v3.3 includes several enhancements that improve user experience and performance of VPN clients on the Knox framework. The enhancements include, but are not limited to the following: 

  1. Support multi-app tunnelling: These enhancements improve user experience when using VPN tunnels that impact more than one app at a time. As a result of these enhancements, users can connect with and start using business apps immediately after the VPN tunnel is established.
  2. Synchronize Knox events with Android networking events: These enhancements improve the performance of VPN clients by synchronizing Knox events with Android networking events. This change means that the Knox container recognizes that the VPN client is connected without any delay.
  3. Provide ongoing network flow information for NPA purposes: This new feature improves the performance of EMM-based Network Performance Assessment tools by providing information about network data flow while the connection is ongoing. This feature means admins now have the ability to configure their EMM-based NPA tools to receive network statistics while a network connection is ongoing. This functionality is especially useful in cases where network sessions last for a long time. For more information, see Configure NPA reporting.

Firewall support

Knox SDK 3.3 now supports the interaction between DomainFilter rules and Firewall policies on a specified device by introducing a new API enableDomainFilterOnIptables() that enables this new feature.

Without this feature enabled, Firewall policies can affect whitelist rules applied by Domain Filter. After enabling this API, admins can do the following use cases:

  • Use FirewallRule to block all IPs in a specified device.
  • Use the DomainFilterRule() to allow specific domains to be white listed even if the IPs are blocked using Firewall policies.

To learn more about this new feature, visit the Firewall section of the Knox SDK user guide.

Contact Storage restrictions

Take control over where device contacts are stored. Remove the risk of local contacts which can be lost and become out of sync to your cooperate enterprise. For API implementation, see contacts storage and the Knox 3.3 API reference guide.

Knox SDK 3.2.1 (Knox API level 27)

Knox SDK version 3.2.1 release has three major improvements to better improve security and device management. Firstly, new APIs have been developed for this release to allow more functionality in device management. Secondly, Knox Platform for Enterprise is built on the Android operating system, and with Knox v3.2.1 we leverage the Android Pie operating system to provide even more capabilities on a Samsung device. Finally, framework improvements have been added to the SDK to better optimize performance behind the scenes so you can focus on development.

New API overview

Class API methods and variables
BasePasswordPolicy setResetPasswordToken (ComponentName admin, byte[] token)
clearResetPasswordToken (ComponentName admin)
isResetPasswordTokenActive (ComponentName admin)
resetPasswordWithToken (ComponentName admin, String password, byte[] token, int flags)
getTrustAgentConfiguration (ComponentName admin, ComponentName agent)
setTrustAgentConfiguration (ComponentName admin, ComponentName target, PersistableBundle configuration)
EnterpriseDeviceManager getBasePasswordPolicy ()

For more information on Knox APIs see the full set of Knox API references. In addition to new Knox APIs for the Knox SDK v3.2.1 release there were also deprecated APIs. See deprecated API methods for a full list.

Certificate Provisioning

The Knox SDK features the CertificateProvisioning class, which supports IT Admins in managing certificates and keystores. Beginning with Knox 3.2.1, certificate installations with the KEYSTORE_DEFAULT flag will no longer require the user to unlock the device.

For details, see the API installCertificateToKeystore(), which allows the IT admin to silently install a CA certificate into a given keystore. To learn more about certificate provisioning, see About Keystores.


There are two major improvements to the Knox Platform for Enterprise's password class:

  • The following Android APIs now exist on the Knox Platform: setTrustAgentConfiguration and getTrustAgentConfiguration. The addition of these methods preserve the functionality of calling these APIs as device admin.
  • The following APIs have been added as an alternative to resetPassword() to allow programmatic password modification without IT admin interaction: setResetPasswordToken, clearResetPasswordToken, isResetPasswordTokenActive, and resetPasswordWithToken.

For more information on Knox passwords, see the password section of the developer guide.


The Keyboard security framework has received a major usability upgrade while maintaining security between the personal and work profiles. Unlike Android Enterprise, Knox Platform for Enterprise allows users to choose their own IME in the personal space without the risk of leakage into the work space by separating the IMEs. Learn more about this update to the keyboard framework for KPE.

VPN Enhancements

Audit Log

The Knox Generic VPN Framework enables common audit logs for VPN clients and helps non-native VPN clients meet NIAP security requirements.

To learn more about the types of events that are logged, see VPN Audit Logs.

Performance Improvement

The Knox SDK has the GenericVpnPolicy class which allows IT Admins to configure SSL/IPSEC VPN profiles on multiple devices.

This release adds a number of enhancements to VPN, including:

  • Performance optimization to increase the speed of establishing VPN connections for a large number of apps.
  • Synchronization of VPN connection and firewall configuration events. This ensures that VPN connection is established only after firewall has finished preparing for VPN mode.

UI changes

Mini launcher

The Knox SDK Release 3.2.1 removes the mini launcher used to open the Knox Workspace and replaces it with a tabbed UI view. Apps now display in two categories: Personal and Work (Knox Workspace). Users can seamlessly switch between the Personal and Work tabs on the Home page.

To learn more about the tabbed UI view, see Tabbed UI View.


The Knox SDK Release 3.2.1 includes changes that let users open the Knox Workspace Settings right from the devices's Settings.

To learn more about this change, see Workspace Settings.

Knox SDK 3.2 (Knox API level 26)

Knox SDK 3.2 introduces a variety of new features and capabilities for users and developers. This page highlights what's new for developers.

New API overview

Class API Method

public int setHomeAlignment(int mode)

public int getHomeAlignment()

addURLShortcut(int x, int y, String title, String url, ComponentName component)

addURLShortcut(int x, int y, String title, String url, String imgName, ComponentName component, ParcelFileDescriptor imgFD)

removeURLShortcut(String url, in ComponentName component);

setForegroundModePackageList(int state, in List<String> pkgList);

List<String> getForegroundModePackageList();



public int startProKioskMode(String packageName, String passCode)

public int stopProKioskMode(String passCode)


public boolean allowBLE(boolean allow)

public boolean isBLEAllowed()

public boolean allowWifiScanning(boolean allow)

public boolean isWifiScanningAllowed()

PhoneRestrictionPolicy public Bundle getRCSMessage(long id)
NetworkAnalytics public int start(String profileName, Bundle flowTypeBundle)
EnterpriseDeviceManager public static int getUserId(UserHandle handle)

public int getErrorCode()

public int getTimeout()

DeX management APIs

DeX management APIs allow you to increase productivity and decrease costs by using your Samsung Device to switch to a PC like environment with ease.

setHomeAlignment – This API allows IT Admins to modify the way apps are aligned in DeX mode. For example, you can align apps in a preferred order. This is perfect for organizations that want to set up numerous identical workstations throughout their organization.

addURLShortcut – This API allows IT Admins to add a browser shortcut with a specific URL on the DeX home screen. This is useful for enterprises that require users to access a URL frequently – for example, an internal Intranet network. A customized icon can also be displayed.

Connection APIs

In many situations, IT Admins may need to completely disable Bluetooth or Wi-Fi, and not just prevent the user from toggling it on or off. This can now be done with: allowBLE() and allowWifiScanning(). This can increase security by preventing any malicious Bluetooth or Wi-Fi attacks from remotely trigging these services usingbackground usage.

  • Turn off Wi-Fi background scanning: Use allowWifiScanning() to completely turn off Wi-Fi and Wi-Fi background scanning.
  • Turn off Bluetooth background scanning: Use allowBLE() to completely turn off Bluetooth and Bluetooth scanning.

These options are shown in the settings screen below.

Enhancement APIs


The updated ProKiosk Manager API lets you enable ProKiosk Mode without having to reboot the device. This saves IT Admins time when they have to set-up Prokiosk mode on a large batch of devices.

Class API method

public int startProKioskMode(String packageName, String passCode)

public int stopProKioskMode(String passCode)

Rich communication services (RCS) message capture API

RCS messaging is a new messaging protocol which is replaces SMS as the default messaging platform for carriers. It adds much needed features – such as group messages – and allows users to send more types of media. All of this is done over data instead of cellular network, making it very similar to current IM apps that can be downloaded from the Play Store.

Knox 3.2 allows IT Admins to capture and record RCS messages (including attachable multimedia files). For many industries, such as the financial services, the ability to record and audit sent and received messages is required by law.

GetRCSMessage allows IT Admins to:

  • Start RSC capture
  • Stop RSC capture

UCM SDK merged to Knox SDK

As of Knox 3.2, The UCM SDK will be merged into the Knox SDK. New permissions are defined to streamline the license activation flow and make using both products easier. Vendors need to implement their UCM app with these new permissions, but do not have to change any APIs.

New UCM permissions All the UCM features will be granted with this new UCM permission(KNOX_UCM_MGMT)

Knox SDK 3.1 (Knox API level 25)

DeX management APIs

Samsung DeX is a revolutionary new technology that allows users to transform their mobile devices into powerful enterprise desktop machines with a simple docking station. As DeX becomes more popular among enterprises, there is growing urgency to provide IT admins with the same degree of granular management policies available for Samsung devices as a whole. For the 3.1 release, the Knox team is providing the following DeX-specific management APIs:

Add or remove app shortcuts

This feature allows enterprises to provide even more distinctly different mobile and desktop home screen differences.

Change the Dex loading screen

Devices play a default animation while launching in DeX mode. Knox 3.1 provides APIs that allow you to add images and other branding assets to replace default Dex loading logo. Create a more customized user experience with this new DeX feature.

Control screen timeout settings

The Knox SDK provides you with the flexibility to balance security concerns with convenience. You can set a screen timeout that ranges from seconds to weeks depending on your enterprise security policies.

Enforce Ethernet data connection

This feature ensures that users are running certain productivity apps using a secure Ethernet connection by preventing them from connecting to mobile data or Wi-Fi while in DeX mode.

Prevent certain apps from running in DeX

Disable personal apps, such as social media and games, while the device is in DeX mode. These APIs don’t affect devices after they’ve been disconnected from the DeX station. For more detailed information regarding these new APIs, including requirements and sample code, see the Knox SDK Developer Guide and Knox SDK API reference.

If you want to prevent DeX mode in an enterprise setting, you also easily disable DeX with the Knox SDK.

App Permission Monitor updates

App Permission Monitor is a feature enabled by default that alerts end users when apps attempt to access a predefined permission while running in the background.

The Knox 3.1 SDK includes two new management features for the App Permission Monitor.

Enable and disable access to App Permission Monitor

By design, enterprise apps may need to constantly access certain sensitive permissions while running in the background. For the peace of mind of your users, you may want to disable App Permission Monitor.

If you want to ensure that users are conscious of apps which may be requesting device permissions while running in the background, you can also enable access to this feature.

Add or Remove specific apps from the App Permission monitor list

For security and compliance purposes, your enterprise apps may request access to permissions such as location while running in the background. For example, your app may include a geofencing feature that prevents users from using the camera while at the office. You may want to remove enterprise apps from the monitor list to distinguish them from potentially harmful third-party apps that are requesting the same types of permissions while running in the background.

Knox SDK 3.0 (Knox API level 24)

This Samsung Knox SDK v3.0 release provides significant improvements to the developer experience as well as powerful new features, which are described below.

Samsung Knox SDK

The new Samsung Knox SDK combines, refactors, and enhances these Samsung Knox SDKs:

  • Knox Standard
  • Knox Premium
  • Knox Customization
  • Knox ISV

There is now only Samsung Knox SDK package to download, one JAR library to import, one API Reference to search for API methods, and one Developer Guide describing how to use the SDK features. This new SDK also consolidates the following:

  • Version — As the merged SDKs had different SDK version numbers, the new Knox SDK uses a single 3.0 version number and Knox API level 24. The Knox API level is similar to the Android API level. Each Knox SDK version has been mapped to this Knox API level. To find the API level supported by a device, call the API method EnterpriseDeviceManager.getApiLevel. In the device Settings > Device > Software Info, the Knox version now shows this Knox API level.

  • Namespace — All Samsung Knox SDK packages, intents, and permissions now use this namespace: Previously, there were multiple namespaces, including one in the Google domain ( Unifying the namespace simplifies coding, troubleshooting, and support, and removes the possibility of future overlaps with Google.
  • Structure — API methods have been re-organized for better discoverability and renamed for consistency. The API methods that were in the generic class called MiscPolicy have been moved into more appropriate classes. Some classes have been renamed. For example, Attestation is now called AttestationPolicy for more consistency with other class names.
  • Deprecation — In the new consolidated Knox SDK, we have removed API methods that were already deprecated in the legacy Knox Standard, Premium, Customization, and ISV SDKs. We’ve also removed API methods that were duplicated across legacy SDKs or not being used as indicated by our analytics. This was to streamline the new Knox SDK and ease usability moving forward. The Knox 3.0 platform installed on devices still supports these deprecated API methods. However, we discourage using these API methods as we will likely remove support for them in the near future. For a list of the deprecated API methods, see the Samsung Knox SDK Migration Guide.

For more about updating namespaces and replacing deprecated API methods for this new consolidated Knox SDK, see the Samsung Knox SDK Migration Guide and Knox SDK Sample Apps.

Knox Platform for Enterprise (KPE) license key

Knox 3.0 uses a Beta version of a new consolidated Knox Platform for Enterprise (KPE) license key, which is designed to replace the following licenses.

  • ELM — Enterprise License Management. This license gives developers access to the enterprise-grade Knox Standard SDK.
  • ISV — Independent Software Vendor. This license gives developers access to basic security features in the Knox ISV SDK.
  • KLM — Knox License Management. This license gives developers access to paid features in the Knox Premium and Knox Customization SDKs.

There 2 types of Samsung License:

  • Development — Gives you access to all features in the Knox SDK, but only on a limited number of devices and for a limited time period. This is meant for testing purposes only. You can get this Development license through the SEAP portal.
  • Commercial — When you are ready to release an app on many devices for a longer time period, you use a Commercial license. If your app uses:
    • only free features (in other words, those that were in the Knox Standard and ISV SDKs) — You can generate a Commercial Knox Platform for Enterprise (KPE) license key from the SEAP Portal.
    • paid features (that were in Knox Premium and Knox Customization SDKs) — An authorized Knox Reseller or EMM Vendor buys Commercial licenses from the Global Samsung Business Network (GSBN). They do so on behalf of each enterprise customer so that license activations can be tracked and billed separately.

Currently, for paid features you are shipping for commercial deployment, you still need a ELM and KLM license. An KPE license will not work. This should change eventually after the KPE license is out of beta.
  • As a developer, you can generate a free Commercial ELM license from the SEAP Portal.
  • As a Knox Reseller or EMM Vendor, you buy a Commercial KLM license from GSBN for each customer.

Knox 3.0 also introduces Android-style permission declaration. You can optionally declare at a granular level the permissions that your app needs to call API methods in the Knox SDK. This is to tighten security, by limiting what an app can do. To use this new permissions model, update your Android manifest file (AndroidManifest.xml) to include these tags:

  • <meta-data>: to enable Knox selective permissions
    • For example: <meta-data android:name="" android:value="true"/>
    • not required for KPE. Optional for ELM & KLM.
  • <uses-permission>: to declare each permission used by the app
    • for example: <uses-permission android:name=""/>

Here is a sample manifest file:

To find out which permission is needed by an API method, see the Knox SDK API Reference. For example, the permission can be found in createContainer.

See also:

  • License Keys — to generate a license and see what permissions (free or paid) you get with the license
  • License Enhancements — for more about the new Knox Platform for Enterprise (KPE) license key

New Knox Workspace container architecture

We’ve updated the Knox Platform for Enterprise solution with a new Workspace container architecture to enhance user experience.

  • Knox APIs can now control Android Work profiles.
  • Android Work Profiles can easily be upgraded to Knox Workspace without wiping your device.

As part of this change, customers can leverage Knox features and APIs on Android’s Work Profile and Work Managed Device modes. The:

  • Profile Owner can activate a Knox License and leverage Knox features on Android Work Profile
  • Device Owner can activate a Knox License and leverage Knox features on Android Work Managed Device

For details, see the new container architecture page and the new container integration guide.

Network Platform Analytics

This feature enables the real-time monitoring of a network flow behaviours without granting access to all network data. Using NPA has much better privacy claims than using VPN or proxy technology alternatives to analyse traffic. In addition, NPA can provide more granular data than VPN or web proxy solutions. Management apps, such as MDM clients, can call NPA APIs to register a network analyser to collect metadata about network data flows. Once registered, the analyser then receives flow details that allow the app to analyse network patterns without exposing the analyser to sensitive network data such as plaintext passwords, business documents, or employee communications.

Knox 3.0 introduces these new features:

  • Full IPv6 support
  • DNS lookups are now associated with the app that requested them
  • Parent process hash is now included in the netflow data

For more about network data collection, see EnterpriseKnoxManager.getNetworkAnalytics and KnoxContainerManager.getNetworkAnalytics. For more about the data that can be collected, see NetworkAnalytics and NetworkAnalyticsConstants.

For more about network data collection, see EnterpriseKnoxManager.getNetworkAnalytics and KnoxContainerManager.getNetworkAnalytics. For more about the data that can be collected, see NetworkAnalytics and NetworkAnalyticsConstants.

Device Customization

The Knox SDK lets Systems Integrators develop an Android app that restricts what users can do on a device. You can configure new features as they release on new Samsung devices and Android versions. This is designed for System Integrators who need an extra level of configurability on the Samsung Android platform.

With Version 3.0 of the Knox SDK, you can configure features in the Android 8.0 Oreo release:

  • Hard key remapping (setHardKeyIntentState, getHardKeyIntentState) — Controls whether or not the pressing of a particular hard key (power, volume up, volume down, home, back, menu) broadcasts an intent, which can be handled by the registered broadcast receivers. This feature was previously supported only in ProKiosk mode, through the API package, but is now also available outside of ProKiosk mode, through
  • Home screen mode (setHomeScreenMode, getHomeScreenMode) — Selects whether a device supports:
    • Home screen only — The home screen is the only place where you can launch apps, and can't be deleted unless there are no app shortcuts on it.
    • Home screen with separate app launcher screens — The home screen page can be deleted because the app launcher screens also display all app shortcuts that are on the home screen.

Deprecated API Methods

The following API methods have been deprecated in this release:

API Class Deprecated API Method Reason


Outdated feature
SystemManager copyAdbLog
Outdated feature

The following API methods will be deprecated from the Knox SDK within a year. Please prepare to stop using these as well.

API Class To be deprecated Reason
AdvancedRestrictionPolicy enableODETrustedBootVerification
Overlap with Android APIs
RestrictionPolicy enableWearablePolicy
Low usage
SettingsManager set/getBackupRestoreState
Low usage
SystemManager getToastGravityXOffset
Low usage

Also note the following:

  • Consolidated (One) SDK — API methods were deprecated due to redundancy across SDKs or low usage. For a full list of these API methods, see the Samsung Knox SDK Migration Guide.

  • Unification — API methods were deprecated due to overlap with Android Enterprise.

For more information ...

To learn more about the Knox SDK, check out these resources: