What’s new in Knox 3.6

What’s new in Knox 3.6

12 Aug 2020
By Wendy Lee

The newly launched Samsung Galaxy Note20 and Note20 Ultra provide many cool and compelling features for enterprises adapting to new ways of working. Embedded in these Note20s is the new Samsung Knox 3.6 platform, which extends Samsung's commitment to help you customize and secure enterprise devices and lead through differentiated solutions.

As with past releases, new Knox features are offered through either the:

  • Knox Service Plugin (KSP), which provides new features on the day of release to IT admins, or
  • Knox SDK, which provides more powerful programmatic control to developers creating app solutions

Let’s find out more about the new Knox 3.6 features!


XCover Pro hardware keys

Get the most out of the new ruggedized Samsung XCover devices by customizing the XCover and top hardware keys. The latest version of the Knox Service Plugin lets you:

  • Set up short or long key presses to launch selected device apps
  • Disable hardware key options in a device's Android Settings menu

For more information, see the latest KSP release notes or the KSP policy schema.


Deep Settings Customization

This release expands the list of deep settings introduced with Knox 3.4, delivering options to configure the following settings through the Knox Service Plugin.



Customize through


Wi-Fi Direct

Allows two devices to establish a direct, peer-to-peer Wi-Fi connection without requiring a wireless router.

Device Restrictions

Allow / Do not allow

Keyboard language shortcut

Allows virtual keyboard shortcuts to change the keyboard language.

Configure values in settings menu

On / Off / Use specific value / Allow user to modify setting / Hide setting

Each KSP release introduces additional deep settings so you are encouraged to browse the KSP release notes or KSP policy schema for all the latest capabilities. Coming soon: Deep settings to manage Picture-in-Picture and DeX monitor resolution.


DeX foreground app

Samsung DeX in dual mode increases mobile productivity, letting you use a device while presenting separately on an external display. You can now check if an app is in the foreground while in dual mode. One use case for this is in a banking scenario, where a banking customer is using a tablet and a bank employee is using the connected monitor to access an internal banking app. An app can now determine if it is currently in focus or not, and customize actions available to the app user.

Use the Knox SDK to check the focus state:

  1. Monitor the focus of an app's package with ApplicationPolicy.addPackagesToFocusMonitoringList().
  2. Inspect the ACTION_APPLICATION_FOCUS_CHANGE intent when a focus change occurs for that package.
  3. Extract the new EXTRA_APPLICATION_FOCUS_DEX_MODE field from the intent. The value is true if the app is in focus.

For more about using the Knox SDK to control DeX features, see Samsung DeX and Knox.


Quick Panel display of Daily Board

Through the Knox SDK, you can control what appears on a device's Quick Panel, which is shown when you swipe down from the top of the screen. With this Knox 3.6 release, you can show or hide the button used to configure the Daily Board, which tablets can use while charging to display the time, weather, calendar events, and photos. For security reasons, you can prevent users from enabling or configuring the Daily Board through the Quick Panel. Use the following API constant:

For more about how to show or hide this button, see SystemManager.setQuickPanelButtons.


Knox VPN in work profiles

The Android VPN Management for Knox Strongswan app extends the capabilities of the built-in Android VPN client, which provides only basic configuration as seen in the Android Settings app. The Knox app enables many more advanced Knox VPN capabilities on Samsung Knox devices.

Previously, the Android VPN Management for Knox Strongswan app supported only Device Owner (DO) mode. Knox 3.6 now supports Profile Owner (PO) mode, enabling the same advanced Knox VPN capabilities from within a work profile. When installed inside a work profile, the new Knox app (v3.0.5) accesses an end-user/CA certificate inside the PO keystore to secure data transmission from within the work profile.

NOTE — The new Knox app is backwards compatible with devices running earlier, pre-3.6 versions of Knox.

To deploy the new Android VPN Management for Knox Strongswan app in a work profile:

  1. Log in to Knox Partner Portal > Dashboard > Download.
  2. Download the new Android VPN Management for Knox Strongswan APK.
  3. Configure a UEM profile to push and deploy the APK in a work profile.

For more info about the advanced Knox VPN capabilities, see the Knox White Paper.


Certificate authentication for USB-tethered laptops

With Knox 3.5, Samsung Knox devices could extend a VPN tunnel to a laptop connected through USB. This provided laptop users with the ability to access internal enterprise resources using our defense-grade mobile VPN network. In addition to providing convenience when laptops do not have network connectivity, this offers company cost savings by removing the need to buy additional VPN licenses for laptops.

Knox 3.6 enhances this feature with even better security and control. In terms of security, there is a new app that enables Samsung Knox devices to verify that a laptop is owned by the device user. When the user connects a laptop to a Samsung Knox device via USB, the app validates the user certificate on the laptop with allowed certificates identified by the IT admin for the device.

To deploy the new app to authenticate connected laptops:

  1. Log in to Knox Partner Portal > Dashboard > Download.
  2. Download the new USB Tethering Authentication for VPN APK.
  3. Configure a UEM profile to push and deploy the APK to devices.
  4. Identify the certificates of laptops allowed to connect via USB to each device for VPN access.

NOTE — The APK provided on the Knox Partner Portal supports only Samsung One UI flagship devices such as the Galaxy S/A/J and Tab S/A. We also have One UI Core devices such as the A21, Tab A7, M51, M31s, and A12. To deploy USB-tethered VPNs on a One UI Core device, please contact us to get another APK that uses a different Samsung platform signing key.

The Knox SDK v3.6 provides the following new API methods and constants to control USB-tethered VPNs:

For additional information about configuring VPN profiles, see About Knox VPNs.


Firewall based on network types

Samsung Knox already provides granular control over firewalls on Samsung Knox devices. You can allow or prevent devices from sending or receiving data using specific IP addresses, port numbers, port locations, app identities, network interfaces (mobile, Wi-Fi), directions, or protocols.

With Knox 3.6, you can now also configure firewalls based on UNIX network interface names, for example, wlan0, wlan+, eth0, eth+. Use the following API methods:

For more information about defining firewalls, see Firewalls.


Deprecated APIs

This release deprecates the following API methods and constants:

See also the complete list of Deprecated API methods.


Keep exploring…

We encourage you to learn more about Knox.

We are already working on the next Knox platform release, and adding new features that will help you deliver the most compelling enterprise solutions. Stay tuned!