Knox Service Plug-in: Delivers Knox features faster to end customers while eliminating integration costs for UEM partners

Knox Service Plug-in: Delivers Knox features faster to end customers while eliminating integration costs for UEM partners

25 Jul 2019
By Prarthna Srivathsan

At MWC 2019, Samsung launched the Knox Service Plug-in (KSP Plug-In). The KSP Plug-In is a solution that enables customers to use Knox Platform for Enterprise (KPE) features as soon as they are commercially available, via their preferred UEM solution vendor. Knox Platform for Enterprise extends Android Enterprise by providing granular manageability, higher security, and enhanced productivity features on top of AE.

What is the KSP Plug-In?

KSP Plug-In is:

  • Based on OEMConfig, supports feedback channel
  • Provides zero-day support for Knox features

KSP Plug-In helps customers:

  • Rapidly deploy existing and new Knox Platform for Enterprise features to devices using a compatible UEM, as soon as Samsung launches them. Compatible UEM partners are ones who support OEMConfig.

KSP helps UEM partners:

  • Leverage their investments by building on Android’s managed configurations (AppConfig and OEMConfig) standard
  • Avoid the repeat development cost of supporting KPE features, while making sure customers get the latest and greatest features


How does it work?

Put simply, the Knox Service Plugin (KSP Plug-In) is an app published by Samsung on Google Play store. It has the necessary privileges to call the KPE APIs on mobile devices on behalf of the UEM agent that is managing the device or work profile.

Customer IT Admins use their compatible UEM console to:

  • Search for the KSP Plug-In app from a managed Google Play store
  • Set up policies in the form of managed configurations
  • Publish these policies to their managed devices

The KSP Plug-In app then applies the relevant Knox policies and returns the configuration result to the UEM console.

Currently, KSP Plug-In supports KPE features like Samsung DeX management, Knox VPN, device restrictions, RCS message control, device customization controls, Common Criteria mode, firewall and proxy, biometric authentication and multi-factor authentication control, and more. Samsung rolls out new features on a monthly basis.

ksp dev process

The KSP deployment process is as follows:

  1. The latest KSP Agent is published by Samsung to the Google Play store.
  2. IT Admins use their compatible UEM console (that supports a managed Google Play store) to search for KSP.
  3. The UEM Console renders the applicable Knox features and policies using OEM Config.
  4. IT Admins use the UEM console to set up policies in the form of Managed Configurations. These are then saved and published to their enterprises' managed devices.
  5. When a user's device is being provisioned, the UEM invokes the managed Google Play Store, which in turn installs KSP and pushes the managed configuration to the device.
  6. After installation is complete, KSP runs in the background on the device. KSP applies the relevant Knox policies and returns the result of the configuration process using Google's Feedback SDK.
  7. and 8. IT Admins can view any configuration failures and associated error messages on the UEM Console, provided the UEM is equipped to handle the result that KSP generates and sends back using the feedback SDK.


KSP Plug-In support

KSP Plug-In works on devices running Android Pie with Knox 3.2.1 and above. It supports Android Enterprise deployments in these modes:

  • Fully managed device (DO)
  • Work profile (PO)
  • Fully managed device with a work profile (COPE or COMP)

Samsung has worked with UEM partners to bring KSP support to our joint customers. Here is a quick look at the current status. Reach out to your UEM partner for more up-to-date information on availability across solution variants and versions.


KSP schema support

IBM MaaS360


SOTI MobiControl


MobileIron Cloud


Microsoft Intune







Coming soon


Learn more

For more details, head to our KSP Admin Guide, where you will find the following:

Developers wanting to learn how to provide zero-day configuration of new app features can head to our Managed Configurations Developer Guide