19 October 2021
This Knox Manage v21.9 release scheduled to go live on September 1st, 2021 includes several improvements and enhancements to existing features and functionality.
Highlights
The following features constitute the highlights of this release:
- Integration with KCS's MSP
- Enhancements to MDM device security
- Use Azure AD SSO in KM direct login
- Bulk enrollment for Windows 10 devices
- MGP application enhancements
- Shared device enhancements
Knox Service Integration
MSP Integration
Starting with this release, Knox Manage (KM) is now included as one of the services available from within Knox Cloud Service's (KCS) Managed Service Provider (MSP). This integration with the KCS common services allows a unified customer management experience, so that KM now works within the same framework as other Knox services such as Knox Portal and Knox License. KM users have a Samsung Account like all other KCS components, but does not have its own Samsung admin portal. This change means that user application approval happens within the Knox portal.
The following KM functionality is available from within MSP:
- Add KM Customer — MSP can add a new Knox Manage customer from within the MSP portal. When adding a new customer, the MSP can provide all necessary and mandatory KM information such as customer ID, organizational information, and any other information needed to onboard the customer. By default, when adding a new customer, the customer's access permissions are set to No access, meaning the customer cannot access the KCS portal and is fully managed by the MSP. The MSP can change this permission to Full access, meaning the customer can access the KCS portal and is jointly managed by the MSP.
- KM SSO login from the MSP console — Users of the MSP portal can now access the KM portal with their single sign-on login credentials. To access the KM portal, go to left hand navigation menu > Customers > List of customers > click Active to open the KM portal in a new browser tab.
- Change customer access permissions — MSP users can also change the access permissions for KM customers from within the MSP portal. Note that MSP cannot change the access permission for a Full access customer into a No access customer. Once the access permissions are changed, the customer receives an email notification with details about the change as well as complete Knox portal registration information that they can use to log in to the MSP portal.
- KM MSP delink — Fully managed customers who have access to the MSP portal and jointly manage their account can also request to revoke the access rights of the MSP to their account. This request is known as a delink MSP request. Once the request is accepted, the MSP does not have access to the customer's account.
- Migrate existing KM tenants — MSPs can also migrate existing KM customers to the MSP portal.
- KM notifications on MSP console — Any notifications set up for customer accounts on KM are also shown on the MSP portal, including but not limited to: expired licenses, add new administrators, or add a new KM customer tenant. To view these notifications, on the MSP portal's left navigation menu, go to the Dashboard.
- View KM and Knox Services license usage — MSPs can also view details of the Knox Manage and Knox services' license usage, such as:
- Purchased seats
- Remaining seats
- Used seats of KM or KS
- License key information
Azure AD SSO in KM Direct Login
Going forward, KM users can now use their Knox Cloud Services' (KCS) Azure AD single sign-on login to log in to Knox Manage. For more information about how to log in to KCS portals, including KM, using Azure AD SSO, see Sign in with Azure AD.
Windows 10 - Bulk enrollment
With this release, KM now supports bulk enrollment of Windows 10 devices based on provisioning packages (PPKG). The process includes the following stages:
- Create PPKG
- Deliver PPKG
- Install PPKG
- Install and Enroll KM Client
Depending upon the purpose and specific customer needs, the IT admin can choose to assign one of three user types. The following image describes these three types:
Assign users
Assign a default user
To assign a user, do as follows:
- In the KM Admin portal, go to Device Enrollment > Windows > Enrollment Setting > scroll to the User Assign section.
- Specify whether the user is a default user or not by selecting a value for the Using Default User field:
- Yes — Choose this option if you want to assign this user as a default user for all appropriate devices.
- No — Choose this option if you do not want to assign this user as a default user.
- Specify a value for the User ID field by clicking Select. On the dialog that opens, scroll to select the appropriate user ID.
- Click Save to save your changes.
Assign bulk users
Bulk assignment of users is available as an option before you can assign a default user. To assign users in bulk, do as follows:
- In the KM Admin portal, go to Device Enrollment > Windows > Device Management > click Bulk Assign User.
- In the Bulk Assign Users dialog that opens, click Download Template to download an Excel file that you can customize to include the appropriate user and device information. Ensure that the file you create has Digital Rights Management (DRM) disabled.
NOTE — Before you upload this Excel file, add the User ID you want to assign to the KM admin portal.
- Click to select the appropriate file.
- Click OK to upload the file to the KM admin portal.
Assign a single user
You can assign a single user to each device after you've installed PPKG and enrolled the device in KM. To assign a single user to a device, do as follows:
- In the KM Admin portal, go to Device Enrollment > Windows > Device Management > scroll to the device to which you want to assign a user, and click the checkbox to select the device and then click Assign User.
- In the Select User dialog that opens, click the User Name for the user you want to assign to the device.
- Click OK to assign the user to the selected device.
Create PPKG
You can create the PPKG using the Windows Configuration Designer (WCD) tool.
To create the PPKG do as follows:
- Download and install the Windows Configuration Designer tool from the Microsoft website. For information on how to install the WCD tool, see Microsoft documentation > Install the Windows Configuration Designer.
- Use the PPKG information found on the KM admin portal to create the PPKG file. You can find this information on the KM admin portal on the Device Enrollment > > Windows > > Enrollment Setting > on the Bulk Enrollment page go to the Provisioning Package Reference section.
Deliver, enroll, and install the PPKG
Once you create the PPKG, you can deliver it to your users either using a USB flash or another external drive, network drive, or as an email attachment. The device user then installs the PPKG file to their device from the Windows Settings > Access work or school > Add or Remove a provisioning package > Add a package.
After the device users install the PPKG files on their devices, the Knox Manage client is automatically installed on the device and the device is enrolled to the KM admin portal.
Android Enterprise
MGP Application Track Support
With this release, KM includes the Application Track feature that supports the pre-release, closed testing of Managed Google Play applications. Once you create and release a custom, closed version of the MGP application in the Google Play Console, you can then assign this version to a group or organization in the KM admin console.
To assign this version in the KM admin console, go to the Application menu, choose the apps you need, and then click Assign.
Cross-profile application support
This release introduces a new cross-profile application support feature. If the same application exists in both the personal as well as the Work profiles, these two versions of the application can connect and access each other's data.
INTERACT_ACROSS_PROFILES
permission.To connect the two versions of the app, on the target device open Device Settings > Special access > Connected personal and work apps > enable for the appropriate app.
MGP app force update support
IT admins can now push updates for MGP apps to target devices. To push the updates to devices, the devices must meet the following criteria:
- Connected to Wi-Fi
- Plugged in and charging
- Unused and idle
- Not have the specified application running in the foreground
In cases where devices do not meet these criteria, IT admins can push the update to the device at special intervals. When the update is pushed to the device, the app (if running on the device at the time) is terminated before the update is installed.
Chrome browser settings in MGP web app assignments
A prerequisite for MGP web is the assignment of the Chrome browser on the target device. In cases where the device already has the Chrome browser app assigned to it, IT admins can choose to not assign the Chrome browser again when assigning a new MGP web app. For such devices, when assigning a new, additional MGP web app, IT admin can set the Chrome App Assignment field's value to No.
ICCID value support in Managed Configuration
When setting up Managed Configurations for applications, a new field Integrated Circuit Card Identification Number (ICCID) is now available. ICCID is also added to the Open API's Get Device Detail screen.
Shared device improvements
This release adds the following enhancements to the Shared Device feature.
- Secondary device information — The information available about secondary devices attached to the Shared Device is now available on the appropriate Group, Organization, Application, Profile, or Content Details pages. This information may include details such as whether the user is checked-in or checked-out and the staging username of the secondary user of the device.
- Send a device command to a secondary user — The IT admin can now send a device command to the secondary user of a device. To send the device command, go to the User or Group menu > Device Command.
- Staging device improvements — The Device List no longer includes information about the staging device's Profile not applied issue.
Also, the staging device's name is now shown on the secondary user's device screen as well.
iOS - add iPadOS support
Until this release, iOS 12 or lower was supported on all iPhone and iPad devices. Starting with this release, KM officially supports the new iPadOS for devices running iPadOS 13 or higher. The same details applicable to iOS devices also apply to devices running the new iPadOS.
Reporting improvements
Until KM v21.7, you could only enter search criteria for a report after the entire search results were shown. Going forward, when viewing a report, you are required to enter search conditions before you can view results of the search function. This way, you are shown results that meet your requirements without needing to weed through unnecessary information.
Other enhancements and improvements
The following enhancements and improvements are included in this release:
- Support for Polish language — This release adds support for the Polish language on the KM admin console as well as the KM agent.
- Add Device Commands for Service Admin — This release adds a new delete app data command for service admins. To access this option go to the Modify Administrator screen > Delete App Data.
- New OpenAPIs — The following new OpenAPIs are included:
PurposeMethod Path Parameter New response Get tags by device ID
POST
/emm/oapi/device/selectDeviceTagsByDeviceId
deviceId
Update device tags
POST
/emm/oapi/device/updateDeviceTags
deviceId, tags
Get device details
POST
/emm/oapi/device/selectDeviceInfo
deviceId
isRoaming, iccid, subscriberMcc, subscriberMncNa, currentMcc, currentMncName
- Deleted devices list — You can now export the deleted devices list into .csv format and download it like other reports.
- Advanced search options for devices — The following new advanced search options are now available: OS version, Model name, and Firmware version.
NOTE — The OS version and model name list is shown based on the device pool of the tenant.
- Chromebook device management — Allow Chromebook management and setup through Knox Manage. IT admins can set up Browser, Network, and Printer settings on Chromebook devices. They can also specify settings such as allow or disallow screen capture, using SSO, location tracking, and so on. However, Chrome OS management is currently available only as early access to pre-approved users. Contact knoxmanage@samsung.com for approval. General availability will be announced separately in the near future.
Latest from the Blog
3 Strategies to Reduce Telecom Cost