Samsung Knox Manage v21.9 Release Notes


19 October 2021

This Knox Manage v21.9 release scheduled to go live on September 1st, 2021 includes several improvements and enhancements to existing features and functionality.


The following features constitute the highlights of this release:

  1. Integration with KCS's MSP
  2. Enhancements to MDM device security
  3. Use Azure AD SSO in KM direct login
  4. Bulk enrollment for Windows 10 devices
  5. MGP application enhancements
  6. Shared device enhancements

Knox Service Integration

MSP Integration

Starting with this release, Knox Manage (KM) is now included as one of the services available from within Knox Cloud Service's (KCS) Managed Service Provider (MSP). This integration with the KCS common services allows a unified customer management experience, so that KM now works within the same framework as other Knox services such as Knox Portal and Knox License. KM users have a Samsung Account like all other KCS components, but does not have its own Samsung admin portal. This change means that user application approval happens within the Knox portal.

alt text img

The following KM functionality is available from within MSP:

  • Add KM Customer — MSP can add a new Knox Manage customer from within the MSP portal. When adding a new customer, the MSP can provide all necessary and mandatory KM information such as customer ID, organizational information, and any other information needed to onboard the customer. By default, when adding a new customer, the customer's access permissions are set to No access, meaning the customer cannot access the KCS portal and is fully managed by the MSP. The MSP can change this permission to Full access, meaning the customer can access the KCS portal and is jointly managed by the MSP.

    alt text img

  • KM SSO login from the MSP console — Users of the MSP portal can now access the KM portal with their single sign-on login credentials. To access the KM portal, go to left hand navigation menu > Customers > List of customers > click Active to open the KM portal in a new browser tab.

    alt text img

  • Change customer access permissions — MSP users can also change the access permissions for KM customers from within the MSP portal. Note that MSP cannot change the access permission for a Full access customer into a No access customer. Once the access permissions are changed, the customer receives an email notification with details about the change as well as complete Knox portal registration information that they can use to log in to the MSP portal.

    alt text img

  • KM MSP delink — Fully managed customers who have access to the MSP portal and jointly manage their account can also request to revoke the access rights of the MSP to their account. This request is known as a delink MSP request. Once the request is accepted, the MSP does not have access to the customer's account.

    alt text img

  • Migrate existing KM tenants — MSPs can also migrate existing KM customers to the MSP portal.

    alt text img

  • KM notifications on MSP console — Any notifications set up for customer accounts on KM are also shown on the MSP portal, including but not limited to: expired licenses, add new administrators, or add a new KM customer tenant. To view these notifications, on the MSP portal's left navigation menu, go to the Dashboard.

    alt text img

  • View KM and Knox Services license usage — MSPs can also view details of the Knox Manage and Knox services' license usage, such as:
    • Purchased seats
    • Remaining seats
    • Used seats of KM or KS
    • License key information

    alt text img

Azure AD SSO in KM Direct Login

Going forward, KM users can now use their Knox Cloud Services' (KCS) Azure AD single sign-on login to log in to Knox Manage. For more information about how to log in to KCS portals, including KM, using Azure AD SSO, see Sign in with Azure AD.

alt text img

Windows 10 - Bulk enrollment

With this release, KM now supports bulk enrollment of Windows 10 devices based on provisioning packages (PPKG). The process includes the following stages:

  • Create PPKG
  • Deliver PPKG
  • Install PPKG
  • Install and Enroll KM Client

Depending upon the purpose and specific customer needs, the IT admin can choose to assign one of three user types. The following image describes these three types:

alt text img

Assign users

Assign a default user

To assign a user, do as follows:

  1. In the KM Admin portal, go to Device Enrollment > Windows > Enrollment Setting > scroll to the User Assign section.

    alt text img

  2. Specify whether the user is a default user or not by selecting a value for the Using Default User field:
    • Yes — Choose this option if you want to assign this user as a default user for all appropriate devices.
    • No — Choose this option if you do not want to assign this user as a default user.
  3. Specify a value for the User ID field by clicking Select. On the dialog that opens, scroll to select the appropriate user ID.
  4. Click Save to save your changes.

Assign bulk users

Bulk assignment of users is available as an option before you can assign a default user. To assign users in bulk, do as follows:

NOTE — Before you can use automatic assignment on devices, you must set the device name to the serial number.
  1. In the KM Admin portal, go to Device Enrollment > Windows > Device Management > click Bulk Assign User.

    alt text img

  2. In the Bulk Assign Users dialog that opens, click Download Template to download an Excel file that you can customize to include the appropriate user and device information. Ensure that the file you create has Digital Rights Management (DRM) disabled.
    NOTE — Before you upload this Excel file, add the User ID you want to assign to the KM admin portal.
  3. Click alt text img to select the appropriate file.
  4. Click OK to upload the file to the KM admin portal.

Assign a single user

You can assign a single user to each device after you've installed PPKG and enrolled the device in KM. To assign a single user to a device, do as follows:

NOTE — You can only assign a user to a device that is active and does not currently have a user assigned.
  1. In the KM Admin portal, go to Device Enrollment > Windows > Device Management > scroll to the device to which you want to assign a user, and click the checkbox to select the device and then click Assign User.

    alt text img

  2. In the Select User dialog that opens, click the User Name for the user you want to assign to the device.
  3. Click OK to assign the user to the selected device.

Create PPKG

You can create the PPKG using the Windows Configuration Designer (WCD) tool.

alt text img

To create the PPKG do as follows:

  1. Download and install the Windows Configuration Designer tool from the Microsoft website. For information on how to install the WCD tool, see Microsoft documentation > Install the Windows Configuration Designer.
  2. Use the PPKG information found on the KM admin portal to create the PPKG file. You can find this information on the KM admin portal on the Device Enrollment > > Windows > > Enrollment Setting > on the Bulk Enrollment page go to the Provisioning Package Reference section.

Deliver, enroll, and install the PPKG

Once you create the PPKG, you can deliver it to your users either using a USB flash or another external drive, network drive, or as an email attachment. The device user then installs the PPKG file to their device from the Windows Settings > Access work or school > Add or Remove a provisioning package > Add a package.

alt text img

After the device users install the PPKG files on their devices, the Knox Manage client is automatically installed on the device and the device is enrolled to the KM admin portal.

Android Enterprise

MGP Application Track Support

With this release, KM includes the Application Track feature that supports the pre-release, closed testing of Managed Google Play applications. Once you create and release a custom, closed version of the MGP application in the Google Play Console, you can then assign this version to a group or organization in the KM admin console.

alt text img

To assign this version in the KM admin console, go to the Application menu, choose the apps you need, and then click Assign.

Cross-profile application support

This release introduces a new cross-profile application support feature. If the same application exists in both the personal as well as the Work profiles, these two versions of the application can connect and access each other's data.

alt text img

NOTE — This feature is only available if the application is added as a connected app with the INTERACT_ACROSS_PROFILES permission.

To connect the two versions of the app, on the target device open Device Settings > Special access > Connected personal and work apps > enable for the appropriate app.

MGP app force update support

IT admins can now push updates for MGP apps to target devices. To push the updates to devices, the devices must meet the following criteria:

  • Connected to Wi-Fi
  • Plugged in and charging
  • Unused and idle
  • Not have the specified application running in the foreground

alt text img

In cases where devices do not meet these criteria, IT admins can push the update to the device at special intervals. When the update is pushed to the device, the app (if running on the device at the time) is terminated before the update is installed.

Chrome browser settings in MGP web app assignments

A prerequisite for MGP web is the assignment of the Chrome browser on the target device. In cases where the device already has the Chrome browser app assigned to it, IT admins can choose to not assign the Chrome browser again when assigning a new MGP web app. For such devices, when assigning a new, additional MGP web app, IT admin can set the Chrome App Assignment field's value to No.

alt text img

ICCID value support in Managed Configuration

When setting up Managed Configurations for applications, a new field Integrated Circuit Card Identification Number (ICCID) is now available. ICCID is also added to the Open API's Get Device Detail screen.

alt text img

Shared device improvements

This release adds the following enhancements to the Shared Device feature.

  • Secondary device information — The information available about secondary devices attached to the Shared Device is now available on the appropriate Group, Organization, Application, Profile, or Content Details pages. This information may include details such as whether the user is checked-in or checked-out and the staging username of the secondary user of the device.
  • Send a device command to a secondary user — The IT admin can now send a device command to the secondary user of a device.

    alt text img

    To send the device command, go to the User or Group menu > Device Command.
  • Staging device improvements — The Device List no longer includes information about the staging device's Profile not applied issue.

    alt text img

    Also, the staging device's name is now shown on the secondary user's device screen as well.

    alt text img

iOS - add iPadOS support

Until this release, iOS 12 or lower was supported on all iPhone and iPad devices. Starting with this release, KM officially supports the new iPadOS for devices running iPadOS 13 or higher. The same details applicable to iOS devices also apply to devices running the new iPadOS.

alt text img

Reporting improvements

Until KM v21.7, you could only enter search criteria for a report after the entire search results were shown. Going forward, when viewing a report, you are required to enter search conditions before you can view results of the search function. This way, you are shown results that meet your requirements without needing to weed through unnecessary information.

alt text img

Other enhancements and improvements

The following enhancements and improvements are included in this release:

  • Support for Polish language — This release adds support for the Polish language on the KM admin console as well as the KM agent.

    alt text img

  • Add Device Commands for Service Admin — This release adds a new delete app data command for service admins. To access this option go to the Modify Administrator screen > Delete App Data.

    alt text img

  • New OpenAPIs — The following new OpenAPIs are included:


    Method Path Parameter New response

    Get tags by device ID





    Update device tags



    deviceId, tags


    Get device details




    isRoaming, iccid, subscriberMcc, subscriberMncNa, currentMcc, currentMncName

  • Deleted devices list — You can now export the deleted devices list into .csv format and download it like other reports.

    alt text img

  • Advanced search options for devices — The following new advanced search options are now available: OS version, Model name, and Firmware version.
    NOTE — The OS version and model name list is shown based on the device pool of the tenant.

    alt text img

  • Chromebook device management — Allow Chromebook management and setup through Knox Manage. IT admins can set up Browser, Network, and Printer settings on Chromebook devices. They can also specify settings such as allow or disallow screen capture, using SSO, location tracking, and so on. However, Chrome OS management is currently available only as early access to pre-approved users. Contact for approval. General availability will be announced separately in the near future.

3 Strategies to Reduce Telecom Cost