Skip to main content
Matrix42 Self-Service Help Center

Android Enterprise VII: Knox Service Plugin

OEM Configuration

OEM Configuration is a new feature or a new paradigm of how the management of Android devices will evolve in the future. When we look back to the history of the Android Management it offered just a bunch of useful and enterprise ready controls and all manufacturers needed to find their own enterprise strategies and thus, their own management APIs. This kept all Enterprise Mobility Management solutions under action, to support different APIs for different manufacturers and different devices.

Within the new greatly working Android Enterprise Management platform, Google and device manufacturers are underlying new capabilities to create an easy adoptable device management. In a nutshell, device manufacturers will provide API management with separate applications, and you as an Administrator can configure these applications in Silverback through Managed Play and Android Enterprise. 

What is the benefit

  • You will participate from a zero day support for new features and functionalities, even without updating your management system
  • Manufacturers will update their applications and extend the management capabilities within the application
  • OEMConfig applications can run with privileged access, so you will have an extremely granular control management capabilities. 
  • Depending on your device fleet you will be able to enrol devices knowing every API that has been made for the device from day one.

How it works

  • The manufacturers develop their devices, the software and the relevant APIs over and above Android Enterprise
  • In tandem, the manufacturers creates their custom OEMConfig application to reference and interface the created APIs
  • The manufacturers uploads the OEMConfig application to Google Play with supporting managed app configs for all available APIs
  • You as an Administrators approves and imports the application into Silverback
  • Utilising managed app configurations, you immediately receives the latest version of OEMConfig and the APIs the manufacturer has added
  • You configure the managed app configs and distribute the applications to your device fleet
  • The OEMConfig application will retrieve the managed app configurations and will implement them on the device

Knox Service Plugin

The OEM Configuration for Samsung devices is based on the Knox Service Plugin:

20.0.1_rl_34.png

Knox Service Plugin is the specific OEM Configuration applications for Samsung Devices. You as an Administrator can use the Knox Service Plugin app to enable the so called Knox Platform for Enterprise policies on your managed devices. The application works on Android 8.0, and above for fully managed device deployments (device owner) , and with Android 9.0 and above for all deployment modes.

How to configure it

Basically you need to import the OEM Application into Silverback, add the application into a tag, configure the managed configuration and deploy it. 

  • Open your Silverback Management Console
  • Navigate to App Portal
    • Select your platform
      • Select SamsungSafe for Knox Service Plugin
    • Click New Application
    • Click the magnifier Icon next to Name
    • Enter the name of the desired your application
      • For SamsungSafe "Knox Service Plugin"
    • Press Enter
    • Select your application
    • Press Select
    • Change the Name to e.g. Knox Service Plugin  (optional)
    • Press Save
    • Confirm the requested permissions
  • Navigate to Tags
    • Click New Tag or use an existing one
      • Under Definition
        • Enter a Name, e.g. Knox Service Plugin
        • Enable Apps in Features
        • Enable SamsungSafe as device type
        • Press Save
    • Navigate to Apps
      • Press Assign More Apps
        • Select your Knox Service Plugin
        • Click Add Selected Apps
        • Press the Edit button for Manage Config
        • Click the Edit button at Edit managed configuration
    • Edit your Managed Configuration
      • Enter a Profile name
      • Enter your KPE Premium License Key (optional for Premium marked features)
      • Enable Debug Mode (for testing purpose) 
      • Configure additional policies and profiles
      • Press Save
    • Hand over to your device
      • Install your OEM Config Application
      • As Knox Service Plugin as an example the application will be installed and gets device administrator on the device
      • Additionally and due to Debug Mode the application will start in the foreground
        • Press Apply latest Security Policies

User Experience

The following screenshots demonstrate a manual installation of the Samsung Knox Service Plugin on the device with enabled debug options within the managed configuration.

For productive use we recommended to enable Automatically push to managed devices and disable debug mode. 

20.0.1_rl_22.png 20.0.1_rl_19.png 20.0.1_rl_20.png 20.0.1_rl_21.png
After configuring the Managed Configuration and assigning them to a device, you will a information in the App Configuration Profile After right click on the three dots of the App Configuration Profile you will find the information that the Samsung Knox Service Plugin (com.samsung.knox.kpu) has a managed configuration After clicking install you will be redirected to the Google Management Play. Press Install to download and install the application. After successful installation the application will start automatically due to the Enabled Debug mode. After the first start the application will start to check the policies. 
20.0.1_rl_23.png 20.0.1_rl_24.png 20.0.1_rl_25.png 20.0.1_rl_26.png
After a successful sync you will see the latest installed configuration. Click Apply Latest Policies to refresh policies (optional) By pressing the Configuration Profile you will gain more information about the provided overall device configuration.  By changing from Configuration results to Policies received you will find a higher level of configurations.   When you navigate into the Device admin apps sections on your device you will see that the Knox Service Plugin has been granted Administrative access on the device

Troubleshooting 

If you are facing any issues when using the Knox Service Plugin and applying policies to devices, you should be able to the issues highlighted in the Knox Service Plugin if the Debug Mode is enabled through the Managed Configuration. Typically any issues will be highlighted in red with a Error Code provided by the application. The following screenshot shows an example of a typical error message. 

ksp-error-message-example.png

The message shown in the screenshot has an example the ID 12005. When we look to the official documentation from Samsung, we see that the corresponding ID 12005 has the following description: 

Code Cause Message Resolution
12005 

Schema error

Missing key

[policy title] in [profile deployed] is not processed as it is missing in the input configuration. This is an information message. Please check your policy configurations and re-apply it again.

Error Codes 

If you receive any Error Code that is not listed here, please refer to the official Error Message overview in the Knox Documentation from Samsung

Code Cause Message Resolution

11000

Fatal error

Unknown

Fatal error occurred. An unknown error occurred while running the application. Contact Samsung if the problem persists and provide a device log.

Contact Knox Support if the problem persists and provide a device log.

11001

Fatal error

Unsupported OS

Fatal error occurred. Please upgrade device to Android version 8.0 or higher.

KSP is installed and executed on a unsupported OS version. This issue usually occurs if you are trying to create a DO container on an earlier version of Android that does not support DO profile creation. Update your device to Android Version 8.0 or higher.

11002

Fatal error

Unsupported OS

Fatal error occurred. Please upgrade device to Android 9.0 or higher to use this application within Work Profile.

The device you are using is running an unsupported OS version that does not support Profile Owner (PO) mode. Update your device to Android version 9.0 or higher.

1003

Fatal error

DO or PO missing

Fatal error occurred. [DO or PO] is not found.

The DO or PO agent is missing. Set up your devices with a DO or PO profile.

If you have already set up a DO or PO mode, ensure that your Android Enterprise deployment is set up correctly. If necessary, reset the device or delete the work profile and provision again. 

11004

Fatal error

User rejects DA

Fatal error occurred. User did not agree to activate Device Administration permission for the application.

The device user did not grant the Device Admin (DA) permission to control the device. This issue occurs on the DA activation screen, provided the screen is still supported in the app. Install or push the app on the device again and get the device user to accept the agreement.

12001

Schema error

Critical fields missing

Fatal error occurred. [field title] is missing. Please check your input configuration and try again.

The schema being pushed to a device needs to be checked again. Some mandatory fields may be missing. Check in your Silverback console that you entered all fields correctly or that none are left blank.  In such cases, fill in a default value for that field and re-apply the policy.

12002

Schema error

Newer version of schema

Fatal error occurred. Device is running an older version of application. Application will retry to apply the Knox policies after the next app update.

There are elements of the schema data that are not recognized by the KSP agent you are running. Update to the latest KSP agent and re-apply the policies. To avoid this error, enable automatic push to devices for the Knox Service Plugin

12003

Schema error

Unknown keys

Fatal error occurred. Unrecognized field [field title] found in the input data.

There are elements of the schema data that are not recognized by the KSP agent you are running. Check the values in the schema to make sure you have entered values that can be validated by KSP. For example, you may have entered an invalid character, such as a "%" or "$."

If you have not edited the field in question, contact us to confirm that we do not silently appending any characters to the field upon push.

12005

Schema error

Missing key

[policy title] in [profile deployed] is not processed as it is missing in the input configuration.

This is an information message. Please check your policy configurations and re-apply it again.

13001

License error

Invalid license key.

Invalid license key.

Check that you entered your license key correctly. Contact Samsung Knox Support if the problem persists and provide a device log.

13002

License error

License expired

License expired.

Your license has expired. Contact the entity you bought your license from your Knox Support or a Knox reseller

13003

License error

License quantity exhausted.

License quantity exhausted.

Your license key does not have any more valid seats to enroll another device. You can either unenroll a previous device to gain another seat, or contact a Knox reseller to buy more seats.

13004

License error

License terminated.

License terminated.

Your license key is terminated. Contact Samsung Knox Support to find out why.

13005

License error

Network error

License could not be activated due to network errors. Ensure device is connected to network and try again later.

Check your device mobile network or Wi-Fi. Ensure that there are no firewall issues blocking your device from contacting the Samsung Knox License servers.

13006

License error

Configuration error

The device time and date is incorrect. Set the correct time and date and try again.

Correct the device date and time setting. Preferably, set the value to automatic date and time that uses the time stamp from your mobile network.

13007

License error

Configuration error

Application binding is invalid. This license cannot be used with application [app name]

This issue occurs if the DPC is not registered with Samsung. Contact us or Samsung Knox Support to find out why.

13008

License error

Unknown

Unknown license error occurred. Please verify your license key and try again. Contact Samsung if problem persists.

Contact Samsung Knox Support if the problem persists.

13009

Permission error

Policy failed due to permission

Permission error occurred. Please check your license key has necessary privileges and try again.

Your license key does not have the correct permissions to apply a specific policy, or you are using different license altogether (for example, an outdated version of the license). Contact the entity you bought your license from–your supported Knox Support or a Knox reseller.

13010

License error

License not provided

This policy requires a KPE Premium License. Please provide a valid license key and try again.

Check that your premium license was activated by the entity you bought your license from– your supported Knox Support or a Knox reseller.

15001

-

Failed to disable some applications for D ex.

This issue may happen if the DeX app is not found on the device—due to a wrong package name—or if it is not installed on the device. To fix the issue, verify that package name is correct or remove it from the list until after it is installed on the device.

15002

Application Catalog

Duplicate app defined in the Application Catalog. Please verify the nick names and packages listed in the app catalog.

Open the App Portal and check for apps that have duplicate nicknames or packages.

15003

Package name is incorrect

Unrecognized application packages. Please enter valid package name in the format and try again.

The package name has a specific format you must follow. For example, instead of inserting "com.app.package", the value "myapp" was used. Application package name should conform to Android package rules.

14001

Policy error

Policy not supported - individual key

[policy title] in [profile deployed] is not supported by this device

The policy you are trying to push is not supported on your device due to the version of Knox it is running. Check what version of Knox you need for the particular feature you are trying to use. You may need to upgrade Knox or use a different device.

14002

Info
message


Policy not supported - at group level

[policy title] in [profile deployed] is not supported by this device

The policy you are trying to push is not supported on your device due to the version of Knox it is running. Check what version of Knox you need for the particular feature you are trying to use. You may need to upgrade Knox or use a different device.

Status message

Success

[policy title] in [profile deployed] successfully processed.

(example: "VPN Policy in Device policies" or "Biometric authentication in Work profile policies")

No action needed. This is a generic success message for all policies

Status message

Conditional (partial) success

[policy title] in [profile deployed] processed with errors.

(example: "VPN Policy in Device policies" or "Biometric authentication in Work profile policies")

Generic message shown when some part of a policy was successful but another part of the policy has errors. For example when one of the DeX policies failed but others are successful. Check the specific policy that is causing the error. You can try to push that policy on its own, to see if it throws a more specific error message.

Status message

Policy failed

[policy title] in [profile deployed] failed.

Generic message shown when a given policy failed. Check your configuration values and network settings and try to push the policy again. Contact Samsung Knox Support if the problem persists and provide a device log.

Status message

Failed

Fatal error occurred.

No action needed. This is a specific prefix for all fatal errors.

Status message

Profile name

Knox policies in [profile name] successfully processed

No action needed. This is the general success message shown when this profileName is empty and no fatal errors happen—for example, if the IT admin did not enter any profile name.

Status message

License key

No license activated

No action needed. This is a general success message shown when the kpePremiumLicenseKey field is empty and no license errors happen— for example, the IT admin did not provide a license key.

Status message

License key

Successfully activated license key ending with ......O3E5"

(Shows masked license with last 4 numerals only. For example, "...O3E5")

No action needed. This is a general success message provided when the kpePremiumLicenseKey is not empty and no license errors happen— for example, the IT admin provided a valid license key.

Status message

DeX Disable packages

0 applications disabled for DeX

No action needed. This is a general success message shown when the DeX field is empty and no apps are disabled.

Status message

DeX Disable packages

[app name] applications disabled for DeX

No action needed. This is a general success message shown when the when the DeX field is not empty and all apps are disabled without errors.

  • Was this article helpful?