December 3, 2020

What's new in Knox 3.7

Samsung Knox Team

The latest Samsung Knox 3.7 release features Android 11, which offers both:

  • greater privacy to consumers using personal apps on company devices
  • sufficient controls to enterprise IT admins to protect corporate assets

The Knox 3.7 platform is built into the firmware of new Samsung flagship devices, and will be installed on existing devices following the release schedule of mobile service providers. Let’s dive into the new features!


Work profile on company-owned devices

As you may be aware, Android 10 introduced extensive changes to protect user privacy and give users more control over the personal data that apps could access. Android 11 further enhances privacy, on corporate devices that are enabled for personal use.

Specifically, Google has replaced the device management mode called fully managed device with work profile (also known as Corporate Owned Managed Profile or COMP) with work profile on company-owned device.

The UEM apps used by enterprises to manage their devices no longer have device owner privileges over the personal profile, but instead have elevated profile owner privileges to protect corporate assets in the personal side. For more about these changes, see Device management modes, Work profile on company-owned devices, Android policies in the personal side, and Knox policies in the personal side.


Separated apps

Some enterprises still need full (device owner) control over a device, while enabling users to install third-party business apps. For example, enterprises might need: password reset on the device, Mobile Threat Defense in user0, general visibility and control of DNS filtering, APN, and so on. In these scenarios, you can use Separated apps, which isolates third-party apps in a sandboxed folder. The third-party apps cannot intercommunicate with work apps or access confidential work data. See how to use the Knox Service Plugin to set up Separated apps.


Deep Settings Customization

This release expands the list of deep settings introduced with Knox 3.4, delivering options to configure the following Settings through the Knox Service Plugin.



Side key setting

The new Side key, which combines the Power and Bixby keys, can be configured for the events: double press and press-and-hold. The Side key can be also enabled or disabled.

APN change disabling

The change of the Preferred APN can now be disabled after an IT admin sets the APN settings.

Dual SIM management

Devices with dual SIMs can now configure preferred SIM cards for each call, SMS, and data. While the SIM manager is configured through deep settings, the e-sim menu will be disabled automatically.

Each KSP release introduces additional deep settings so you are encouraged to browse the KSP release notes for all the latest capabilities.


Lock screen enhancements

This release offers several customer-requested enhancements to the lock screen:




Admin lock on Knox license expiry

When a license is expires, the device or the profile is immediately admin locked from a security and management point of view.

The users can use the existing device or profile under the policies.

Admin lock on maximum failed passwords

The device is admin locked when a user fails 5 times (assuming the maximum failed password count is 5).

The profile (PO) will be admin locked or wiped instead of device locked when user fails 5 times.

Face unlock for work profile

Lack of face unlock to open a work profile.

Face authentication is allowed for the profile owner. To enable or disable this feature, use the existing API method setBiometricAuthenticationEnabled.

Advanced access control for work profile

Once a device owner unlocks their work profile, unauthorized users can easily access the data inside the profile at any time.

When a non-registered device user (who is not the owner) is detected, the profile is locked automatically base on face authentication. To enable or disable this feature, use the Knox Service Plugin.


Bug fixes and feature enhancements

The release fixes the following customer-reported bugs:




Ownership transfer for DPM

In the case of a profile owner, a work profile is removed when an IT admin tries to transfer ownership using the API method DPM.transferOwnership.

Ownership migration is now supported

Filter data traffic for tethering using Firewall

Samsung devices provide an enhance Knox firewall, but the policy does not affect tethered devices such as laptops and tablets.

The Knox firewall policy now includes tethered devices.

Ultra-wideband control

UWB was introduced with the Galaxy Note20 but IT admins could not control it.

New API methods allow UEM partners to add an enable/disable feature to consoles.


Keep exploring…

We encourage you to learn more about Knox.

If you're new to Knox, browse our White Paper Whitepaper Find out about the Knox Service Plugin, and how it delivers new features on the day of release Learn about our entire Knox Ecosystem, and how our services ease mobile deployments


We are already working on the next Knox platform release, and adding new features that will help you deliver the most compelling enterprise solutions. Stay tuned!