Samsung Knox extends Android Enterprise with additional device management capabilities through the Knox Service Plugin (KSP), an OEMConfig-based application. Understanding how these layers interact is important for avoiding policy conflicts.
Android Enterprise provides a standard set of management APIs that work across all certified Android devices. Samsung Knox adds Samsung-specific APIs on top, accessible through KSP.
When managing Samsung devices, an EMM typically applies:
KSP is deployed as a managed application with managed configurations. The EMM pushes a configuration profile to KSP, which then applies the Samsung-specific policies locally on the device.
Some policies exist in both Android Enterprise and KSP. If the same policy is set in both, the device may not apply them predictably. Common overlap areas include:
Best practice: set each policy in only one place. If a capability is available through both standard Android Enterprise and KSP, choose one and be consistent across your policy set.
KSP works with fully managed, dedicated, and personally-owned work profile devices. It does not apply to the COPE (work profile on company-owned device) management mode. If KSP policies are applied to a fully managed device and the device is later switched to COPE, previously applied KSP policies may persist unexpectedly.
If KSP policies are not applying as expected:
verboseMode in the KSP managed configuration to see which policies are deployedFor more on OEMConfig generally, see What is OEMConfig?.
Sources: