Samsung Knox extends Android Enterprise with additional device management capabilities through the Knox Service Plugin (KSP), an OEMConfig-based application. Understanding how these layers interact is important for avoiding policy conflicts.
Android Enterprise provides a standard set of management APIs that work across all certified Android devices. Samsung Knox adds Samsung-specific APIs on top, accessible through KSP.
When managing Samsung devices, an EMM typically applies:
KSP is deployed as a managed application with managed configurations. The EMM pushes a configuration profile to KSP, which then applies the Samsung-specific policies locally on the device.
Some policies exist in both Android Enterprise and KSP. If the same policy is set in both, the device may not apply them predictably. Common overlap areas include:
Best practice: set each policy in only one place. If a capability is available through both standard Android Enterprise and KSP, choose one and be consistent across your policy set.
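One way to check a policy set against this rule before deployment, as an added example that is not part of the original page or of any Samsung or EMM tooling. It assumes the EMM can export the Android Enterprise policy and the KSP managed configuration as dictionaries, with Android Enterprise fields named as in the Android Management API; the overlap map and every KSP key path under `ksp_placeholder` are constructed placeholders to be replaced with the real keys from your KSP schema.

```python
# Added example: flag capabilities that are configured in both layers.
# OVERLAP_MAP is constructed; each KSP path below is a placeholder, not a real KSP key.
OVERLAP_MAP = {
    # capability: (Android Enterprise policy field, dotted path in KSP managed config)
    "camera": ("cameraDisabled", "ksp_placeholder.restrictions.camera_disabled"),
    "screen_capture": ("screenCaptureDisabled",
                       "ksp_placeholder.restrictions.screen_capture_disabled"),
    "bluetooth": ("bluetoothDisabled", "ksp_placeholder.connectivity.bluetooth_disabled"),
}

_UNSET = object()  # sentinel: distinguishes "not configured" from False/None


def lookup(config, dotted_path):
    """Walk a nested managed-configuration dict; return _UNSET if any key is absent."""
    node = config
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return _UNSET
        node = node[key]
    return node


def find_overlaps(ae_policy, ksp_config, overlap_map=OVERLAP_MAP):
    """Return one finding per capability that is set in both layers."""
    findings = []
    for capability, (ae_field, ksp_path) in sorted(overlap_map.items()):
        ae_value = ae_policy.get(ae_field, _UNSET)
        ksp_value = lookup(ksp_config, ksp_path)
        if ae_value is _UNSET or ksp_value is _UNSET:
            continue  # set in at most one place, which is what the best practice asks for
        findings.append({
            "capability": capability,
            "ae_field": ae_field,
            "ksp_path": ksp_path,
            # "duplicate": same value twice; "conflict": the two layers disagree
            "status": "duplicate" if ae_value == ksp_value else "conflict",
        })
    return findings


# Constructed sample policy set (not taken from a real deployment)
SAMPLE_AE = {"cameraDisabled": True, "screenCaptureDisabled": True}
SAMPLE_KSP = {"verboseMode": True, "ksp_placeholder": {"restrictions": {
    "camera_disabled": False, "screen_capture_disabled": True}}}

if __name__ == "__main__":
    for f in find_overlaps(SAMPLE_AE, SAMPLE_KSP):
        print(f"{f['status'].upper()}: {f['capability']} set via "
              f"{f['ae_field']} and {f['ksp_path']}")
```

A "duplicate" finding is still worth cleaning up: the two copies agree today, but a later edit to only one of them turns it into a conflict.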
KSP supports all Android Enterprise management modes: fully managed, dedicated, personally-owned work profile, and COPE (work profile on company-owned device). All modes require Android 9.0 with Knox 3.2.1 or later. Note that the COPE implementation changed significantly in Android 11: on Android 9-10 this was "work profile on fully managed device", while Android 11 and later uses "work profile on company-owned device".
If KSP policies are not applying as expected:
Enable verboseMode in the KSP managed configuration to see which policies are deployed.
For more on OEMConfig generally, see "What is OEMConfig?".