Samsung Knox integration for corporate Android app

TRUETECH develops, supports and maintains iOS, Android and PWA mobile applications. We have extensive experience and expertise in publishing mobile applications in popular markets such as Google Play, App Store, Amazon, AppGallery and others.

Integrating Samsung Knox for Corporate Android Apps

Samsung Knox is a security technology stack embedded in the hardware and firmware of Samsung devices. It is not an EMM platform but a set of APIs on top of Android, available only on Samsung devices. For a corporate app, Knox enables capabilities that are unavailable through standard Android Enterprise: a hardware-isolated Keystore (Knox Vault), Dual Persona (personal and work modes without a Work Profile), TIMA KeyStore, and SIM and NetworkPolicy management below the OS level.

Knox Vault: Hardware Key Protection

Knox Vault is an isolated security processor, physically separate from the main ARM processor, on Galaxy S21+ and Knox-certified devices. Private keys created in Knox Vault cannot be extracted even after a full compromise of the Android OS or physical analysis of flash memory.

Access is through the standard Android Keystore API with an additional flag:

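import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import java.security.KeyPairGenerator

// EC key pair generated inside the AndroidKeyStore provider; the private key never leaves it
val keyPairGenerator = KeyPairGenerator.getInstance(
    KeyProperties.KEY_ALGORITHM_EC,
    "AndroidKeyStore"
)

val parameterSpec = KeyGenParameterSpec.Builder(
    "corporate_signing_key",
    KeyProperties.PURPOSE_SIGN or KeyProperties.PURPOSE_VERIFY
).apply {
    setDigests(KeyProperties.DIGEST_SHA256)
    // Require strong biometric authentication; timeout 0 means on every use of the key (API 30+)
    setUserAuthenticationRequired(true)
    setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
    // Knox Vault used automatically if device supports StrongBox
    setIsStrongBoxBacked(true)
}.build()

keyPairGenerator.initialize(parameterSpec)
// Throws StrongBoxUnavailableException on devices without StrongBox
val keyPair = keyPairGenerator.generateKeyPair()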

setIsStrongBoxBacked(true) requires a StrongBox-compatible HSM; on the Samsung Galaxy S21+ this is Knox Vault. If the device doesn't support StrongBox, key generation throws StrongBoxUnavailableException. Handle it by falling back to the regular Android Keystore and logging the fallback to the MDM.
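The fallback described above, written out as an added example (not code from the original page). The `reportToMdm` callback and the `ProvisionedKey` type are hypothetical names; the Keystore calls are the standard Android ones (API 30+ because of `setUserAuthenticationParameters`).

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyInfo
import android.security.keystore.KeyProperties
import android.security.keystore.StrongBoxUnavailableException
import java.security.KeyFactory
import java.security.KeyPair
import java.security.KeyPairGenerator

// Hypothetical result type: the key pair plus where the private key actually lives.
data class ProvisionedKey(val keyPair: KeyPair, val strongBox: Boolean, val inSecureHardware: Boolean)

// Same parameters as the snippet above; only the StrongBox flag varies.
private fun spec(alias: String, strongBox: Boolean) =
    KeyGenParameterSpec.Builder(alias, KeyProperties.PURPOSE_SIGN or KeyProperties.PURPOSE_VERIFY)
        .setDigests(KeyProperties.DIGEST_SHA256)
        .setUserAuthenticationRequired(true)
        .setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
        .setIsStrongBoxBacked(strongBox)
        .build()

private fun generate(alias: String, strongBox: Boolean): KeyPair =
    KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore").run {
        initialize(spec(alias, strongBox))
        generateKeyPair()
    }

// reportToMdm is a hypothetical hook into whatever channel the MDM agent exposes.
fun provisionSigningKey(alias: String, reportToMdm: (String) -> Unit): ProvisionedKey {
    val (pair, strongBox) = try {
        generate(alias, strongBox = true) to true
    } catch (e: StrongBoxUnavailableException) {
        // Downgrade is allowed, but never silently: the backend should know about it.
        reportToMdm("StrongBox unavailable for '$alias', using default Keystore: ${e.message}")
        generate(alias, strongBox = false) to false
    }
    // Ask the Keystore itself where the key ended up instead of trusting the request flag.
    val info = KeyFactory.getInstance(pair.private.algorithm, "AndroidKeyStore")
        .getKeySpec(pair.private, KeyInfo::class.java)
    @Suppress("DEPRECATION") // superseded by KeyInfo.getSecurityLevel() on API 31+
    val inHardware = info.isInsideSecureHardware
    if (!inHardware) reportToMdm("Key '$alias' is software-backed; treat its signatures as lower assurance")
    return ProvisionedKey(pair, strongBox, inHardware)
}
```

Recording the `strongBox` and `inSecureHardware` values with the device record lets the server apply a stricter policy to keys that did not land in Knox Vault.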

Knox SDK: Extended Policy Management

The Knox SDK (separate from the standard DevicePolicyManager) provides APIs for:

  • APN and SIM policy management: corporate traffic goes through a specific APN.
  • Device firewall rules: block specific IPs/domains for an app.
  • Kiosk Mode (Enhanced Kiosk): Single App Mode with a custom placeholder that can't be exited even via the notification shade.
  • Factory Reset Protection (FRP) bypass for corporate redeployment.
  • Knox Container management (Dual Persona): a separate Android instance in a container.

The Knox SDK requires a Samsung Knox license:

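import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.content.IntentFilter
import com.samsung.android.knox.license.KnoxEnterpriseLicenseManager

// Listener for activation result
val receiver = object : BroadcastReceiver() {
    override fun onReceive(context: Context, intent: Intent) {
        // ERROR_NONE is compared against the int error code; EXTRA_LICENSE_STATUS is a string
        val errorCode = intent.getIntExtra(KnoxEnterpriseLicenseManager.EXTRA_LICENSE_ERROR_CODE, -1)
        if (errorCode == KnoxEnterpriseLicenseManager.ERROR_NONE) {
            initKnoxPolicies()
        }
    }
}
// Register before activating so the result broadcast cannot be missed
registerReceiver(receiver, IntentFilter(KnoxEnterpriseLicenseManager.ACTION_LICENSE_STATUS))

// Initialize Knox with Enterprise license key
val licenseManager = KnoxEnterpriseLicenseManager.getInstance(context)
licenseManager.activateLicense(KNOX_LICENSE_KEY)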

Licenses are activated per device through the Samsung Knox License Management Service (KLMS). For enterprise deployments, licenses are issued in bulk through the Samsung Knox Reseller Portal.

Per-app VPN via Knox VPN Framework

The Knox VPN Framework allows per-app VPN without an MDM profile, directly from an app with Device Owner rights:

val vpnManager = EnterpriseDeviceManager.getInstance(context).vpnManager
val vpnProfile = KnoxVpnProfile().apply {
    profileName = "CorporateVPN"
    vpnType = KnoxVpnProfile.VpnType.IPSEC_HYBRID_RSA
    gatewayAddress = "vpn.corp.example.com"
    packageNames = listOf("com.company.app") // only our app
}
vpnManager.addVpnProfile(vpnProfile)
vpnManager.enableVpnProfile("CorporateVPN")

The difference from the standard VpnService: Knox VPN is set at the SIM stack level, so traffic is tunneled before it reaches the Android networking stack. This makes it harder for on-device malware to bypass.

Samsung Knox Platform for Enterprise (KPE): Knox SDK Successor

Since 2021, Samsung has recommended KPE instead of the deprecated Knox SDK. KPE is a unified API that combines Knox EMM, Knox Customize and device management:

// Get policy manager via KPE
val enterpriseDeviceManager = EnterpriseDeviceManager.getInstance(context)
val applicationPolicy = enterpriseDeviceManager.applicationPolicy

// Block specific app
applicationPolicy.addPackageToBlacklist("com.example.gaming_app")

// Force permissions
applicationPolicy.addPackageToWhitelistForPermission(
    "com.company.app",
    Manifest.permission.CAMERA
)

Knox Attestation: Device Integrity on Server

Knox Attestation lets the server verify that the device isn't rooted and that its Knox status is not compromised. The client requests a nonce-based attestation report:

val attestationManager = KnoxAttestationManager.getInstance(context)
attestationManager.getAttestation(serverNonce) { report ->
    // Send report to server
    // Server verifies signature via Samsung Knox Attestation API
    sendAttestationToServer(report)
}

The server validates the report through the Samsung Knox Attestation REST API, verifying that the boot chain is not compromised, that knox_state = "ACTIVE", and that there are no signs of root or FRP bypass.
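The server side of the nonce handling, as an added example (not code from the original page or from Samsung): the nonce must be unpredictable, bound to one device, short-lived and single-use, otherwise a captured report can be replayed. `AttestationVerdict` and its field names are assumptions standing in for the already signature-verified result of the REST call; only the `knox_state = "ACTIVE"` check comes from the text above.

```kotlin
import java.security.MessageDigest
import java.security.SecureRandom
import java.time.Duration
import java.time.Instant
import java.util.Base64
import java.util.concurrent.ConcurrentHashMap

// Hypothetical shape of a verdict whose signature has already been verified.
data class AttestationVerdict(val nonce: String, val knoxState: String)

class AttestationNonces(private val ttl: Duration = Duration.ofMinutes(2)) {
    private data class Pending(val nonce: String, val expires: Instant)

    private val pending = ConcurrentHashMap<String, Pending>() // deviceId -> outstanding nonce
    private val rng = SecureRandom()

    // Issue a fresh 256-bit nonce; a new request replaces any earlier one for the device.
    fun issue(deviceId: String, now: Instant = Instant.now()): String {
        val bytes = ByteArray(32).also { rng.nextBytes(it) }
        val nonce = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes)
        pending[deviceId] = Pending(nonce, now.plus(ttl))
        return nonce
    }

    // Accept a verdict at most once, only for the nonce issued to this device,
    // only before expiry, and only when the reported Knox state is ACTIVE.
    fun accept(deviceId: String, verdict: AttestationVerdict, now: Instant = Instant.now()): Boolean {
        val p = pending.remove(deviceId) ?: return false // unknown device or nonce already consumed
        if (now.isAfter(p.expires)) return false          // stale report
        val sameNonce = MessageDigest.isEqual(
            p.nonce.toByteArray(Charsets.UTF_8),
            verdict.nonce.toByteArray(Charsets.UTF_8)
        )
        return sameNonce && verdict.knoxState == "ACTIVE"
    }
}
```

Because `accept` removes the pending entry before any other check, a failed or replayed report forces the client to request a new nonce.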

Implementation Stages

Get Knox license → register app in Samsung Knox Portal → Knox SDK / KPE integration → Knox Vault for critical keys → policy setup (VPN, Kiosk, App Whitelist) → Knox Attestation for server verification → test on Knox-certified devices → deploy via Samsung Knox Mobile Enrollment.

Timeline: basic Knox Keystore integration takes 2–3 weeks. A full project with KPE policies, VPN and Attestation takes 6–10 weeks. Cost is calculated individually.