Mar 29, 2017 by Samsung Knox News

Deprecated Knox features with the Galaxy S8 (Knox 2.8) release


The Samsung Knox team is continually introducing new and improved features, in response to customer feedback and market trends. This is to help you leverage the latest emerging technologies, enhance productivity, meet the strictest security requirements, and avoid security exploits. At the same time, we are reviewing our existing portfolio to avoid over-complicating our offerings and ensure we have a tight feature set that lets us move into the future in an agile and efficient way.

Occasionally, we need to deprecate features. We realize that this can have a non-trivial impact on our partners and customers, so this blog post will help guide you through the changes and your options. It describes the features we’re now obsoleting, why we’re obsoleting them, our recommendations to those partners and customers who are now using the deprecated features, and where you can get self-help and support. The deprecated features are:

  • Mocana VPN
  • Generic SSO framework
  • Phone as SmartCard (PASC)

Please read on for the details about each feature. Before you do though, remember that you can also:

  • discuss questions or issues through the SEAP developer forum
  • get expert technical support. This is for registered SEAP partners only. If you signed up with SEAP as a developer, you can upgrade to partner if you are a registered business with a market-ready solution.
  • just contact the SEAP team if you have a basic question

Note that once a feature is deprecated, we will still support it (for example, troubleshoot an issue related to it) indefinitely.

Deprecated Features:

Mocana VPN

We introduced support for the Mocana VPN network four years ago, so that enterprises can secure private data while it’s in transit over the Internet as well as at rest while in a Knox container. Our contract with Mocana, however, ends on August 30, 2017. Currently, we support seven different enterprise VPN solutions and have decided to streamline these options to optimize our operational efficiencies.

If you currently use the Mocana VPN network with your Knox container, your setup will work as usual. However, we can’t guarantee that it will work with future Samsung devices or Knox platform upgrades. If you expect to upgrade your devices or device firmware (and therefore the Knox platform version), you might consider alternative VPN solutions. We will support you in switching to new VPN solutions.

Other VPN solutions supported by the Knox container are:

  • Cisco AnyConnect
  • Juniper Pulse Secure
  • F5 BIG-IP Edge client
  • BlackBerry Secure Connect Plus
  • NetMotion Mobility
  • Oceus Networks VPN (Mocana Compatible)
  • Android StrongSwan

Next steps - If you are an MDM vendor currently using our Knox Premium SDK to offer the Mocana VPN services to your enterprise customers, we recommend that you notify your enterprise customers that the Mocana option is being deprecated, and help those using this option to switch to one of the other VPN options listed above. On your MDM console, you should either remove the Mocana option or flag it as being deprecated by August 30, 2017.

Generic SSO framework

The Knox platform supports several Single Sign On (SSO) solutions. The Generic SSO framework was an architectural model that replaced proprietary API calls to enterprise Identity Providers (IdPs like CATech, MS Azure, and Centrify) with a generic set of API calls. This was meant to reduce app fragmentation and let ISVs use the same app and generic API calls to request SSO authentication from a variety of Identity Providers. Due to low usage, however, we will be deprecating the Generic SSO framework.

We do, however, still provide our original Kerberos-based SSO SDK. Introduced with Samsung Knox v2.0, this SDK lets you authenticate app users through an enterprise Active Directory, using the Kerberos or SAML authentication specification. For more info about this SDK, see the Knox SSO SDK.

Enterprises currently using the Generic SSO framework will find that their authentication works as usual. However, we can’t guarantee that it will work with future Samsung devices or Knox platform upgrades. If you expect to upgrade your devices or device firmware (and therefore the Knox platform version), you might consider using the Kerberos SSO SDK. We will support you in switching to the Kerberos solution.


Next steps - If you are an:

  • ISV using our Generic SSO SDK for ISVs, switch to the Samsung SSO SDK (Kerberos). For more info about this SDK, see the Knox SSO SDK.
  • MDM vendor using our Knox Standard or Premium SDK to provision SSO services through the Generic SSO framework, we recommend that you stop using the Generic SSO framework and consider the Samsung SSO SDK (Kerberos).

Phone As a Smart Card (PASC)

This is another feature meant to authenticate users, by encoding Personal Identity Verification (PIV, v1) data into a mobile device, turning it into a virtual Smart Card. PIV is used by employees to unlock their PCs, access secure email on a mobile device, and access secure facilities. Microsoft, however, stopped supporting PC unlock through NFC from Windows 8 onwards.

If you currently use this PASC feature, your setup will work with Windows 8 or earlier and current Samsung devices. If you expect to upgrade Windows, your Samsung devices, or device firmware (and therefore the Knox platform version), you might consider alternative ways to secure access to PCs.


Next steps - If you are an MDM vendor currently using our Knox Premium SDK to encode PIV data onto Samsung devices, we recommend that you notify your customers that this PASC feature is being deprecated on the Knox platform, and help those using this option to switch to another PC authentication method.