August 27, 2019

What's new in Knox 3.4?

Samsung Knox News

On the heels of the big Samsung Galaxy Note 10 reveal, we are proud to introduce Samsung Knox 3.4, which further extends our leadership in advanced mobile security, innovative usability, and comprehensive device manageability.

The Knox 3.4 platform is built into the firmware of the new Samsung Galaxy Note 10. Other devices such as the Galaxy S10 will receive firmware updates with Knox 3.4, pending the release schedule of each mobile service provider.


New features



Knox 3.4 includes enhancements to Dual Data-at-Rest (DualDAR) encryption, which was introduced with Knox 3.3. With this enhancement, DualDAR provides improvements to security, stabilization, and performance.

  • Zero Day Support: IT admins are now empowered to use DualDAR features the moment they're released. Through the Knox Service Plugin (KSP) and Knox Mobile Enrollment (KME), IT admins can now create DualDAR workspace containers and configure policies, before UEM providers include customized DualDAR support through their web consoles. For more, see the Release Notes for KSP and KME.
  • Device Encrypted Storage : To enhance app stabilization, work apps can now write to DE storage by default. DE storage is available both during Direct Boot mode and after the user has unlocked the device. The default value for the configurable parameter DE restriction in the DualDARPolicy class is now set to false. To restrict writes to DE storage, you must create a package allowlist and set the value for DE restriction to true.

For additional information on new DualDAR features included in the Knox 3.4 release, see DualDAR UEM integration. For information on how to implement a custom solution to leverage control over your security, see the new DualDAR ISV integration.



Samsung is extending its device attestation solution to improve the way we check for devices that are rooted or running unofficial firmware.

With this Knox 3.4 release, we are launching Attestation v3, which provides these features:

  • Better correlation of results: Through the use of the Samsung Attestation Key (SAK), which is unique with every device.
  • Better device status diagnostics: Through enhancements to our server-side validation check logic.

For details, see Attestation (v3), the new EnhancedAttestationPolicy class, and v3 REST API.


Deep settings customization

Samsung already provides extensive Knox SDK APIs to configure a wide range of features on our mobile devices. To enable rapid, zero-day adoption of the new features, you can also use the Knox Service Plugin.

You can customize device settings such as:

  • Location tracking
  • Wi-Fi and NFC control
  • Status bar notifications
  • Biometrics and security

For more information about:

  • How enterprises IT admins can configure new device features using the Knox Service Plugin, see the Admin Guide.
  • How developers can add the Knox Service Plugin to their web consoles, see the Developer Guide.


DeX management

The Knox 3.4 release includes new DeX customization features made available through the Knox Service Plugin. You can:

  • Hide certain app icons.
  • Customize the DeX Panel.
  • Turn the Suggested Apps on or off.
  • Turn the Mouse Cursor Flow on or off.
  • Turn the Keyboard toolbar and Predictive text on or off.
  • Skip the DeX welcome screen.
  • Hide the Samsung DeX launcher icon from the quick panel.

See how enterprises can use the Knox Service Plugin to customize DeX by browsing the Admin Guide and how developers can deploy the Knox Service Plugin, by checking out the Developer Guide. For info about all other DeX features, which can be configured through the Knox SDK, see Samsung DeX and Knox and the DeXManager class.


Custom tab names

Knox 3.2.1 originally introduced a tab-based UI for Personal and Workspace apps.

With Knox 3.4, IT admins can now customize the names of the Personal and Workspace tabs.

Developers can support this feature using the Knox SDK API setCustomResource. This displays custom text in the tabbed view in place of the default Personal and Workspace labels. To learn more, see Custom tab names.


APN Mobile Virtual Network Operator

Starting from Android 9.0 (Pie), some carriers or SIM cards need the APN Mobile Virtual Network Operator (MVNO) to be configured.

With Knox 3.4, you can use ApnSettings to configure the MVNO type and value for a device. For devices with Android 9.0 but Knox 3.3 or earlier, you can use reflection to set these values. For details, see Access Point Name.

Deprecated features



The Knox VPN SDK was designed for VPN service providers, to create apps that can handle requests to set up VPN tunnels through their proprietary infrastructure. The Knox VPN SDK has already been merged into the Knox SDK v3.3, through the package With the Knox SDK v3.4, the Knox VPN SDK is obsolete and all VPN SDK functionality must be accessed through the Knox SDK. This change provides these key benefits:

  • simplifies the development workflow for developers
  • further strengthens the capabilities of the Knox SDK
  • simplifies the licensing flow required to use the VPN APIs. Going forward, all VPN APIs are activated with the same license key as the Knox SDK – the Knox Platform for Enterprise key

If you are using the Knox VPN SDK, you need to update your apps or services to reflect this change. You do not have to update any API packages, classes, or methods, as these remain the same. You do need to import the Knox SDK library and change the old namespace (com.sec.vpn.knox) to the new namespace ( For general information about updating an app to use the Knox SDK v3.x, see the Migration Guide. For details related to VPN apps, see VPN namespace changes.


Knox Workspace containers

We are continuing to harmonize Knox Platform for Enterprise (KPE) and Android Enterprise (AE) features to simplify your deployment of solutions across all Android devices.

To this end, we are deprecating the Corporate Liable (CL) mode of the Knox Workspace on the Note 10 and later devices. The Corporate Liable mode will however continue to work on S10 and earlier devices, even if they are upgraded to Knox 3.4.

Instead, use either of these AE use models:

  • Work Managed Device (as a DO) and Work Profile (as a PO). This replaces the Corporate Liable mode.
  • Work Managed Device (as a DO). This replaces the Container Only Mode (COM) that was deprecated in Knox 3.3.

You can still activate a KPE license to enable KPE Premium permissions to use advanced Knox features on these devices. see the Tutorial: Apply Knox features to work profile.