Samsung Knox provides a Generic VPN Framework, in which third party VPN vendors can integrate their client applications to allow them to be configured via a common set of MDM controls, and connections managed automatically by the framework.
Administrators can then create Knox VPN profiles for these VPN clients via compatible MDM solutions.
Samsung devices incorporate an enhanced built-in VPN client based on Strongswan. In same manner as with Knox Generic VPN Framework compatible third-party VPN clients, Administrators can configure a Knox Generic VPN profile for the built-in Strongswan based VPN client using a compatible MDM.
In order to achieve this, the Android VPN Management for Knox application must be distributed to all end user devices that are to have a Knox Generic VPN profile configured for the built-in device client by the MDM.
1. Download the Android VPN Management for Knox application from the Knox web portal
2. Deploy the Android VPN Management for Knox application to your enterprise devices via the MDM. This process may vary depending on your MDM vendor. For more information contact their support.
3. Configure the Knox Generic VPN Profile for the built-in device VPN client (also known as Strongswan) in your MDM.
The following example is for Samsung SDS On-Premise EMM:
1. Create a new ‘Device Management Profile’ and add either an ‘Android Settings’ (for VPN outside Knox Container) or ‘Knox Settings’ (for Knox Workspace Container VPN) profile, and choose the ‘Generic VPN’ Category.
2. Select ‘Strongswan’ for the ‘VPN Vendor Name’. This will automatically populate the ‘VPN client vendor package name’ with the correct package name (com.samsung.sVpn).
3. Then configure the VPN Profile:
- VPNroute type should remain as ‘per-app VPN’
- Configure the Server Address and any required User Authentication details (note IPSec IKEV2 options do not support User Authentication configuration)
- Configure the Connection Type, for example ‘IPSec IKEV2 RSA’, and the associated Keys, IKE Identifiers or Certificates.
4. Choose the connection method to be ‘Keep On’ (Always-on type behaviour, where the connection is automatically established at system startup), or ‘On Demand’ (Connection is automatically established only when the associated applications are launched). In both cases, the Knox VPN Framework automatically manages the connection, and only allows application network connectivity when the VPN connection has been established.
5. Finally, choose ‘VPN route type by application’ to be either ‘By Application’ (and subsequently add the specific package names the VPN is applied to), or ‘All Packages’ for the given area the profile is being configured for (inside or outside the Knox Workspace Container).
- Note, the SDS On-Premise EMM supports an option called ‘Wide VPN’ for Knox Generic VPN profiles for ‘Strongswan’, when ‘All Packages’ is selected. When this is set to ‘use’, the VPN profile is applied to all packages both inside and outside the Knox Workspace Container.
Note that the configuration process and naming of configuration options may vary between MDM vendors.
Also note, that it is pre-requisite of the built-in device VPN client that a Device Lock Screen method is configure, such as PIN or Password. This can manually be configured by the user or enforced by the Administrator via the MDM (preferred).