Knox Manage 25.07 release notes (original console)
Last updated August 5th, 2025
New
Improved login flow
Previously, the Sign in to Admin Portal dialog let you sign in using your Samsung account or SSO. Starting with 25.07, instead of those sign-in methods, you can use the new Go to Knox Admin Portal button to access Knox Manage from Knox Admin Portal alongside your other Knox products. You can still use the Sign in with Knox Manage Account button to sign in directly to Knox Manage.
Support for Legacy Knox Manage license replacement
Starting with 25.07, existing Legacy Knox Manage (KLM09) licenses can be replaced with Knox Suite Essentials Plan (KLM12) licenses.
Device lock bypass for Android commands
Android devices can now receive device commands even after rebooting without having to unlock the device. Before 25.07, unlocking the device was mandatory to receive commands upon reboot.
Support for multi-SIM details
The Network tab on the Device Details page now features Multiple Enabled Profile (for Android 13 and higher only) and SIM Type fields to support multi-SIM devices. Relevant values for each SIM appear under their own column under the Category field. Furthermore, all multi-SIM fields are included in the Device Details Information report query.
Support for app-based Ivanti Secure Access configuration
Previously, Ivanti Secure Access (formerly Pulse Secure) could only be configured using the VPN policy. However, Ivanti has switched to app-based managed configuration. Therefore, starting with 25.07, Ivanti VPN can only be configured from Assign Application > Managed Configuration > Set Configuration for the Ivanti Secure Access Client app. Existing profile-based VPN configurations are still supported, but we strongly recommend transitioning to managed configurations for future compatibility.
P&D support for Wear OS devices
- Knox Manage now supports Pair & Detach (P&D) for Wear OS 6.0, including True Single SKU (TSS) flow.
- You can now conveniently search for watches that fail P&D enrollment using the Failed to P&D (Wear OS) search filter on the Device page. Matching devices also appear in the Device widget’s issue on the Dashboard.
Account-driven User Enrollment for Apple devices
As of iOS 18, Apple no longer supports Profile-based User Enrollment. Starting with Knox Manage 25.07, Account-driven User Enrollment is supported and preferred for devices running iOS or iPadOS 15 and higher. The Device Information tab on the Device Details page now features a User Enrollment Type field to indicate the type of User Enrollment that was used for a given device. Profile-based User Enrollment is only supported for devices running iOS or iPadOS versions 15-17, and is discouraged to ensure future compatibility.
Streamlined activation locking for iOS
Previously, iOS users had to sign in to iCloud and turn on Find My to allow Knox Manage admins to send device commands to enable or disable the activation lock. Starting with 25.07, device users don’t have to perform any actions — you can enable or disable the activation lock by device command alone.
Knox Manage cannot turn on the activation lock if it has been disabled from Apple Business Manager. Only devices activated from Knox Manage can be disabled from Knox Manage.
New key-value types for iOS app configurations
In addition to values of String type, the Assign Application page now supports Boolean, Date, Integer, and Array types for Managed App Configuration.
Date values must be in UTC format, such as 2025-07-16T12:34:56Z, or else app installation will fail on the device.
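A pre-flight check for the Date requirement above, added here as an example and not Knox Manage code: it accepts only the shape of the sample value on this page and converts timestamps that carry an explicit offset into it. The key names in SAMPLE are constructed, and treating that exact shape as the only safe form is an assumption.

```python
import re
from datetime import datetime, timezone

# Shape taken from the sample value on this page: 2025-07-16T12:34:56Z
_UTC_SHAPE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z")
_FMT = "%Y-%m-%dT%H:%M:%SZ"

def is_utc_date(value):
    """True only for a real calendar timestamp in the exact shape above."""
    if not isinstance(value, str) or not _UTC_SHAPE.fullmatch(value):
        return False
    try:
        datetime.strptime(value, _FMT)  # rejects dates such as 30 February
    except ValueError:
        return False
    return True

def to_utc_date(value):
    """Convert an ISO 8601 timestamp with an explicit offset to the UTC 'Z' form.
    Naive timestamps are rejected: guessing a zone would silently shift the time."""
    if is_utc_date(value):
        return value
    text = value.strip()
    if text[-1:] in ("Z", "z"):
        text = text[:-1] + "+00:00"
    parsed = datetime.fromisoformat(text)  # raises ValueError on malformed input
    if parsed.tzinfo is None:
        raise ValueError(f"no UTC offset in {value!r}")
    return parsed.astimezone(timezone.utc).replace(microsecond=0).strftime(_FMT)

def check_dates(config):
    """Return {key: problem} for every Date entry that is not in UTC 'Z' form."""
    problems = {}
    for key, value in config.items():
        if not is_utc_date(value):
            problems[key] = f"{value!r} is not YYYY-MM-DDTHH:MM:SSZ"
    return problems

# Constructed sample: hypothetical Date keys, not taken from any real app
SAMPLE = {
    "licenseExpiry": "2025-07-16T12:34:56Z",
    "rolloutStart": "2025-07-16T14:34:56+02:00",
    "auditCutoff": "2025-02-30T00:00:00Z",
}
```
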
Content folders in Knox Manage agent
You can now use the ⋮ menu in the Knox Manage agent to organize Content files into folders on the target device. Alternatively, you can use the existing file view.
Certificate-based authentication for MS Entra ID
Microsoft now requires certificate-based authentication to connect to users or devices from MS Entra ID. This only applies to CA types using Network Device Enrollment Service (NDES) and Active Directory Certificate Services (ADCS). To comply with this requirement, the Add User and Add Connection pages in Knox Manage feature a new Microsoft User Security Identifier field. Moreover, the Add Certificate Template page lets you filter Certificate Usage records using a Microsoft User Security Identifier option, and also lets you save it as a SAN Type URL.
New Device Diagnostics Log page and commands
- For Android devices, the Device Log and Device Diagnosis Information device commands have been merged into the Collect Device Diagnostics Log command. In Device Details, both logs can be downloaded from the same popup (in addition to Collect Bug Report).
- Similarly, existing device logging commands for AMAPI, Wear OS, iOS, and macOS have been replaced or combined. Windows does not support device logging.
- Under History in the console navigation hierarchy, the Device Log menu has been renamed to Device Diagnostics Log. Clicking it opens the Device Diagnostics Log page, which lets you download and delete device logs, device diagnosis information, and bug reports.
- If you tap Send activity log in the Knox Manage agent for Android, device logs and device diagnosis information are simultaneously sent to Support.
Logs are retained for 365 days. Device diagnosis information prior to 25.07 cannot be downloaded from the Device Diagnostics Log popup. Diagnosis information for iOS and iPadOS devices is deprecated, as it is included in the device log. Windows does not support device log collection.
Updates
Changes to license expiry behavior in Knox Manage agent
Starting with 25.07, Knox Manage agent for Wear OS, iOS, iPadOS, macOS, and AMAPI will no longer allow access to the Notices, Application Store, and Content menus if the Knox Manage license has expired. Instead, a License Expired popup will be shown.
This restriction has already been implemented in Android (in Knox Manage 23.09) and Windows (in Knox Manage 25.04).
Android Application command enhancements
Before 25.07, with one or more Android apps selected, you could only send Application device commands to Internal and Kiosk apps. Starting with this release, you can additionally send:
- The Install or Update App command to single or multiple Knox/Kiosk Browser apps
- The Run App command to multiple Public, System, and Knox/Kiosk Browser apps
- The Uninstall App command to multiple Public, System, and Knox/Kiosk Browser apps
- The Delete App Data command to multiple Public, System, and Knox/Kiosk Browser apps
Furthermore, you can now search apps by app or package name on the Select Application page for any of the aforementioned commands. Previously, you could only search by app name.
Android security patch level added
The Device Information tab on the Device Details page now features an Android Security Patch Level field, which indicates the date corresponding to the security patch that is applied (supported for Android, AMAPI, and Wear OS). The field is also included in the Device Details Information report query, and can be looked up on the device by going to Settings > About phone > Software information or equivalent location (depending on the device type and OS version).
Miscellaneous enhancements for Android
- Knox Manage now officially supports Android 16.
- AMAPI devices now support multi-profile behavior. Previously, only the highest-priority profile got applied.
- The Remove eSIM upon factory reset option no longer appears in the Unenroll Device command dialog for personal devices using a work profile.
- Due to Android limitations, starting with Knox Manage 25.07 you can no longer change a kiosk’s status bar color on devices running Android 15 or higher. This applies to both new and existing kiosks that you are attempting to build or rebuild in the Kiosk Wizard.
Miscellaneous enhancements for Wear OS
Several key terms and messages in the Knox Manage agent UI have been updated for clarity. For example, Service Desk → Support and Activity Log → Diagnostics Log.
Miscellaneous enhancements for iOS
- The Factory Reset command dialog now shows a Remove eSIM upon factory reset option instead of an option to preserve the eSIM.
- Installation logic for the iOS Knox Manage agent has been improved, so that you don’t have to log in to the App Store if the agent has been assigned as a VPP app.
- The App Block/Allowlist Settings policy has been improved to address WebClip policy configuration issues. Relevant details have been added to the tooltip of both policies. Supported for iOS 15 (Supervised) and higher.
Multi-tab support for Knox Browser
You can now view and interact with web pages across multiple tabs in Knox Browser. To open a list of existing tabs, click the tabs icon in the bottom-right (the number on the icon indicates how many tabs you have open). To open a new tab, click New Tab.
Report configuration enhancements
The Input Value field on the Add Report page, which lets you filter records by selected input fields, has been renamed to Filters for clarity and alignment with the Knox Manage new console. Furthermore, you can now add operators for a filter using a dropdown menu, allowing you to configure report conditions more efficiently.
Admin email address pre-population
While configuring Android Enterprise, if there is an existing administrator, then the administrator’s email address automatically pre-populates the Enter work email address field in the Google Admin Console during sign-up.
Other enhancements
- The Modify External Certificate page now lets you clear an existing password before setting a new one to ensure the previous password isn’t accidentally uploaded.
- While creating multiple Wi-Fi settings in a single profile, you can now use duplicate Wi-Fi SSIDs. This is supported for Android, Wear OS, iOS, iPadOS, macOS, and AMAPI profile configurations. Windows doesn’t support duplicate SSIDs.
- Sending Update User Information and Push Notification commands now ping the device, resulting in more frequent updates to the Last Seen property in a device’s connection status. Furthermore, Last Seen is now supported for AMAPI devices.
- Starting with 25.07, when a locked device leaves its geofencing area and then re-enters, it automatically unlocks.
- Kiosks built using the legacy Wrapping method are no longer supported. You will need to recreate them using the Launcher method with the Kiosk Wizard.
- Knox Manage now supports TLS 1.3 for improved network security and performance.
- The Safari web browser isn’t formally supported by Knox Manage. Starting with 25.07, you’ll get a relevant pop-up message if you open Knox Manage in Safari.