Deploying the Knox Service Plugin (KSP) as an Internally-Managed Application

Feb 11, 2020
Nishant Gandhi


Senior Consultant, End User Computing, VMware

Share This Post On

The Knox Service Plugin (KSP) allows enterprise customers to use Knox Platform for Enterprise (KPE) features as soon as they are available. IT admins no longer have to wait until their UEM integrates the latest features—KSP enables admins to rollout Knox features directly after they launch.

For more information, see the Knox Service Plugin Admin Guide.

With Workspace ONE UEM 1907 and later, you can use application configurations to configure the KSP when it is pushed as a public application using App & Books in the Workspace ONE UEM console. However, certain use cases may require KSP to be pushed as an internally-managed application. In this scenario, you must push a profile containing the XML file to configure the KSP application. This blog post provides steps to extract the app configuration and create the XML file for any application.

Important: The KSP app must be present on the device before the KSP configuration is installed. To achieve this order of operations, use product provisioning and create a dependency within the KSP app configuration to push the application product first.

Use Knox Service Plugin as an internally-managed application

To leverage KSP as an internally-managed application, you must perform the following steps:

1. Extract the xml file

2. Create the XML file to be published as part of the custom settings profile

3. Apply the KSP app configuration to the device

The first step is to extract the restrictions.xml file to get a list of the key-value pairs required to create the XML file.

1. Download the windows wrapper script and save the file as bat. Then, download the apktool.

2. Copy both files into a folder (name it APKTool) in C:\Documents.

3. Navigate to Environment Variables (This PC > Properties > Advanced System Settings).

4. Select the system variable for the JAVA path and click Edit.

5. Add a new path that points to the folder containing the APK tool files.

6. Run the command apktool d <APK Name> using command prompt.


The next step is to build the XML file.

1. The previous command extracts the APK files to the Current Location\<APK Name> (C:\KSP).

Open the xml located in C:\<App Name>\res\xml.

2. Find the parameter that you want to configure and the corresponding key-value pair.

3. KSP follows a nested configuration. After you have added the parameter, for example, profileDexCustomization, then find the parent parameter under which it is nested. Note the restrictionType (see yellow highlighted values in screenshot) because you must create XML tags to form the nested XML file.


The final step is to create an Android device profile and apply the KSP app configuration to the device.

1. In the Workspace ONE UEM console, create an Android device profile (Devices > Profiles & Resources > Profiles > Add).

2. Add a Custom Settings payload and paste the XML that was built.

3. Save and Publish the profile to be pushed to assigned devices.


Check out more resources in the Understand Android Management Activity Path on Digital Workspace Tech Zone. This activity path contains curated assets to help you level-up your knowledge in the arena of Android Management.


Tech Zone

468 ad