...
Table of Contents:

1. Introduction – Knox platform for enterprise
2. Knox license keys
3. Knox Mobile Enrollment
4. Knox Service Plugin
5. Knox-specific features/capabilities built into UEM
   - License activation, passcode enforcement
   - EFOTA (firmware management)
6. On Premise and Closed Network considerations

Knox Platform for Enterprise Intro

Samsung Knox Platform for Enterprise (KPE), part of the Knox Suite, is an ecosystem of features and tools layered on top of Android for increased manageability and control of Samsung devices. KPE provides capabilities such as government-grade security, firmware management, and granular device controls. Learn more about Knox Platform for Enterprise.

Knox License Keys

To take advantage of KPE, a license activation is required on each device. Workspace ONE Intelligent Hub for Android automatically activates a standard license in most cases. Below is an overview of the different types of keys, uses, and method of activation:

| License Key Type | How it's activated |
| --- | --- |
| KPE Standard Key | Workspace ONE Intelligent Hub for Android activates this key automatically for devices with external internet access. For devices running on a closed network, please go to section 6. |
| KPE Premium Key | Customers obtain this key directly from Samsung and add it to their tenant in the Workspace ONE UEM console, under Settings > Devices & Users > Android > Intelligent Hub Settings > Samsung Knox. During enrollment, Hub will retrieve this key and activate it automatically. There may be a user prompt during activation of this key depending on the OS version. For devices running on a closed network, please go to section 6. |
| Backward Compatible Key (BCK) | Workspace ONE Intelligent Hub activates the BCK automatically. For devices running on a closed network, please go to section 6. |

Additional Knox License Key Considerations:

- Knox License Keys have expiration dates.
If you are using your own KPE Premium key, please ensure it is renewed, or removed, prior to expiration to avoid losing critical functionality or disrupting users.
- Renewals: Simply replace the existing license key in the Workspace ONE UEM console. Workspace ONE Intelligent Hub will automatically activate the new license key.
- If you have a custom Knox license key and a custom URL that points to an activation server, use the following format to properly configure the device to activate the Knox License Key:
  - Format: KLM#customurl.com,BCK
  - Example: KLM09-aaaaa-bbbbb-ccccc-ddddd#myactivationserver.com,BCK12-11111-22222-33333-44444
- If you no longer need the Samsung Knox license, you can clear the Knox License Key in the Android Hub Settings page by adding a placeholder value, such as 1111. Clearing the key prevents error messages resulting from invalid or inactive keys being accessed by Hub.

Note: Clearing the key for existing devices may cause older devices to lock indefinitely which then requires a factory reset of the device. Use caution when clearing the Knox License Key field.

Knox Mobile Enrollment

In addition to the standard Android Enterprise enrollment methods, Samsung devices also offer Knox Mobile Enrollment, or KME. KME is a method of out-of-box, automated enrollment, which is similar to Android Zero Touch enrollment, but has additional capabilities and is supported in more regions globally. KME is a free tool and simplifies large-scale device deployments.

Configuring KME:

- Navigate to the Samsung Knox Admin Portal, and go to Knox Mobile Enrollment from the left panel.
- Under Knox Mobile Enrollment > Devices, you will see a list of devices uploaded by your device reseller. If you do not see any devices, please contact your reseller or Samsung for assistance.
- Alternatively, you can add devices to your account using the Knox Deployment application.
Note that two devices are required for this method.

Create a profile

A profile contains the information required for device enrollment.

- Go to KME > Profiles and click Create Profile. Then select your preferred Android Enterprise enrollment option. Note that Device Administrator enrollment is not supported by Workspace ONE UEM.
- Under Pick your EMM, select VMware Workspace ONE UEM. The EMM Agent APK field will be filled in automatically. Only modify this field if you are hosting the APK file yourself.
- The EMM server URI is the UEM environment that the device enrolls into (e.g., https://cn123.uemserver.com).
- On the next page, in the Custom JSON Data field, make sure to include the enrollment Group ID in the following format: {"groupid":"mygroup"}
- Fill out any other options as needed and click Create. The new profile should be available in the Profiles list.
- Next, under Devices, select the device(s) you wish to configure for enrollment, and choose Actions > Configure devices. Select the appropriate profile, and include the User ID and Password for a fully automated enrollment. Leave the User ID and Password blank if you would prefer to prompt the user to enter their credentials during enrollment.
- Additionally, you can provide staging user credentials to get devices enrolled or set up as shared devices before handing them off to end users, who will then enter their own credentials. This is compatible with single-user staging or multi-user staging for shared devices using check-in/check-out functionality.

Device Enrollment

- For new devices, the enrollment will take place automatically after connecting to the internet. The user will need to follow the simple prompts to complete enrollment.
If credentials were not provided in the device configuration, then the user will need to authenticate into Workspace ONE Intelligent Hub when prompted.
- Devices that are already set up will need to be factory reset and set up from scratch to perform Knox Mobile Enrollment.
- If enrolled devices get factory reset, they will simply enroll again during the OOB setup.

Knox Service Plugin

Knox Service Plugin, or KSP, is an OEMconfig application from Samsung that allows admins to configure nearly all Knox features for devices in any Android Enterprise enrollment mode with zero-day support. This means that new capabilities that Samsung adds to KSP do not require any updates to Workspace ONE Intelligent Hub or UEM before they can be used.

How to configure KSP:

- In Workspace ONE UEM, navigate to Resources > Apps > Native > Public
- Click Add Application
- Select Android and Search App Store. Under Name, type “Knox Service Plugin”
- Add and approve Knox Service Plugin
- During the App Assignment flow, choose Application Configuration on the left

From here, you will be able to view and configure all of the settings available in KSP.

Notes:

- Typically, the Knox License Key field should be left blank, since Workspace ONE UEM offers a built-in way of activating Knox License Keys.
- Knox Service Plugin is a hidden app by default, meaning users will not see it on their device. To make the app icon appear, and to view and troubleshoot KSP logs on the device, enable Debug Mode.
- Most of the top-level configurations available correspond with settings within the Device-Wide Policies or the Work Profile Policies. They typically need to be enabled in both sections.

Once KSP is configured and assigned to devices, it will be installed and apply settings automatically from Google Play.
For further information and troubleshooting tips, please refer to the OEMconfig documentation.

For more information about Knox Service Plugin, visit the following links:

- KSP admin guide: https://docs.samsungknox.com/admin/knox-service-plugin/welcome.htm
- KSP on Google Play: https://play.google.com/store/apps/details?id=com.samsung.android.knox.kpu

Additional Features

There are several capabilities integrated directly into the Workspace ONE UEM product to provide a more seamless experience on Samsung devices:

- Dedicated profiles: When creating an Android profile, enable OEM Settings, and select Samsung. An additional set of Samsung-specific profiles will be revealed. Please note that KSP should be used whenever possible to configure Samsung settings. A future release of Workspace ONE UEM may remove these profiles in favor of KSP.
- License Activation: Workspace ONE UEM will handle the activation of Knox license keys, including both KSP Standard and KSP Premium keys. See Section 2 for more information.
- Password enforcement: When a passcode profile is applied on a Samsung device during enrollment, the user will be forced to create the passcode. They will not be able to exit the passcode creation screen until a compliant passcode is configured. Note for Work Profile and COPE enrollments, a KSP Premium key is required for this feature.
- Workspace ONE Assist: The Assist solution uses Knox APIs for screen capture and control. A Knox license is required but is activated automatically by the Assist application.

Knox EFOTA

Knox EFOTA, or Enterprise Firmware Over the Air, is a solution to manage how and when devices receive firmware updates and security patches. Knox EFOTA connects to Workspace ONE UEM via REST API to retrieve device information and allows admins to configure updates within the Knox EFOTA console.
For more information on EFOTA, visit https://docs.samsungknox.com/admin/efota-one/before-you-start-vmware.htm

Closed Network Considerations

Samsung devices running on closed networks will need several on-premise applications to be set up depending on what tools you plan to use. Visit the Closed Network Guide for more information.
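
A pre-flight check for two values this guide asks admins to type by hand: the custom activation server string from the Knox License Keys section (KLM...#server,BCK...) and the KME Custom JSON Data value. This is an added example, not VMware or Samsung code; the function names, the key-body pattern (taken only from the example string above) and the bare-hostname rule are assumptions.

```python
import json
import re

# Assumptions (not from Samsung or VMware documentation): key bodies are
# dash-separated alphanumeric groups as in the page's example, and the
# activation server is a bare DNS hostname with no scheme, port or path.
KLM_RE = re.compile(r"KLM[A-Za-z0-9]*(?:-[A-Za-z0-9]+)+")
BCK_RE = re.compile(r"BCK[A-Za-z0-9]*(?:-[A-Za-z0-9]+)+")
HOST_RE = re.compile(r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}")
PLACEHOLDER = "1111"  # value the page suggests for clearing the key field


def parse_license_field(value):
    """Split 'KLM...#host,BCK...' into parts; raise ValueError if malformed."""
    value = value.strip()
    if value == PLACEHOLDER:
        return {"cleared": True}
    if re.search(r"\s", value):
        raise ValueError("whitespace inside the license field")
    klm_and_host, comma, bck = value.partition(",")
    klm, hash_mark, host = klm_and_host.partition("#")
    if not comma or not hash_mark:
        raise ValueError("expected KLM...#<activation server>,BCK...")
    if not KLM_RE.fullmatch(klm):
        raise ValueError("first part is not a KLM key")
    if not BCK_RE.fullmatch(bck):
        raise ValueError("last part is not a BCK key")
    if not HOST_RE.fullmatch(host):
        raise ValueError("activation server must be a bare hostname")
    return {"cleared": False, "klm": klm, "host": host.lower(), "bck": bck}


def parse_kme_custom_json(text):
    """Return the enrollment Group ID from the KME Custom JSON Data value."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"Custom JSON Data is not valid JSON: {exc.msg}") from None
    if not isinstance(data, dict):
        raise ValueError("Custom JSON Data must be a JSON object")
    group_id = data.get("groupid")  # lowercase key, as shown on the page
    if not isinstance(group_id, str) or not group_id.strip():
        raise ValueError('missing non-empty string "groupid"')
    return group_id


if __name__ == "__main__":
    sample = "KLM09-aaaaa-bbbbb-ccccc-ddddd#myactivationserver.com,BCK12-11111-22222-33333-44444"
    print(parse_license_field(sample)["host"])  # page's example value
    print(parse_kme_custom_json('{"groupid":"mygroup"}'))
```

The error messages never echo the key material, so the output is safe to paste into a ticket. The JSON check also catches curly quotes picked up when the value is copied from a word processor.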