3 Replies Latest reply on Feb 7, 2019 6:54 AM by EllisShale

    Android Enterprise and Samsung Knox Container

    EllisShale Lurker
      We're currently running on the latest Airwatch (on premise) version 1811 and trying to test out a COPE device with a combination of Knox Containers and Android Enterprise. However, no matter what we do, the phone always builds as a standard Android Work Profile device. The Airwatch summary shows as No Container, our licence key is valid and we have turned off the 'container' option so that Android Enterprise profiles will work with Knox. We have a passcode policy coming down but it seems to be ignoring the Knox-specific options like allowing iris and fingerprint etc. The container just defaults to the one passcode sign-in.

      Has anyone got any idea where we're going wrong/what we might be missing? It's getting quite frustrating.
        • 1. Re: Android Enterprise and Samsung Knox Container
          HerrRalfBoehr Novice
          Hi Ellis, which type of profiles are deployed, Android or Android Legacy? You have to use Android Legacy to configure Knox. The COPE mode only works with work managed mode in combination with work profile mode and Android Enterprise. We have the same requirements, it works with Android Legacy Profiles and a valid Knox license without any problems.
          Best regards, Ralf
          • 2. Re: Android Enterprise and Samsung Knox Container
            EllisShale Lurker

            Thanks for the reply, Ralf. We're deploying Android profiles (trying to avoid Android legacy for a move to Android Pie). I thought the 1811 update sorted that issue; in the release notes it mentions that you can use Knox containers just by having a licence active (without the enable containers option checked) and that would make it possible to use a Knox container with Android Enterprise and avoids using Android Legacy profiles.


            'You can now enable Knox for Android devices without using Android Legacy settings.
            Under Intelligent Hub Settings the Knox license key field is no longer dependent on the Enable Containers setting. This means you can enter a Knox license key, without turning on Enable Containers (which only applies to Android Legacy). If Enable Containers is checked and Android EMM Registration is configured, this turns on Knox Play for Work (Android legacy enrollment mode).'


            I might understand that incorrectly, I'm a bit lost and confused with the whole thing at the moment.

            Whenever we build a device using this it builds and then asks us to accept the Samsung EULA in the notifications. You tap on that and it just seems to re-load up HUB and the notification stays there. Confusing as hell!

            • 3. Re: Android Enterprise and Samsung Knox Container
              HerrRalfBoehr Novice
              Hi Ellis,
              Android legacy profiles are working fine with Android Pie on S9 devices with KPE (Knox platform for enterprise premium, formerly known as Knox Workspace). We had exactly the same problem. To use the licensed Knox premium features I had to enable the container in the Knox payload of the Hub settings. But this is working only with Android legacy profiles and Workspace One 18.11.0.6. Using Android profiles and disabling the container you'll get Android Enterprise working with COPE mode, depending on enrollment settings. On Samsung devices the work managed section (container) is configured as Knox platform for enterprise Standard. But this is only a subset of the premium features.
              https://docs.samsungknox.com/knox-platform-for-enterprise/admin-guide/knox-platform-for-enterprise-overview.htm
              https://docs.samsungknox.com/whitepapers/knox-platform/samsung-knox.htm
              It's really very confusing as hell.
              • 4. Re: Android Enterprise and Samsung Knox Container
                EllisShale Lurker
                Wow, that's a LOT of brand names. Thanks Ralf, super appreciate the breakdown and good to know that the Legacy stuff is still working on Pie (my org wouldn't let me get a device running Pie for testing).
                You've saved us a massive headache with understanding all the jargon etc. Really appreciate the explanation.

                Thanks again, Ellis