Setting up Samsung KNOX

Samsung KNOX is an enterprise mobile security solution for Samsung Android devices. It enables secure separation of personal and work content on a device. These features are largely the same as for all Android devices with Introduction to Android EMM (Android at Work), so the usefulness of Samsung KNOX has become limited. It is useful for legacy devices and has some additional features, which you can enable by configuring it for the devices.

The free KNOX Standard includes basic features and a commercial KNOX Premium more advanced features. Both versions require installing an ELM (Enterprise License Management) key to activate. The following settings are done system-wide by the system supervisor, but can in some cases be necessary for master or organisation manager:

• Set up a WSDM Client version that supports KNOX
  
• Set up an ELM (Enterprise License Management) key

To enable KNOX Premium in an organisation, you need to make the following setup tasks:

• Set up KLM (Knox License Manager) keys
  
• Create a device template for KNOX devices
  

The tasks are covered in the subsections below:

Setting Up WSDM Client and ELM Key (Supervisor tasks)

WSDM Client

A special version of the WSDM Client (technical term for the EMM client) is required for older Samsung devices. It can be set in the Configuration→Platforms view, in the Android (Samsung 4.1.x or older) tab.

The client is configured system-wide by the service supervisor. For organisation-level configuration, the system-wide default should be OK.

If you need to change the setting, you first need to configure the WSDM Client as an application in the service. This is normally a supervisor task.

1. Go to the Devices→Applications view.
   

   

   The actual client application depends on the vendor. 
2. Uncheck Hide system wide applications to be able to see the WSDM clients installed system-wide.
3. If the required WSDM client is not configured, click New to add it, as described in Applications.
4.  Go back to the Configuration→Platforms view
5. Uncheck Use system wide settings
6. Select the installed WSDM Client from the list
7. Click Save changes

ELM Key

Both versions require installing an ELM (Enterprise License Management) key to activate.  The WSDM client installed in a Samsung device will request the key from the EMM service and uses it to gain access to additional KNOX management APIs on the device.

The ELM key is specific to the WSDM client used and is usually set up system-wide by the service supervisor together with the WSDM Client. You only need to set it for an organisation if a custom version of the WSDM client is used.

You can set it for an organisation as follows:

1. Open the Configuration→Platforms view and select the Android tab
   

   

2. Uncheck Use system wide settings
3. Enter the Samsung ELM key
4. Click Save changes

KNOX Premium uses additional license keys (KLM keys) that have usage limits and can expire. The keys can be configured server-side in the Organisation→Organisation view in the KNOX tab, as described later.

Setting Up KNOX Premium for an Organisation

To enable KNOX Premium in an organisation, you need to:

• Set up KLM license keys
• Set up configuration types

These tasks are done in the Organisation→Organisation view, in the KNOX tab. They can be done by a master or organisation manager.

Setting Up KLM License Keys

To use KNOX Premium, KLM (Knox License Management) license keys need to be installed for the organisation. After that you can use them in device templates, as described later.

Install KNOX Premium license keys as follows:

1. Acquire a KNOX Premium KLM key with available activations. You can get them from Samsung at https://seap.samsung.com/enrollment
2. Log in as a manager or master to the organisation
3. Open the Organisation->Organisation view and select the KNOX tab
4. Press Add in the Licenses section and enter the details of your license.
   
   

   Name

   A descriptive name for the license key.

   License key

   As you acquired it from Samsung.

   Expiration

   The date when the license expires. The expiration date is used to dismiss licenses that have been expired already when selecting licenses.

   Quantity

   Number of licenses, which may be used in the future to warn when license activations have reached the limit.

5. Click Apply to save the license or Cancel to exit without saving

The licenses are now available for device configuration or templates, as described later.

Creating Configuration Types

Optionally, create a new configuration type in the same view. The Configuration type controls some of the features of a KNOX container when it is being created in the device.

1. Open the Organisation->Organisation view and select the KNOX tab
2. In the Configuration types section, click Add. The configuration type editor should open.
   
3. Fill in the fields. Hold your mouse cursor over the fields in the editor for additional information.
4. Click Apply to save the settings or Cancel to exit without saving

Device Template Settings

When using KNOX Premium, KNOX devices require their own device template that includes the KLM license keys for the organisation. The license keys must first be installed, as described previously.

The settings are normally first done in device templates when setting up the configuration for the organisation. Later, when you acquire new licenses or otherwise need to update the settings, they also need to be done for existing devices.

Setting the KNOX License Policy

Typically, you first purchase a license, which eventually expires or you have more devices. If you need more or need to extend the expiration period, you purchase new ones, thereby creating multiple and overlapping license pools for devices to use. For a particular device, only one KNOX license will be activated at a time. The license policy determines which license is preferred.

1. Depending on whether you are setting license policies for existing devices or device templates, either:
   1. Navigate to Devices→Templates and create a new template for KNOX Premium devices or edit an existing one, as described in Device Templates
   2. For existing devices, go to Devices→Inventory, select the devices, and click Edit
2. Open the KNOX license policy section
   
3. Select Policy enabled
4. Either select the preferred license or enable Use any license.
5. Click Save & close to exit at this point or proceed to set up the containers as described later

Creating Containers

1. Make sure that an EMM client app that supports KNOX container features is installed to the device.
2. Navigate to Devices->Templates
3. Create a new template for KNOX Premium devices or edit an existing one, as described in Device Templates
4. Open the KNOX containers section
   
5. Add a new container by clicking Add
6. Select the container and click Edit
7. Make wanted changes to the container editor's different sections.
   
8. You should at least change the container Name and select your Configuration type if you created one previously.
9. Most of the subsections in this editor are similar to the ones in the main device editor.
10. Once done, click Apply to save the container settings or Cancel to exit without saving
11. Click Save & close in the template editor to save the settings and exit

Note that if you want to delete a KNOX container from the device, you must remove it in this view.

Activating Device Settings

If the device profile is new, set it up normally with an installation code. During the activation procedure the user will be asked to accept Samsung's license policy twice (first for ELM, then for KLM).

If the devices are already set up:

1. Navigate to Devices→Inventory
2. Select the devices to which apply the settings, typically all Android devices
3. Click Execute on selected devices
4. Click Activate all device settings

This adds the task to the device's task queue, so that the client app will find and apply the changed policies. The user will be asked to accept the Samsung's license policies.