Citrix Endpoint Management


Samsung offers several solutions that are compatible with Citrix Endpoint Management.

  • Endpoint Management supports and extends Samsung Knox policies on compatible Samsung devices.
  • The Knox Service plug-in (KSP) is an app that supports a subset of Knox Platform for Enterprise (KPE) features. For information from Samsung about KPE, see Configure Knox Platform for Enterprise and Overview.

To control how and when Android devices connect to the Endpoint Management service, use Firebase Cloud Messaging (FCM). For information, see Firebase Cloud Messaging.

Enrollment profiles determine whether Android devices enroll in MAM, MDM, or MDM+MAM, with the option for users to opt out of MDM. Endpoint Management supports the following authentication types for Android devices enrolled in MDM+MAM. For information, see the following articles:

Another rarely used authentication method is client certificate plus security token. For information, see

A general workflow for starting Android device management is as follows:

  1. Complete the onboarding process. See Onboarding and resource setup and Prepare to enroll devices and deliver resources.

  2. Choose and configure an enrollment method. See Supported enrollment methods.

  3. Deploy Samsung license keys.

  4. Enable Knox attestation.

  5. Configure Samsung device policies.

  6. Set up device and app security actions. See Security actions.

For supported operating systems, see Supported device operating systems.

Supported enrollment methods

The following table lists the enrollment methods that Endpoint Management supports for Android devices:

| Method | Supported |
| --- | --- |
| Bulk enrollment | Yes (Knox) |
| Manual enrollment | Yes |
| Enrollment invitations | Yes |

You can use Knox Mobile Enrollment to enroll multiple Knox devices into Endpoint Management (or any mobile device manager) without manually configuring each device. For information, see Samsung Knox bulk enrollment.

For information about enrolling devices, see Enroll Android devices.

Deploy Samsung license keys

Samsung has Enterprise License Management (ELM) keys and Knox License Management (KLM) keys. You purchase Samsung licenses from Samsung.

  • Knox: The Knox platform requires that you purchase a Knox Workspace license. To enable the Knox APIs and deploy Knox policies and restrictions to devices, first configure the Samsung MDM license key device policy in Endpoint Management. To activate Knox, you must push at least one Restriction device policy specifically for Knox along with the ELM and KLMS key.

  • SAFE: Deploy the built-in Samsung ELM key to a device before deploying SAFE policies and restrictions. To deploy that key, configure the Samsung MDM license key device policy in Endpoint Management.

Enable Knox attestation

You can configure Endpoint Management to query the Knox attestation server REST APIs.

Knox applies hardware security capabilities that provide multiple levels of protection for the operating system and applications. One level of this security resides at the platform through attestation. An attestation server provides verification of the mobile device core system software (for example, the boot loaders and kernel). The verification occurs at runtime based on data collected during a trusted boot.

  1. In the Endpoint Management web console, click the gear icon in the upper-right corner. The Settings page appears.

  2. Click Samsung Knox.

  3. Set Enable Samsung Knox attestation to Yes to enable Knox attestation. The default is No.

  4. In the Web service URL list, do one of the following:

    • Click the appropriate attestation server.

    • Click Add new and then enter the Web service URL.

  5. Click Test Connection to verify the connection. A success or failure message appears.

  6. Click Save.
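
The attestation check described above (verifying the boot loaders and kernel from data collected during a trusted boot) can be modeled in a few lines. This is an added, simplified illustration, not Samsung's or Citrix's code and not the Knox attestation REST API: the function names, sample boot images, and key are constructed, and an HMAC stands in for the hardware-backed device signature.

```python
import hashlib
import hmac
import os

def extend(register: bytes, component: bytes) -> bytes:
    # Fold one component's hash into the running register (order-sensitive).
    return hashlib.sha256(register + hashlib.sha256(component).digest()).digest()

def measure_boot(components) -> bytes:
    register = bytes(32)  # register starts zeroed at power-on
    for blob in components:
        register = extend(register, blob)
    return register

def device_quote(device_key: bytes, nonce: bytes, components):
    # Device side: report the boot measurement bound to the server's nonce.
    measurement = measure_boot(components)
    tag = hmac.new(device_key, nonce + measurement, hashlib.sha256).digest()
    return measurement, tag

def server_verify(device_key: bytes, nonce: bytes, quote, known_good) -> str:
    measurement, tag = quote
    expected = hmac.new(device_key, nonce + measurement, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "invalid-quote"      # forged, or replayed under an old nonce
    if measurement not in known_good:
        return "untrusted-boot"     # boot loader or kernel differs from reference
    return "trusted"

# Constructed sample data: stand-ins for real boot images and a provisioned key.
DEVICE_KEY = b"constructed-demo-key"
GOOD_CHAIN = [b"bootloader-1.0", b"kernel-5.4"]
KNOWN_GOOD = {measure_boot(GOOD_CHAIN)}

def run_demo() -> dict:
    results = {}
    nonce = os.urandom(16)
    results["clean"] = server_verify(
        DEVICE_KEY, nonce, device_quote(DEVICE_KEY, nonce, GOOD_CHAIN), KNOWN_GOOD)
    modified = [b"bootloader-1.0", b"kernel-5.4-modified"]
    results["modified_kernel"] = server_verify(
        DEVICE_KEY, nonce, device_quote(DEVICE_KEY, nonce, modified), KNOWN_GOOD)
    old_quote = device_quote(DEVICE_KEY, nonce, GOOD_CHAIN)
    results["replayed"] = server_verify(
        DEVICE_KEY, os.urandom(16), old_quote, KNOWN_GOOD)
    return results

if __name__ == "__main__":
    print(run_demo())
```

The fresh nonce per request is what makes a captured "trusted" response useless later; a management server acting on attestation results should treat any verdict other than trusted as grounds for a security action.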

Configure Samsung device policies

Device policies for Knox:

  • App Restrictions
  • App Uninstall
  • Browser
  • Copy Apps to Samsung Container
  • Exchange
  • Knox Platform for Enterprise key
  • Passcode
  • Restrictions
  • Samsung MDM License key

Device policies for Samsung SAFE:

  • App Uninstall Restrictions
  • Browser
  • Exchange
  • Firewall
  • Kiosk
  • Knox Platform for Enterprise
  • OS update
  • Restrictions
  • Samsung MDM License key
  • Storage Encryption
  • VPN

Security actions

Android supports the following security actions. For a description of each security action, see Security actions.

  • App Lock
  • App Wipe
  • Certificate Renewal
  • Full Wipe
  • Locate
  • Lock
  • Lock and Reset Password
  • Notify
  • Revoke
  • Selective Wipe


For devices running Android 6.0 and greater, the Locate security action requires the user to grant Location permission during enrollment. The user can opt not to grant Location permissions. If the user doesn’t grant the permission during enrollment, Endpoint Management again requests location permissions when sending the Locate command.

Add the Knox service plug-in app

If you plan on using Android Enterprise with Knox, add the Knox service plug-in to Endpoint Management. The KSP app uses AndroidOEMConfig to support features such as security policies, flexible VPN configuration, and biometric authentication controls. AndroidOEMConfig enables OEMs and endpoint mobility managers (EMM) to support custom OEM APIs that cover use cases not supported through Android Enterprise. For more information on KSP, see the Knox Service Plugin Admin Guide.

  1. Log in to your Google account and navigate to Approve the Knox Service Plugin app.
  2. Log in to your Endpoint Management console and add the Knox service plug-in as a public app store app. For more information on adding public app store apps, see Add a public app store app.
  3. In your Endpoint Management console, navigate to Configure > Device policies. Click Add.
  4. Click Android Enterprise Managed Configuration. In the dialog that comes up, select Knox Service Plugin from the menu. For more information on the Android Enterprise managed configuration policy, see Managed configurations policy.
  5. Type a name for the policy, then continue to the platform page.
  6. On the platform page, type a Profile name for your Knox profile and input the KPE Premium License key from Samsung. The policies that appear below these fields come from your Knox deployment. For more information on Knox policies, see the Knox Service Plugin Admin Guide referenced earlier in this section.
  7. Click Next and configure deployment rules for the policy.
  8. Click Save.