Samsung

Samsung offers several solutions that are compatible with Citrix Endpoint Management.

  • Endpoint Management supports and extends both Samsung for Enterprise (SAFE) and Knox policies on compatible Samsung devices.
  • Knox includes the SE for Android Management Service (SEAMS). SEAMS provides API-level control of the Samsung security policy engine.
  • The Knox Service plug-in (KSP) is an app that supports a subset of Knox Platform for Enterprise features.

To control how and when Android devices connect to the Endpoint Management service, use Firebase Cloud Messaging (FCM). For information, see Firebase Cloud Messaging.

Endpoint Management enrolls Android devices into MDM+MAM or MDM mode, with the option for users to register in MAM-only mode. Endpoint Management supports the following authentication types for Android devices in MDM+MAM mode. For information, see the articles under Certificates and authentication.

  • Domain
  • Domain plus security token
  • Client certificate
  • Client certificate plus domain
  • Identity providers:
    • Azure Active Directory
    • Citrix Identity provider

Another rarely used authentication method is client certificate plus security token. For information, see https://support.citrix.com/article/CTX215200.

A general workflow for starting Android device management is as follows:

  1. Complete the onboarding process. See Onboarding and resource setup and Prepare to enroll devices and deliver resources.

  2. Choose and configure an enrollment method. See Supported enrollment methods.

  3. Deploy Samsung license keys.

  4. Enable Knox attestation.

  5. Configure Samsung device policies.

  6. Set up device and app security actions. See Security actions.

For supported operating systems, see Supported device operating systems.

Supported enrollment methods

The following table lists the enrollment methods that Endpoint Management supports for Android devices:

Method                  Supported
Bulk enrollment         Yes (Knox)
Manual enrollment       Yes
Enrollment invitations  Yes

You can use Knox Mobile Enrollment to enroll multiple Knox devices into Endpoint Management (or any mobile device manager) without manually configuring each device. For information, see Knox Bulk Enrollment.

For information about enrolling devices, see Enroll Android devices.

Deploy Samsung license keys

Samsung has Enterprise License Management (ELM) keys and Knox License Management (KLM) keys. You purchase Samsung licenses from Samsung.

  • Knox: The Knox platform requires that you purchase a Knox Workspace license. To enable the Knox APIs and deploy Knox policies and restrictions to devices, first configure the Endpoint Management device policy, Samsung MDM license key. To activate Knox, you must push at least one Restriction device policy specifically for Knox along with the ELM and KLMS key.

    For HTC-specific policies, Endpoint Management supports HTC API version 0.5.0. For Sony-specific policies, Endpoint Management supports Sony Enterprise SDK 2.0.

  • SAFE: Deploy the built-in Samsung ELM key to a device before deploying SAFE policies and restrictions. To deploy that key, configure the Endpoint Management device policy, Samsung MDM license key.

Samsung enterprise Firmware-Over-The-Air (E-FOTA) service

Endpoint Management also supports the Samsung Enterprise Firmware-Over-The-Air (E-FOTA) service. Samsung E-FOTA lets you determine when devices get updated, determine the firmware version to use, and test updates before deploying them. For information, see Configure Samsung E-FOTA settings.

Enable Knox attestation

You can configure Endpoint Management to query the Knox attestation server REST APIs.

Knox applies hardware security capabilities that provide multiple levels of protection for the operating system and applications. One level of this security resides at the platform through attestation. An attestation server provides verification of the mobile device core system software (for example, the boot loaders and kernel). The verification occurs at runtime based on data collected during a trusted boot.
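The paragraph above describes what the attestation server checks (core system software measured during trusted boot, verified at runtime) but not the mechanics. The following is an added illustration, not Citrix or Samsung code and not the Knox attestation REST API: a simplified model of the verifier side, showing why a fresh challenge (nonce), an authenticated report and a comparison against known-good measurements all have to hold before a device is trusted. The build names, measurement values, device id and per-device key are constructed, and an HMAC stands in for the hardware-backed device signature.

```python
"""Simplified model of the verifier side of device attestation.

Constructed example: this is NOT the Samsung Knox attestation protocol or
the Knox attestation server REST API. It models the checks a verifier
performs on a boot-measurement report: challenge freshness (nonce), report
authenticity (an HMAC standing in for a hardware-backed signature), and
comparison of reported measurements against known-good values.
"""
import hashlib
import hmac
import json
import secrets
import time

# Constructed known-good measurements (hex SHA-256 digests) per firmware build.
KNOWN_GOOD = {
    "build-2024.03": {
        "bootloader": hashlib.sha256(b"bootloader-2024.03").hexdigest(),
        "kernel": hashlib.sha256(b"kernel-2024.03").hexdigest(),
    }
}

# Constructed per-device secret standing in for the device attestation key.
DEVICE_KEYS = {"device-001": b"constructed-device-001-attestation-key"}

MAX_REPORT_AGE_SECONDS = 300


class AttestationVerifier:
    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # nonce -> time the challenge was issued

    def issue_challenge(self):
        """Hand the device a random nonce that must be echoed in its report."""
        nonce = secrets.token_hex(16)
        self._pending[nonce] = self._now()
        return nonce

    @staticmethod
    def _canonical(report):
        # Canonical JSON so signer and verifier hash identical bytes.
        return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()

    def verify(self, report, signature):
        """Return (ok, reason). The nonce is consumed whether or not it passes."""
        issued = self._pending.pop(report.get("nonce"), None)
        if issued is None:
            return False, "unknown or replayed nonce"
        if self._now() - issued > MAX_REPORT_AGE_SECONDS:
            return False, "challenge expired"
        key = DEVICE_KEYS.get(report.get("device_id"))
        if key is None:
            return False, "unknown device"
        expected = hmac.new(key, self._canonical(report), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        golden = KNOWN_GOOD.get(report.get("build"))
        if golden is None:
            return False, "unknown build"
        for component, digest in golden.items():
            if report.get("measurements", {}).get(component) != digest:
                return False, f"{component} measurement mismatch"
        return True, "verified"


def device_report(device_id, build, nonce, measurements):
    """Constructed device side: assemble a report and sign it with the device key."""
    report = {"device_id": device_id, "build": build, "nonce": nonce,
              "measurements": measurements}
    sig = hmac.new(DEVICE_KEYS[device_id], AttestationVerifier._canonical(report),
                   hashlib.sha256).hexdigest()
    return report, sig


def demo():
    """One healthy exchange, one with a modified kernel, and one replayed nonce."""
    v = AttestationVerifier()
    good = dict(KNOWN_GOOD["build-2024.03"])
    n1 = v.issue_challenge()
    ok_good, _ = v.verify(*device_report("device-001", "build-2024.03", n1, good))
    tampered = dict(good, kernel=hashlib.sha256(b"modified-kernel").hexdigest())
    n2 = v.issue_challenge()
    tampered_result = v.verify(*device_report("device-001", "build-2024.03", n2, tampered))
    # Reusing n1, already consumed above, must be rejected even with healthy measurements.
    replay_result = v.verify(*device_report("device-001", "build-2024.03", n1, good))
    return {"healthy": ok_good, "tampered": tampered_result, "replay": replay_result}


if __name__ == "__main__":
    print(demo())
```

The ordering of the checks matters in practice: freshness and authenticity are established before the measurements are even looked at, so a captured report from a healthy device cannot be replayed later to vouch for a compromised one.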

  1. In the Endpoint Management web console, click the gear icon in the upper-right corner. The Settings page appears.

  2. Click Samsung Knox.

    The Knox page

  3. Set Enable Samsung Knox attestation to Yes to enable Knox attestation. The default is No.

  4. In the Web service URL list, do one of the following:

    • Click the appropriate attestation server.

    • Click Add new and then enter the Web service URL.

  5. Click Test Connection to verify the connection. A success or failure message appears.

  6. Click Save.

Configure Samsung device policies

Device policies for Knox:

  • App Restrictions
  • App Uninstall
  • Browser
  • Copy Apps to Samsung Container
  • Exchange
  • Knox Platform for Enterprise key
  • Passcode
  • Restrictions
  • Samsung MDM License key
  • VPN

Device policies for Samsung SAFE:

  • App Uninstall Restrictions
  • Browser
  • Exchange
  • Firewall
  • Kiosk
  • Knox Platform for Enterprise
  • OS update
  • Restrictions
  • Samsung MDM License key
  • Storage Encryption
  • VPN

Device policies for Samsung SEAMS:

  • Copy Apps to Samsung Container

Security actions

Android supports the following security actions. For a description of each security action, see Security actions.

  • App Lock
  • App Wipe
  • Certificate Renewal
  • Full Wipe
  • Locate
  • Lock
  • Lock and Reset Password
  • Notify
  • Revoke
  • Selective Wipe

Note:

For devices running Android 6.0 and greater, the Locate security action requires the user to grant Location permission during enrollment. The user can opt not to grant Location permissions. If the user doesn’t grant the permission during enrollment, Endpoint Management again requests location permissions when sending the Locate command.

Add the Knox service plug-in app

If you plan on using Android Enterprise with Knox, add the Knox service plug-in to Endpoint Management. The KSP app uses AndroidOEMConfig to support features such as security policies, flexible VPN configuration, and biometric authentication controls. AndroidOEMConfig enables OEMs and endpoint mobility managers (EMM) to support custom OEM APIs that cover use cases not supported through Android Enterprise. For more information on KSP, see Samsung Documentation.

  1. Log in to your Google account and navigate to https://play.google.com/work/apps/details?id=com.samsung.android.knox.kpu. Approve the app.

  2. Log in to your Endpoint Management console and add the Knox service plug-in as a public app store app. For more information on adding public app store apps, see Add a public app store app.

    The KSP app

  3. In your Endpoint Management console, navigate to Configure > Device policies. Click Add.

  4. Click Android Enterprise Managed Configuration. In the dialog that comes up, select Knox Service Plugin from the menu. For more information on the Android Enterprise managed configuration policy, see Android Enterprise managed configurations policy.

  5. Type a name for the policy, then continue to the platform page.

    Android Enterprise managed configuration Knox service plug-in policy

  6. On the platform page, type a Profile name for your Knox profile and enter the KPE Premium License key from Samsung. The policies that appear below these fields come from your Knox deployment. For more information on Knox policies, see https://docs.samsungknox.com/knox-platform-for-enterprise/admin-guide/about-knox-workspace.htm.

    Policy pickers

  7. Click Next and configure deployment rules for the policy.

  8. Click Save.