Samsung Enterprise License Management (ELM) Integration

Samsung Enterprise License Management (ELM) Integration

With the introduction of the new Enterprise License Management (ELM) APIs, the Samsung Service application will no longer be platform-signed. Samsung Enterprise License Management (ELM) is a server-based access control mechanism for MDM administrators to access the Samsung KNOX Standard (SAFE) APIs. These APIs support devices running SAFE 4.0+ only.

The current service on the Play Store, Service 2.2, will continue to remain on the Store for devices running SAFE 3.0 and below. New enrollments for Samsung devices can begin using a new non-platform key signed Samsung ELM Service 3.0 application, or continue to use the Play Store Service (Service 2.2). This new application will support new APIs for SAFE 5.0 and SAFE 5.1, as well as KNOX 2.0 and KNOX 2.1.

Samsung Enterprise License Management (ELM) Integration

The new features available on the Samsung ELM Service 3.0 require Agent 5.3 in order to work on devices.

The following features are available on Samsung ELM Service 3.0.0 and Agent 5.3:

KNOX Premium

  • Application Management
      • Adding Google Mobile Services (GMS) Apps inside the KNOX container
      • Application Control: Implemented Required Applications inside the KNOX container
  • SSL VPN Support inside the KNOX container
      • Pulse Secure
  • Smart Card Browser Authentication with CAC Card
  • New Authentication For Passcode Requirement
      • Fingerprint authentication
      • Multi-factor authentication
  • Minimum passcode requirement updated
  • Web-page Bookmarks Inside KNOX Container
  • Date and Time Configuration Inside KNOX Container
  • Certificate Management via the TIMA KeyStore
  • Firewall Support Inside KNOX Container
      • Rules for Allow, Deny and Reroute
  • Additional Restrictions Inside the Container
      • Whitelist/blacklist email account
      • CCMode [STIG Requirement]
      • Enable application moves
      • Enable file moves
      • Notification sanitize (notification restrictions)
      • Allow Google Accounts restriction
      • Certificate OSCP check [STIG Requirement]
      • ODE boot verification [STIG Requirement]
      • Allow Reset Container on Reboot
      • Enforce Container Keyguard
      • Allow Change Data Sync Policy
  • Audit Logging For Troubleshooting Errors
  • Container Management from the console
      • Clear KNOX container passcode
      • Change KNOX container passcode
      • KNOX container creation status
  • Support of Container Only Mode (COM)


KNOX Standard

  • Support of Enterprise License Management (ELM)
  • Permanent Lockscreen Overlay for displaying company information
  • Additional Device Restrictions
      • Allow Activation Lock
      • Allow Airplane Mode
      • Allow Fast Encryption
      • Allow Developer Mode
      • Allow Firmware Recovery
      • Allow Google Accounts Auto Sync
      • Allow SD Card Move
      • Allow Headphones
      • Allow Lock Screen Settings
      • Allow NFC State Change
  • Telephony Restrictions on Device
      • Ability to whitelist allowed phone numbers for calls
      • Ability to whitelist and blacklist phone numbers for SMS
  • Set Preferred APN on Device
  • Fingerprint Authentication on Device
  • HTTPS Global Proxy Support
  • Bluetooth Restrictions
      • Bluetooth device blacklist
      • Bluetooth device whitelist
      • Bluetooth Secure Mode + Whitelist

How to Obtain the Samsung ELM Service

The Samsung ELM Service has been seeded into the console on Console 8.2 and Console 8.1 FP04 and above. The ELM Service will also be available on the Resource Portal.  The new features supported with the ELM Service 3.0 are all available from Console 8.1 FP04 onwards, so using the service will require custom XML for utilizing the new features.

Devices previously enrolled with the Service 2.2 can transition to the new service if it is pushed as an internal application. The agent will have to be upgraded to Agent 5.3 BEFORE transitioning the service. If the new service is pushed before the agent has been upgraded, the device will have to reboot the device after the agent has been upgraded. Once the service application has been transitioned, the Service 2.2 will be removed as device administrator and uninstalled from the device.

Note: The message upon transitioning will state that the uninstallation was not successful, even though the application has been removed. This is a known issue, and is currently being worked upon for a resolution.

Samsung ELM and Launcher

Launcher 2.0.1, currently seeded as a service application in the console, will NOT work with the ELM Service. If you are currently using this version of the Launcher, you will have to wait for the new version of the Launcher to be available before upgrading to the ELM Service 3.0.

The upgrade to Agent 5.3 will not allow for the transition of ELM service if the Launcher is installed. If you require the ELM Service to work with Launcher, you will need to wait for the release of Launcher 2.1 and re-enroll with Agent 5.3+.

Implications for end users:

  • End users using Service 2.2 will be able to utilize all features that are SAFE 4.0/KNOX 1.0.
  • End users using ELM Service 3.0 will be able to utilize all features that are SAFE 5.1/KNOX 2.1.
  • Devices with SAFE 3.0 and below need to continue using the Service 2.2.
  • Downloading the ELM Service 3.0 and installing it on a previously enrolled device (using Service 2.2) will remove the existing KNOX container.
  • Users can continue to use Service 2.2 and remain enrolled. They should transition to the ELM Service only if their devices are running SAFE4.0+ and require the new features listed above.

Support Contact Information

If you have additional questions or concerns, please contact Account Services & Support or submit a support ticket through My Workspace ONE. 

Have more questions? Submit a request


Article is closed for comments.