Samsung ELM Service + Agent Merge

This document will contain all of the details around the merging of ELM Service and Agent into a single application, including the below:

  • Enrollment flows with 8.2
  • Upgrade flows from 8.1 to 8.2, and ELM activation prompts 
  • Instructions for pushing Samsung profile settings to DO
  • Knox Container Only Mode unenrollment and access to Agent
  • Knox Play for Work updates
  • Minor details and flow differences

Summary

Starting with Agent 8.2, the ELM Service will be bundled into the Agent for new enrollments.  This means that in order to gain access to Samsung advanced capabilities, the user will not need to install an additional app.  However, for existing enrollments, the ELM Service will still be updated to gain access to new features.  More information is below.

New Enrollment flows

Below are typical enrollment flows for various enrollment methods on Samsung devices:

Android Legacy BYOD enrollment (Device Administrator)

  1. User downloads Agent from Play Store
  2. User opens Agent and begins enrollment
  3. User Accepts Agent prompts. 
  4. User Accepts Samsung license activation
  5. User completes enrollment

Knox Mobile Enrollment (Device Administrator or Device Owner)

  1. Device is registered in KME portal
  2. Admin creates MDM Profile
  3. Admin ONLY adds Agent as the MDM app.  ELM Service is NOT added.
  4. Device powers on from factory state, and is automatically taken into KME after connecting to Wifi  

Android enterprise enrollment - Work Managed Device

  1. User powers on device from factory state
  2. User performs one of the following enrollment methods: NFC Bump, QR Code, afw#
  3. Agent is downloaded and user is guided through enrollment 
  4. User Accepts Samsung license activation
  5. User completes enrollment

Android enterprise enrollment - Work Profile

No change for this enrollment method from previous versions.

Migration Flows

Below are flows for migration when an enrolled Samsung device updates to 8.2 from a previous version:

User is enrolled via Android Legacy with Agent and ELM Service

  1. User updates to Agent 8.2
  2. User updates ELM Service

User is enrolled via Android enterprise Work Managed device (ELM Service is not installed)

  1. User updates to Agent 8.2
  2. Agent presents a notification to user requesting to activate Samsung ELM License
  3. User accepts and activates license
  4. Admin is now able to push Samsung policies to the device

User is enrolled via Android legacy, but ELM Service is not installed

  1. User updates to Agent 8.2
  2. Agent presents a notification to user requesting to activate Samsung ELM License
  3. User accepts and activates license
  4. Admin is now able to push Samsung policies to the device

User is enrolled via Android enterprise Work Profile

  1. User updates to Agent 8.2
  2. User is NOT prompted for license activation
  3. Samsung policies cannot be deployed

User is enrolled via Android legacy with Agent and ELM Service, but wishes to migrate to single-app solution

  1. User must unenroll device
  2. User uninstalls ELM Service
  3. User re-enrolls device with 8.2 Agent

Samsung Knox Container Only Mode

The following only affects new enrollments into Knox Container Only Mode with Agent 8.2. 

With 8.2, when enrolled into Knox Container Only Mode, the Agent is now accessible from inside the container.  In Knox settings, there is an option available to access the MDM Agent, which will launch the AirWatch Agent.  This gives the user the ability to view current status, send/sync data, send debug logs, and perform other troubleshooting tasks.  The "Block User Unenrollment" setting in the Console > Android Agent Settings, will either show or hide the Unenroll option in the Agent menu.  This option is useful in cases where the Enterprise Wipe command either does not reach the device, or encounters an error, in which the device may get trapped in COM.

Samsung Knox Play for Work

With 8.2, the unified Agent has provided the ability to automatically install Public Apps into the Knox Container, in a Dual Persona scenario.  Users must enroll their device from scratch with 8.2 with the proper console configuration to achieve this functionality.  Information on configuring Knox Play for Work is available on myAirWatch.

Configuring Samsung Knox Standard Settings in Android Enterprise

With Agent 8.2, all Knox Standard (free) settings are supported within Android enterprise.  Knox Premium features are not yet supported.  Please follow the steps below to configure these settings on Samsung devices:

  1. Configure an Android legacy (device) profile
  2. Configure the profile payloads as needed
  3. Do not publish this profile - simply Save it without adding an assignment
  4. Select the Profile from the list view, and choose View XML
  5. Copy this XML (start and end with the <characteristic> tag, exclude <wap-provisioningdoc>)
  6. Create an Android enterprise profile
  7. Add a Custom Settings payload
  8. Paste the copied XML into the text field
  9. Change the Characteristic value for each payload type.  A mapping of characteristic types is found in the table below

Payload Name

Legacy Characteristic Type

Android Enterprise Samsung Characteristic Type

Restrictions

com.airwatch.android.restrictions

com.airwatch.android.androidwork.samsung.restrictions

Passcode

com.android.passwordpolicy

com.airwatch.android.androidwork.samsung.password

Firewall

com.airwatch.android.firewall

com.airwatch.android.androidwork.samsung.firewall

Date/Time

com.airwatch.android.datetime

com.airwatch.android.androidwork.samsung.datetime

APN (Advanced)

com.airwatch.android.apn

com.airwatch.android.androidwork.samsung.apn


Examples of converting legacy payloads to Android enterprise Samsung payloads:

Example

Old XML

New XML

Date/Time

<characteristic type="com.airwatch.android.datetime" uuid="1e00af29-d170-4b70-adc2-57abee38cc91">
<parm name="DateFormat" value="MM/DD/YYYY" />
<parm name="AutomaticTime" value="False" />
<parm name="DateTime" value="HTTP" />
<parm name="TimeFormat" value="12" />
<parm name="TimeZone" value="America/Los_Angeles" />
<parm name="URL" value="http://google.com" />
<parm name="EnablePeriodicSync" value="False" />
<parm name="SetTimeZone" value="True" />
<parm name="ServerTime" value="1521226666113" />
</characteristic>

<characteristic type="com.airwatch.android.androidwork.samsung.datetime" uuid="1e00af29-d170-4b70-adc2-57abee38cc91">
<parm name="DateFormat" value="MM/DD/YYYY" />
<parm name="AutomaticTime" value="False" />
<parm name="DateTime" value="HTTP" />
<parm name="TimeFormat" value="12" />
<parm name="TimeZone" value="America/Los_Angeles" />
<parm name="URL" value="http://google.com" />
<parm name="EnablePeriodicSync" value="False" />
<parm name="SetTimeZone" value="True" />
<parm name="ServerTime" value="1521226666113" />
</characteristic>

Restrictions

<characteristic type="com.airwatch.android.restrictions" uuid="438a1acd-99a6-492a-aba0-41123c485886">
<parm name="allowMicrophone" value="True" />
<parm name="allowAirplaneMode" value="True" />
<parm name="AllowSBeam" value="True" />
<parm name="AllowSVoice" value="True" />
</characteristic>

<characteristic type="com.airwatch.android.androidwork.samsung.restrictions" uuid="438a1acd-99a6-492a-aba0-41123c485886">
<parm name="allowMicrophone" value="True" />
<parm name="allowAirplaneMode" value="True" />
<parm name="AllowSBeam" value="True" />
<parm name="AllowSVoice" value="True" />
</characteristic>

 

Have more questions? Submit a request

0 Comments

Article is closed for comments.