Skip Navigation

Data flow: Activating a device to use
Knox Workspace

Diagram showing the steps and the BlackBerry UEM components used when activating a Samsung Knox Workspace device in a dark site environment.
  1. You perform the following actions:
    1. Add a user to
      BlackBerry UEM
      as a local user account or using the account information retrieved from your company directory.
    2. Make sure the "
      Work and personal - full control
      (
      Samsung Knox
      )" or "
      Work space only
      - (
      Samsung Knox
      )" activation type is assigned to the user.
    3. Instruct the user to download and install the
      BlackBerry UEM Client
      .
    4. Use one of the following options to provide the user with activation details:
      • Automatically generate a device activation password and send an email with activation instructions for the user
      • Set a device activation password and communicate the username and password to the user directly or by email
      • Communicate the
        BlackBerry UEM Self-Service
        address to the user so that they can set their own activation password
  2. The user performs the following actions:
    • Connects to your work
      Wi-Fi
      network
    • Downloads and installs the
      UEM Client
      on the device
    • Opens the
      UEM Client
      and enters the email address and activation password
  3. The
    UEM Client
    establishes a connection with
    BlackBerry UEM
    and sends an activation request to
    BlackBerry UEM
    . The activation request includes the username, password, device operating system, and unique device identifier.
  4. BlackBerry UEM
    performs following actions:
    1. Inspects the credentials for validity
    2. Creates a device instance
    3. Associates the device instance with the specified user account in the
      BlackBerry UEM
      database
    4. Adds the enrollment session ID to an HTTP session
    5. Sends a successful authentication message to the device
  5. The
    UEM Client
    creates a CSR using the information received from
    BlackBerry UEM
    and sends a client certificate request to
    BlackBerry UEM
    over HTTPS.
  6. BlackBerry UEM
    performs the following actions:
    1. Validates the client certificate request against the enrollment session ID in the HTTP session
    2. Signs the client certificate request with the root certificate
    3. Sends the signed client certificate and root certificate back to the
      UEM Client
    A mutually authenticated TLS session is established between the
    UEM Client
    and
    BlackBerry UEM
    .
  7. The
    UEM Client
    requests all configuration information and sends the device and software information to
    BlackBerry UEM
    .
  8. BlackBerry UEM
    stores the device information in the database and sends the requested configuration information to the device.
  9. The
    UEM Client
    determines if the device uses
    Knox Workspace
    and is running a supported version. If the device uses
    Knox Workspace
    , the device connects to the local
    Samsung
    on-premises licensing server and activates the
    Knox
    management license. After it's activated, the
    UEM Client
    applies the
    Knox
    MDM and
    Knox Workspace
    IT policy rules.
  10. The device sends an acknowledgment to
    BlackBerry UEM
    that it received and applied the configuration information. The activation process is complete.
After the activation is complete, the user is prompted to create a work space password for the
Knox Workspace
. Data in the
Knox Workspace
is protected using encryption and a method of authentication such as a password, PIN, pattern, or fingerprint.
If the device is activated with the "
Work space only
- (
Samsung Knox
)" activation type, the personal space is removed when the
Knox Workspace
is set up.