Data flow: Activating a device to use Knox Workspace
- You perform the following actions:
  - Add a user to BlackBerry UEM as a local user account or using the account information retrieved from your company directory.
  - Make sure the "Work and personal - full control (Samsung Knox)" or "Work space only - (Samsung Knox)" activation type is assigned to the user.
  - Instruct the user to download and install the BlackBerry UEM Client.
  - Use one of the following options to provide the user with activation details:
    - Automatically generate a device activation password and send an email with activation instructions for the user
    - Set a device activation password and communicate the username and password to the user directly or by email
    - Communicate the BlackBerry UEM Self-Service address to the user so that they can set their own activation password
- The user performs the following actions:
  - Connects to your work Wi-Fi network
  - Downloads and installs the UEM Client on the device
  - Opens the UEM Client and enters the email address and activation password
- The UEM Client establishes a connection with BlackBerry UEM and sends an activation request to BlackBerry UEM. The activation request includes the username, password, device operating system, and unique device identifier.
- BlackBerry UEM performs the following actions:
  - Inspects the credentials for validity
  - Creates a device instance
  - Associates the device instance with the specified user account in the BlackBerry UEM database
  - Adds the enrollment session ID to an HTTP session
  - Sends a successful authentication message to the device
- The UEM Client creates a CSR using the information received from BlackBerry UEM and sends a client certificate request to BlackBerry UEM over HTTPS.
- BlackBerry UEM performs the following actions:
  - Validates the client certificate request against the enrollment session ID in the HTTP session
  - Signs the client certificate request with the root certificate
  - Sends the signed client certificate and root certificate back to the UEM Client

  A mutually authenticated TLS session is established between the UEM Client and BlackBerry UEM.
- The UEM Client requests all configuration information and sends the device and software information to BlackBerry UEM.
- BlackBerry UEM stores the device information in the database and sends the requested configuration information to the device.
- The UEM Client determines if the device uses Knox Workspace and is running a supported version. If the device uses Knox Workspace, the device connects to the local Samsung on-premises licensing server and activates the Knox management license. After it's activated, the UEM Client applies the Knox MDM and Knox Workspace IT policy rules.
- The device sends an acknowledgment to BlackBerry UEM that it received and applied the configuration information. The activation process is complete.
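
The security-relevant gate in this flow is that a client certificate request is signed only when it arrives in the enrollment session opened by a successful activation request. The following is an added example, not BlackBerry code: a toy model of that server-side check. The class and method names, the session lifetime, and the single-use rule are assumptions made for illustration, and the certificate signing itself is left out.

```python
import hmac, secrets, time

SESSION_TTL = 300  # seconds; assumed value, not taken from the UEM documentation

class EnrollmentServer:
    """Toy model of the activation-request and certificate-request checks."""

    def __init__(self, activation_passwords):
        self._passwords = dict(activation_passwords)  # username -> activation password
        self._devices = {}    # device_id -> (username, device_os): the "device instance"
        self._sessions = {}   # session_id -> (username, device_id, expiry)

    def activate(self, username, password, device_os, device_id, now=None):
        """Activation request: check credentials, create device instance, open session."""
        now = time.time() if now is None else now
        expected = self._passwords.get(username, "")
        # Constant-time comparison; unknown users fail the same way as bad passwords.
        if not expected or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        self._devices[device_id] = (username, device_os)
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = (username, device_id, now + SESSION_TTL)
        return session_id

    def authorize_csr(self, session_id, csr_device_id, now=None):
        """Certificate request: approve signing only inside an authenticated session."""
        now = time.time() if now is None else now
        # pop() makes the session single use, even when a later check fails (assumption).
        session = self._sessions.pop(session_id, None)
        if session is None:
            return (False, "unknown or already used enrollment session")
        username, device_id, expiry = session
        if now > expiry:
            return (False, "enrollment session expired")
        if not hmac.compare_digest(device_id.encode(), csr_device_id.encode()):
            return (False, "CSR device does not match the activated device")
        return (True, f"sign certificate for {username}/{device_id}")

if __name__ == "__main__":
    # Constructed sample data.
    server = EnrollmentServer({"alice@example.com": "Xk4-constructed"})
    sid = server.activate("alice@example.com", "Xk4-constructed", "Android 13", "dev-001")
    print(server.authorize_csr(sid, "dev-001"))
    print(server.authorize_csr(sid, "dev-001"))  # replay of the same session is refused
```
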
After the activation is complete, the user is prompted to create a work space password for the Knox Workspace. Data in the Knox Workspace is protected using encryption and a method of authentication such as a password, PIN, pattern, or fingerprint. If the device is activated with the "Work space only - (Samsung Knox)" activation type, the personal space is removed when the Knox Workspace is set up.