Data flow: Activating a device to use Knox Workspace
- You perform the following actions:
  - Add a user to BlackBerry UEM as a local user account or using the account information retrieved from your company directory
  - Make sure the "Work and personal - full control (Samsung Knox)", "Work and personal - user privacy (Samsung Knox)", or "Work space only - (Samsung Knox)" activation type is assigned to the user
  - Use one of the following options to provide the user with activation details:
    - Automatically generate a device activation password and, optionally, a QR Code and send an email with activation instructions for the user
    - Set a device activation password and communicate the username and password to the user directly or by email
    - Don't set a device activation password and communicate the BlackBerry UEM Self-Service address to the user so that they can set their own activation password and view a QR Code.
- The user downloads and installs the BlackBerry UEM Client on the device. After it is installed, the user opens the BlackBerry UEM Client and enters the email address and activation password or scans the QR Code.
- The BlackBerry UEM Client performs the following actions:
  - Establishes a connection to the BlackBerry Infrastructure
  - Sends a request for activation information to the BlackBerry Infrastructure
- The BlackBerry Infrastructure performs the following actions:
  - Verifies that the user is a valid, registered user
  - Retrieves the BlackBerry UEM address for the user
  - Sends the address to the BlackBerry UEM Client
- The BlackBerry UEM Client establishes a connection with BlackBerry UEM using an HTTP CONNECT call over port 443 and sends an activation request to BlackBerry UEM. The activation request includes the username, password, device operating system, and unique device identifier.
- BlackBerry UEM performs the following actions:
  - Inspects the credentials for validity
  - Creates a device instance
  - Associates the device instance with the specified user account in the BlackBerry UEM database
  - Adds the enrollment session ID to an HTTP session
  - Sends a successful authentication message to the device
- The BlackBerry UEM Client creates a CSR using the information received from BlackBerry UEM and sends a client certificate request to BlackBerry UEM over HTTPS.
- BlackBerry UEM performs the following actions:
  - Validates the client certificate request against the enrollment session ID in the HTTP session
  - Signs the client certificate request with the root certificate
  - Sends the signed client certificate and root certificate back to the BlackBerry UEM Client

  A mutually authenticated TLS session is established between the BlackBerry UEM Client and BlackBerry UEM.
- The BlackBerry UEM Client requests all configuration information and sends the device and software information to BlackBerry UEM.
- BlackBerry UEM stores the device information in the database and sends the requested configuration information to the device.
- The BlackBerry UEM Client determines if the device uses Knox Workspace and is running a supported version. If the device uses Knox Workspace, the device connects to the Samsung infrastructure and activates the Knox management license. After it is activated, the BlackBerry UEM Client applies the Knox MDM and Knox Workspace IT policy rules.
- The device sends an acknowledgment to BlackBerry UEM that it received and applied the configuration information. The activation process is complete.
After the activation is complete, the user is prompted to create a work space password for the Knox Workspace. Data in the Knox Workspace is protected using encryption and a method of authentication such as a password, PIN, pattern, or fingerprint. If the device is activated with the "Work space only - (Samsung Knox)" activation type, the personal space is removed when the Knox Workspace is set up.
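
The credential check, enrollment session, and certificate-request validation steps above can be modelled as follows. This is an added example, not BlackBerry code: `UemModel` and its methods are hypothetical names, HMAC-SHA256 stands in for the X.509 signature, and the user/device match and single-use session are assumptions about what validating "against the enrollment session ID" involves.

```python
import hashlib
import hmac
import secrets


class UemModel:
    """Toy model of the server side of the activation steps (not BlackBerry code)."""

    def __init__(self, users):
        self.users = users                       # username -> activation password
        self.root_key = secrets.token_bytes(32)  # stand-in for the root certificate key
        self.sessions = {}                       # enrollment session ID -> device instance

    def activate(self, username, password, device_os, device_id):
        # Inspect the credentials, comparing the password in constant time.
        expected = self.users.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        # Create the device instance for this user and open the enrollment session.
        device = {"user": username, "os": device_os, "device_id": device_id}
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = device
        return session_id

    def sign_csr(self, session_id, csr):
        # Validate the request against the enrollment session ID.
        device = self.sessions.get(session_id)
        if device is None:
            return None
        # Assumption: the CSR must name the user and device that were activated.
        bound = (csr.get("user"), csr.get("device_id")) == (device["user"], device["device_id"])
        if not bound or not csr.get("public_key"):
            return None
        del self.sessions[session_id]  # assumption: one certificate per enrollment session
        body = f'{csr["user"]}|{csr["device_id"]}|{csr["public_key"]}'.encode()
        # HMAC-SHA256 stands in for the X.509 signature made with the root certificate.
        return {"subject": csr, "signature": hmac.new(self.root_key, body, hashlib.sha256).hexdigest()}


def run_demo():
    uem = UemModel({"alice@example.com": "constructed-activation-pw"})  # constructed sample user
    bad = uem.activate("alice@example.com", "wrong", "Android", "DEV-001")
    sid = uem.activate("alice@example.com", "constructed-activation-pw", "Android", "DEV-001")
    csr = {"user": "alice@example.com", "device_id": "DEV-001", "public_key": "constructed-key"}
    forged = uem.sign_csr(sid, dict(csr, device_id="DEV-999"))  # wrong device: rejected
    no_session = uem.sign_csr("not-a-session", csr)             # no enrollment session: rejected
    cert = uem.sign_csr(sid, csr)                               # bound to the session: signed
    replay = uem.sign_csr(sid, csr)                             # session already used: rejected
    return bad, forged, no_session, cert, replay
```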