Android - Knox Walkthrough (Samsung Internal)

Updated on

In this demo walkthrough, we're going to show you how to enroll a Samsung Galaxy device into Workspace ONE UEM (formerly VMware AirWatch) to create the Knox Container and demo key features within Knox. 


In order to complete the Samsung Knox demo please verify you have the following:

  • TestDrive account in portal.vmtestdrive.com
  • Workspace ONE UEM service enabled. 
  • Recommended device: at least a Samsung Galaxy S7 
  • AirWatch Agent: Google Play AirWatch Agent
  • ELM Service: at least version 3.2  (provisioned by Workspace ONE UEM during enrollment)
  • Administrator role: Device Administrator at Five Oceans Bank
    • If you don’t have this admin role, please send us an email.
Console - Knox Setup
  • Setting up Knox is as simple as copying and pasting your Knox License Key into the Android Agent's settings of your chosen Knox Organization Group in Workspace ONE UEM. 
  • The Knox key is stored in the Workspace ONE UEM console, but is not visible after it's saved. 
  • For corporate owned device use cases, Workspace ONE UEM supports the creation of Container Only Mode which locks the device into to the Knox container with no dual persona or personal side to the device.

Using your sandbox role, navigate to the Settings / System / Devices & Users / Android / Agent Settings, then show the key setup. 

Console - Knox Profiles

Using the Device Administrator at Five Oceans Bank role, navigate to Profiles in the console.  Filter the profile list by "knox" to clean up your view.  

Drill into the Finance - Knox - Tunnel profile to view its payload.  Review the other Knox profiles available.

Knox admins can create profiles for two modes on Knox-enabled devices. The first is for devices, and applies to the entire device. The second is for containers, and only applies to the corporate container created on the device.  


Set up fingerprint authentication on your Galaxy.  The Knox container uses two-factor authentication in this demo (fingerprint and choice of passcode).

Download the VMware AirWatch agent from Google Play and initiate enrollment using your TestDrive credentials.  

Enrollment Item   Description   Note
Account   TestDrive Account     
Enrollment Email   <username>@samsung.vmtestdrive.com    
OG   Finance - BYOD Demo 
Finance - Corporate Owned Demo 
  dual persona                        
container only       

Continue through enrollment accepting all prompts.  Install and activate the Samsung ELM agent.

Pick either the Finance BYOD or Corporate owned demo. 

During enrollment, note the agent's Samsung Knox license validation.  This is the moment when the device-to-AW-to-Samsung server Knox key has been successfully verified for available licenses. 

(Pardon the image quality in the following screenshots.)

Accept Knox license terms.

After Knox license validation, you should be prompted for Knox security setup.  Follow the guided steps for two-factor authentication setup for the Knox Container.  These steps will use your pre-set device fingerprint.


After the device completes enrollment, accept creation of the Knox Container on the device. 

If you never get the Knox setup prompt or if the Knox Container fails to set up, and you've verified the device supports Knox, you will most likely need to factory reset your device.   

App Provisioning

App provisioning is silent to the user, requiring no interaction on the user's part.  

With Workspace ONE UEM Application Control, admins can set parameters around application deployments and take administrative actions when a user uninstalls certain applications. 

Per-App VPN

Talking Points

  • Your designated internal apps can push inside the Knox Container where they will utilize the VMware Tunnel for VPN connectivity to secure internal sites.
  • Organizations can have the peace of mind that all designated app traffic is secured from the Container over the Internet to the internal endpoint from the Knox Container.

You'll know when the device is ready for per-app VPN when you see the following "Allow connection" message. Click OK.  You may also enter the VMware Tunnel app to verify status. 

Firefox is managed as in internal app with per-app VPN configured.  To demonstrate per-app VPN with Firefox, follow these steps:

  1. In the Knox Container, launch the native browser app within Knox 
    (The native Knox browser could be either Chrome or Internet, depending on the Samsung device firmware.) 
  2. Go to Bookmarks and select the Internal Site bookmark.  The internal site will not be accessible.  Copy the URL.

  3. Launch Firefox in the Knox Container and paste the URL from the Container's clipboard. The site will be accessible.  You may also use the other links on the landing page.

    Internal site: demo-awmag-1.vmwdemo.int



  • Allow GMS Applications in Container is a single restriction that controls availability of Chrome, Google Maps, Google Play, Gmail, and Google Settings in the Knox Container.  This setting is enabled for demo support of devices where Chrome is the Knox container's native browser.

The following are setup in the restrictions profile:

  • In Device Functionality, the camera is allowed, but not screenshots. 
  • In Security, both Enable Application Move and Enable File Move restrictions are disabled, preventing app and file moves.  In the Knox Container, go to file manger and show the inability to exchange files with the personal side.  Then, go to Settings > Apps and note the inability to pull apps from the personal side. 
  • For Sync and Storage restrictions, Allow Google Accounts Auto SyncAllow Change Data Sync Policy, and Allow SD Card Move are disabled. 
Native Mail
  • Native Samsung mail configuration is supported by Workspace ONE UEM in the Samsung Knox Container.  Numerous mail profile settings are available for configuration by Workspace ONE UEM to mirror organizational mail handling policies.

Launch the native mail app, enter password, and accept security prompt to complete native mail config.

Enterprise Wipe
  • When Workspace ONE UEM issues an enterprise wipe command, all managed settings and data are removed from the device.  No personal data is touched (because it was never managed).  
  • The Knox Container and all of its data are deleted from the device with an enterprise wipe.

From the Workspace ONE UEM console, in device details > more actions, send an Enterprise Wipe command to the managed device.  The Knox Container and any other device profiles will be removed. 

Next Article iOS - Financial Services Customer Kiosk