Android - Samsung Knox

In this walkthrough, we're going show you how to enroll a Samsung Galaxy device into Workspace ONE UEM (formerly VMware AirWatch) to create the Knox Container and demonstrate key features within Knox. 


In order to complete the Samsung Knox walkthrough please verify you have the following:

  • TestDrive account in
  • Workspace ONE UEM service enabled
  • Recommended device: at least a Samsung Galaxy S6 
  • Recommended Android OS level: >= Android 5.1.1
  • AirWatch Agent: Google Play AirWatch Agent
  • ELM Service - provisioned by Workspace ONE UEM during enrollment
  • Administrator role: Device Administrator at Five Oceans Bank
    • If you don’t have this admin role, please send us an email.


Knox is Samsung's defense-grade security platform built into the latest Samsung mobile devices. Organizations utilizing Knox have data security as their top priority.  

The following walkthrough entails the Samsung Knox Premium feature set.  Descriptions, provided by Samsung, are  here. ``

Console - Knox Setup

Talking Points

  • To enable Knox, you need a Knox License Key from Samsung.  For more information on obtaining a your Knox key, please see the Samsung Knox web site. (This "scripted demos" OG already has the Knox key configured.)
  • Setting up Knox is as simple as copying and pasting your Knox License Key into the Android Agent's settings of your chosen Knox Organization Group in Workspace ONE UEM. 
  • The Knox key is stored in the Workspace ONE UEM console, but is not visible after it's saved. 
  • For corporate owned device use cases, Workspace ONE UEM supports the creation of Container Only Mode which locks the device into to the Knox container with no dual persona or personal side to the device.

Using your sandbox role, navigate to the Settings > System > Devices & Users > Android > Agent the Knox license key setup. 

Console - Knox Profiles

Talking Points

  • Profiles not only secure, but also enable functionality within the Knox container, such as the ability to move apps or files from the non-containerized side. 
  • Two profile modes are supported on Knox-enabled devices. When dual persona is set up (BYOD use cases), administrators can deploy profiles to both the personal side as well as the Knox container.  
  • The Knox Container requires a passcode profile configured in Workspace ONE UEM.  A multi-factor passcode profile, e.g., fingerprint + a complex passcode, are recommended for two-factor Knox container security.  Additionally, a device passcode profile can be added for multi-factor authentication into Knox. 

Using the Device Administrator at Five Oceans Bank role, navigate to Devices > Profiles & Resources > Profiles.  Filter the profile list by "knox" to clean up your view.  

Drill into the Finance - Knox - Tunnel profile to view its payload.  Review the other Knox profiles available.

Knox admins can create profiles for two modes on Knox-enabled devices. The first is for devices, and applies to the entire device. The second is for containers, and only applies to the corporate container created on the device.  


Talking Points

Knox enrollment has two methods:

  • In the typical BYO scenario, dual-persona is the mode.  Users will have enrolled with the VMware AirWatch agent into the Knox enabled "employee owned" OG.
  • Alternatively, for bulk device provisioning, Knox Mobile Enrollment is available and is enabled in the Samsung Knox portal where a list of devices can be uploaded.  Factory reset devices silently check into the portal then automatically enroll into Workspace ONE UEM where they are provisioned in Container only mode. 

Set up fingerprint authentication on your Galaxy.  The Knox container uses two-factor authentication in this walkthrough (fingerprint and choice of passcode).

Download the VMware AirWatch agent from Google Play and initiate enrollment using your TestDrive credentials.  

Enrollment Item        Description   Notes

TestDrive Account 




OG (pick one):  

Finance - BYOD Demo

Finance - Corporate Owned Demo 


dual persona

container only    


Continue through enrollment accepting all prompts.  Install and activate the Samsung ELM agent.  

Pick either the Finance BYOD or Corporate owned walkthrough. 

During enrollment, note the agent's Samsung Knox license validation.  This is the moment when the device-to-AW-to-Samsung server Knox key has been successfully verified for available licenses. 

(Pardon the image quality in the following screenshots.)

Accept Knox license terms.

After Knox license validation, you should be prompted for Knox security setup.  Follow the guided steps for two-factor authentication setup for the Knox Container.  These steps will use your pre-set device fingerprint.



After the device completes enrollment, accept creation of the Knox Container on the device. 

If you never get the Knox setup prompt or if the Knox Container fails to set up, and you've verified the device supports Knox, you will most likely need to factory reset your device. 

App Provisioning

App provisioning is silent to the user, requiring no interaction on the user's part.  

With Workspace ONE UEM Application Control, admins can set parameters around application deployments and take administrative actions when a user uninstalls certain applications.  

Per-App VPN

Talking Points

  • Your designated internal apps can push inside the Knox Container where they will utilize the VMware Tunnel for VPN connectivity to secure internal sites.
  • Organizations can have the peace of mind that all designated app traffic is secured from the Container over the Internet to the internal endpoint from the Knox Container.

You'll know when the device is ready for per-app VPN when you see the following "Allow connection" message. Click OK.  You may also enter the VMware Tunnel app to verify status. 

Firefox is managed as in internal app with per-app VPN configured.  To demonstrate per-app VPN with Firefox, follow these steps:

  1. In the Knox Container, launch the native browser app within Knox 
    (The native Knox browser could be either Chrome or Internet, depending on the Samsung device firmware.).  
  2. Go to Bookmarks and select the Internal Site bookmark.  The internal site will not be accessible.  Copy the URL.
  3. Launch Firefox in the Knox Container and paste the URL from the Container's clipboard. The site will be accessible.  You may also use the other links on the landing page.

    Internal site:


Talking Points

  • Restrictions in the Knox Container are used to harden security for data loss prevention (DLP).
  • Unintentional, non-malicious data leakage is the most common form of data loss.
  • When Knox enabled devices are configured for Common Criteria (CC), the bootloader will block KIES download mode, enforce to check integrity of kernel, and self-test crypto-modules. In addition, device will verify additional signature on FOTA update using RSA-PSS signature and enforce to use FIPS 140-2 validated crypto module for EAP-TLS Wi-Fi connection. 


Allow GMS Applications in Container is a single restriction that controls availability of Chrome, Google Maps, Google Play, Gmail, and Google Settings in the Knox Container.  This setting is enabled to support device firmware which utilizes Chrome as the native browser in the Knox container.

The following are setup in the restrictions profile:

  • In Device Functionality, the camera is allowed, but not screenshots. 
  • In Security, both Enable Application Move and Enable File Move restrictions are disabled, preventing app and file moves.  In the Knox Container, go to file manger and show the inability to exchange files with the personal side.  Then, go to Settings > Apps and note the inability to pull apps from the personal side. 
  • For Sync and Storage restrictions, Allow Google Accounts Auto SyncAllow Change Data Sync Policy, and Allow SD Card Move are disabled. 

Native Mail

Talking Points

  • Native Samsung mail configuration is supported by Workspace ONE UEM in the Samsung Knox Container.  Numerous mail profile settings are available for configuration by Workspace ONE UEM to mirror organizational mail handling policies.

Launch the native mail app, enter password, and accept security prompt to complete native mail configuration.  You should see staged email in your inbox. 

Enterprise Wipe

Talking Points

  • When Workspace ONE UEM issues an enterprise wipe command, all managed settings and data are removed from the device.  No personal data is touched (because it was never managed).  
  • The Knox Container and all of its data are deleted from the device with an enterprise wipe.

From the Workspace ONE UEM console, in device details > more actions, send an Enterprise Wipe command to the managed device.  The Knox Container and any other device profiles will be removed. 


For Additional Support

Review Our Knowledge Base

Submit a Ticket

Have more questions? Submit a request

Please sign in to leave a comment.