Menu

Cannot activate email client as a device admin app during account setup

Environment

  • Knox Platform for Enterprise (KPE)
  • Knox Manage (KM)
  • Knox Service Plugin (KSP)
  • Android Enterprise
  • Email

Overview

When a user is configuring an account on an email client, they are requested to activate the client as a Device Admin App. If the device is enrolled as an Android Enterprise device with an EMM, they may encounter the message "Security policy prevents enabling device administrators" when the activation is attempted.

Cause

The ability to activate Device Admin Apps is disabled by default. In order to grant this permission, the email client package name must be entered into an allowlist in Knox Service Plugin prior to setting up the email account.

Resolution

To configure the Device Admin allowlisting policy in KSP go to:

  1. Device-wide policies > Device Admin allowlisting.
  2. Set Enable device admin controls to Enable.
  3. Enter the email client package name in Allowlisted DAs.
  4. Save and publish the KSP policy.
Share it: