Menu
These instructions describe how to install KSP with the following UEM. Always check your UEM's specific documentation for the most up to date instructions.

Set up with VMware Workspace ONE UEM

This section provides instructions on how to set up and configure fully managed devices with a work profile using the VMware Workspace ONE UEM.

For devices running Android 9.0+, you can now enroll devices using either the fully managed device with a work profile, or Company Owned, Managed Profile (COMP) deployment modes. Either mode lets IT admins strike a balance between giving the devices user some freedom to use the device for personal use, while maintaining the device-wide security and control that is necessary to keep enterprise data safe.

The fully managed devices with a work profile deployment mode allows IT admins to secure the sensitive data on a device, while giving a measure of unrestricted access to the device user's personal apps and data inside a container. Fully managed with a work profile devices contain two sets of policies: 

  • device-wide policies
  • policies specific to the personal container

While device-wide policies remain the same for fully managed with a work profile devices as for DO and PO devices, IT admins can enforce additional restrictions for the personal container on the device.

Pre-requisites

Before you can set up a basic policy, the following pre-requisites must be met:

  • Device is enrolled in the UEM in fully managed device with a work profile mode.
  • Two instances of KSP are installed on the device, in DO and PO respectively, as follows:
    • KSP is installed as a Private or Internal App in DO. For more information see Add KSP as a private app.
    • KSP App is installed in PO through Managed Google Playstore.
  • IMPORTANT—Ensure the KSP version installed in DO is the same as or higher than the KSP app installed in PO.
  • KPE Premium License is activated through the UEM or KSP in PO.

For more information on the things to consider when choosing the fully managed device with a work profile deployment mode in the VMware Workspace ONE UEM, see their help topic on Understanding Android Device Modes.

Setup process

The process to set up a fully managed device with a work profile in VMware Workspace ONE is as follows:

  1. Add KSP as a private app in DO
  2. Add KSP as a public app in PO, as described in Step 1: VMware Workspace ONE UEM - Add to UEM console.
  3. Enable DO controls and set up DO policies
  4. Enable PO controls and set up PO policies
  5. Deploy changes

For detailed information on configuring enrollment on VMware Workspace ONE UEM, see Configuring Corporate Owned Personally-Enabled Enrollment.

Add KSP as a private app in DO

To ensure KSP is deployed correctly with fully managed device with a work profile deployments:

NOTE—With fully managed device with a work profile deployments, the public app is installed in PO and the private app is installed in the DO side. The PO app receives the KSP configuration (DO and PO configurations). If the PO app sees the configuration has the Enable DO policies parameter set to True, then the PO KSP app passes the DO configuration to the private app. The private app will then process the configuration received from the PO KSP app.
  1. Log in to the VMware Workspace ONE UEM Admin console. Click Apps & Books. In the left hand navigation that opens, click Native.
  2. On the top navigation menu, click Internal.
  3. Click Add Application.
  4. Upload the latest version of the KSP app to the console. Contact your local Samsung representative for the latest version of the KSP app.
  5. Click Save and Assign. KSP is now added to your console.

Enable DO controls and set up DO policies

The next step is to enable DO and PO controls, and configure DO and PO level policies.

NOTE—Apply the following steps to enable a DO policy on the KSP instance installed as a public app.

To enable DO controls, do as follows:

  1. In the VMware Workspace ONE UEM console, click Apps & Books.
  2. In the left hand navigation that opens, click Native.
  3. On the top navigation menu, click Public.
  4. Find the Knox Service Plugin, click the icon.
  5. On the right side of the detailed view page, click ASSIGN.
  6. Select your KSP device and click EDIT.
  7. In the dialog that opens, under application configuration, click EDIT. The App configuration page opens.
  8. NOTE This button will say CONFIGURE if you have not yet set up a profile. It changes to EDIT after a profile is set up.
  9. In the Device-wide policies section, next to Enable Device Policy Controls, click True.
  10. You can now set up some device-wide policies and deploy them to your devices. For more information, see configure KSP policies and deploy KSP to devices.

Enable PO controls and set up PO policies

Optionally, IT admins can choose to set up policies for the personal container (PO) on the device.

To enable PO controls:

  1. In the VMware Workspace ONE UEM console, click Apps & Books.
  2. In the left hand navigation that opens, click Native.
  3. On the top navigation menu, click Public.
  4. Find the Knox Service Plugin, click the icon.
  5. On the right side of the detailed view page, click ASSIGN.
  6. Select your KSP device and click EDIT.
  7. In the dialog that opens, under application configuration, click EDIT. The App configuration page opens.
  8. NOTE This button will say CONFIGURE if you have not set up a profile. It changes to EDIT once the profile is set up.
  9. In the Work Profile policies section, next to Enable Work Profile Policy Controls, click True.
  10. You can now set up some PO policies and deploy them to your devices. For more information, see configure KSP policies and deploy KSP to devices.

Deploy changes

The process to add KSP policy changes to fully managed device with a work profile deployments is the same as the deployment process for DO and PO devices. For information on deploying KSP changes, see Step 3: VMware Workspace ONE UEM - Deploy.