
Device running Android 9 not receiving Knox Manage device command after reboot

Environment 

  • Knox Manage (KM)
  • Android 9 and higher

Overview

This article explains why some Android 9 and higher devices managed by KM do not receive device commands after a reboot, and walks you through configuring the Strong Protection and direct boot command polling interval settings.

 

Cause

Samsung devices running Android 9 and higher have the "Strong Protection" feature, which encrypts your device's data. This feature has been available since Android 7, and its security has been enhanced in Android 9. You can find the Strong Protection feature on your device by following the steps below:

  1. On your device, go to Settings > Biometrics and security > Other security settings.
  2. Select Strong protection.

By default, Strong Protection is enabled. If you restart your device without unlocking it, only a few services are granted permission to run (e.g. alarm clock, SMS, calls). Any other services, including UEM agents, cannot run until the device is unlocked. As a result, the KM agent is unable to receive commands from the server until you unlock the device after reboot.

 

Resolution

Included in the KM v20.2 client update, Direct Boot Support allows many KM device commands and policies to be applied to your device even if it is in a locked state (i.e. not unlocked since it was last powered on). The following KM device commands can run in Direct Boot mode: 

  • Unenroll (AE Only)
  • Update Profile
  • Event (Trigger)
  • Report
  • Factory initialization & SD Card initialization
  • Factory initialization
  • Initialize Knox Password
  • Delete Knox
  • GetDeviceCommand (internal)

NOTE: We recommend that you update your KM client to v20.2 to take advantage of the new Direct Boot Support functionality.

KM now periodically checks if your device is in a locked state after reboot. You can change this polling interval by following these steps: 

  1. From your KM console, navigate to Settings > Basic Configuration > Device > Direct boot command polling interval for Android (min). 
  2. Configure the time interval as desired.

Workaround

While you can disable Strong Protection through Settings > Biometrics and security > Other security settings > Strong protection to ensure that the KM agent receives the device commands, we do not recommend this method as your device's data will be unencrypted.

To avoid potential security vulnerabilities, please update your KM client to v20.2 instead.

 
