Possible issues with SAMSUNG SAFE and Xenmobile Endpoint 10.11 and Android Enterprise

[James Selix]

Hello everyone

 

Has anyone noticed issues trying to enable SAMSUNG SAFE apis with the latest Endpoint 10.11 update and Android Enterprise? I have a Samsung S9 and have configured our Xenmobile delivery groups to pushout 7 policies.   I previously had setup deployment requirements for the policies but have since removed them (ie device property samsung safe api = true).  After enrolling into Xenmobile and enabling of the Android Work profile (we do a byod, managed google play approach to android enterprise), i notice in my XMS console that only 6 of the 7 policies are showing.  the samsung safe ELM key policy never shows up in assigned policies or in the delivery groups and log area.

 

am i missing something?  i verified that our DB didn't have the bad ELM key either per a KB from 2017.  Prior to 10.11 and enabling of Android Enterprise, SAMSUNG SAFE policy was apply and still is applied to said android devices.

 

TIA! i'll post any fixes/finds i run across. i also have a ticket into Citrix support on this since i also have another ticket opened in regards to Managed App configurations for Gmail not pushing upon enrollment and requiring users to do a device policy refresh after enrolling before said policy applies.

[James Selix]

Ok. so yea, i figured this all out now.  but i'm gonna prob put the info on my blog and put a link on here since there are NO GUIDES to do what i've been trying to do for the last month now.  my end goal was to be able to go BYOD with Android Enterprise (ie Personal and Work profiles on phones, requires users be on android 6.0 and up) and create a very similar setup as our iPhones where all they do is really enter in passwords once and an email address/user name.

 

Samsung SAFE and KNOX aren't needed for this at all.  If all you want to do is create a pre-configured email profile for Samsung Email, all you need to do is add the Samsung Email app to your Google Play Managed Store.  Then create a public store app to managed play app and assign to delivery group for said devices.  After that, you can then create a new policy > Managed App Configuration.  Pick your Samsung Email app that you added to store in drop down.  Then add an exchange profile.  You can also use the built in macros to pre-populate userid, email.  Verified it works however i'm still noticing issues with managed app configs not applying upon enrollment. i have do a device refresh on my samsung s9 or pixel 2 to get said managed app configs to pull down.  

 

however.. there ya go!!! this can be applied to other email clients too. i'm working on getting the Outlook for Android app's managed config working too but still testing that one and no success yet.

 

on that note, answered. ;)

[James Selix]

after creating completely new delivery groups and only adding four basic policies; Samsung SAFE ELM macro policy still is not applying.  New enrolled samsung devices (S9 is my test device) do not show the policy applying at all in the endpoint console for the device nor is the policy shown in Policies. 

 

i am having Citrix support confirm they are able to enroll new Samsung devices into Android Enterprise on Endpoint 10.11.0.10; i have not been able to get any samsung devices to enable the SAFE Api via the ELM macro/safe policy.

 

anyone else on the latest 10.11.0.10 for Xenmobile Endpoint and able to enroll samsung devices and activate the SAFE API?

[James Selix]

bumping since Android Enterprise migration is becoming more and more pressing...