Jump to content
Welcome to our new Citrix community!
  • 0

Best Practice for Use Android in Business

Bjoumlrn Teszligmer




we have enrolled iOS now for a long time. Since 1st January we are trying so set up Android in the same way we use iOS.

I think there are some major differences and its much more complicated. Becaus of that i want to know what is the best practice to use Android for business.


I just set up Samsung Knox Mobile Enrollment (KME) to auto enroll devices directly into Citrix Endpoint Management. This works find but only in Device Admin Mode (this is the profile type in KME)

I have written some days with Citrix Support und with Samsung Support but now im just more confused than before. I would like to use Device Admin Owner in KME because this is a profile which will work with Android 10.


But maybe there are more solutions with android legacy or enterprise?

The points that should work with this should be:

- auto enrollment of secure hub 

- auto enrollement of mdx apps like in vpp (optional)

- policy based wifi (seems not to work with Samsung KME)


Maybe someone can help me to learn more about Android in combination with Endpoint Management.


Thank you

Regards form Germany



Link to comment

9 answers to this question

Recommended Posts

  • 2

Hi Björn, I'm stuck in a boring meeting so had some time to write this up. I hope it helps:


The entire Android Enterprise ecosystem has been very confusing for the past several years, but I think it's in a better place today. As a disclaimer, we use CEM for our iOS and Android devices, but we use the Samsung Knox platform (Knox Mobile Enrollment, Knox Configure, Knox Manage, Samsung E-FOTA) with our Android manufacturing and warehousing devices. There are pros and cons to both platforms, but we split our strategy depending on the environment and use case.


There are a few key items that have to be understood ahead of time about Android in general, which you may know, but I'm going to list for anyone else that reads this:

  • There are different Android flavors out there since different manufacturers use the Android OS in their own ways. You have vanilla Android provided by Google, and customized by device manufacturers like LG, Sonim, Honeywell, etc. And then you have Samsung Android.
  • Not all manufacturers that use vanilla Android support Android Enterprise or Zero Touch. It's why we don't bother with hardly any other Android devices other than Samsung. Although we have recently branched out to use some Sonim and Honeywell devices since they now support Android Enterprise.


  • Android Legacy = Device Admin --> OLD method that Google wants to get rid of.
  • Android Enterprise = Device Owner --> NEW method that Google is driving towards but has big limitations in my opinion.
  • Zero Touch = Vanilla Android out-of-box setup
  • Knox Mobile Enrollment = Samsung Android out-of-box setup

The configuration differences between Legacy and Enterprise are vast. If you're just starting out I recommend you adopt Android Enterprise (Device Owner), as that is the now and future for Android enrollment. Plus, if you start with Legacy and want to migrate to Enterprise, you will have to factory wipe each device to migrate them. A few things to note about Android Enterprise:

  • You first create a free Google Account for your organization, and after you link it with CEM, that will be used to register your apps via a private Google Play Store (that you manage via CEM) - https://docs.citrix.com/en-us/citrix-endpoint-management/device-management/android/android-enterprise.html
  • You do not have to buy G-Suite to use Android Enterprise. The whole setup is free.
  • You have to rethink how apps are provided with Android Enterprise:
    • In CEM, you now 'Approve' public apps for your users (based on CEM Delivery Group), and those apps can now be downloaded from your private Google Play Store. This includes Secure Mail, Secure Web, etc.
    • Depending on how you configure your device restrictions, users can still download apps from the public Google Play Store. This is where the separation occurs between personal and work profiles on the device. One phone may have two Chrome browsers on it, one personal and one corporate. We don't bother with that and just block Google Play Store access outright.
    • For Citrix MDX apps, you still upload those separately into CEM. This means for each Citrix Secure app, you'll have one app entry for Android Enterprise, and one for MDX.
    • For private Android Apps that you develop for internal use (not for public consumption), you now upload those into your private Google Play Store separately via CEM.
    • Quick note about CEM: your app categories become more important now as they are displayed in your private Google Play Store.

We are still using Android Legacy as it has many more controls over the device compared to Device Owner. This includes things like better app control (e.g. clear app data, run app, close app), and no nonsense with this personal vs work profile on enterprise devices. We'll move to Android Enterprise eventually.


Now onto KME:

  • Samsung Knox Mobile Enrollment (KME) only works with Samsung Android devices. There was a collaboration announced by Samsung and Google to merge Zero Touch and KME, but I have never seen this in production so not sure if it works well or not (someone chime in please if I'm wrong).
  • KME is similar to Apple Business Manager (formerly Apple DEP). It requires that you register your resellers like Verizon or AT&T to sync your purchased devices to your KME account. This way they can be setup out of the box just like iOS devices.
  • KME is region sensitive. You must have one KME account for your EMEA devices and another one for the US. This is specific based on the Samsung Android image. So if you buy a Samsung Android device from Germany, it will have the LUX image that will only enroll into your EMEA KME account. If you buy a phone from the U.S. it will have the XAA/XAR image and only enroll into your US Knox account.
  • Samsung does not support this, but if you get sent a phone or tablet with the wrong region image, you can always reimage it with the Odin tool. That's a whole other discussion.
  • Using KME to auto-push Citrix Secure Hub is easy. However, Citrix says you can use the KME JSON options to auto-enroll into Secure Hub (or at least input your server URL). I have never seen this work successfully. That was sometime last year so perhaps it's fixed now. - https://docs.citrix.com/en-us/citrix-endpoint-management/device-management/android/samsung-knox-bulk-enrollment.html
  • For auto-install of MDX apps, this depends on if you use Android Legacy and Android Enterprise. Both can auto-push apps. In CEM go to Delivery Groups and move the apps to 'Required'.
  • For Wi-Fi policy via Android Enterprise, this is still configured in CEM. So after KME pushes Secure Hub, you enroll, then the Wi-Fi policy gets pushed like any other device.

Final note - Android Enterprise works best with Android 9.0 and above. I recommend that if you have any Android 7 or 8 devices, upgrade them to at least 9 as part of your standard.


If you're interested in any of the other Samsung Knox products like Knox Manage or E-FOTA, let me know. We have a great deal of experience with these tools.

  • Like 2
Link to comment
  • 0

Hi Ryan,


thank you for that detailed explanation and for the time you took even it was in boring meeting :D

As i understand you now i need to have Android Enterprise in combination with KME to fulfill all my re quirements?

I always thought that you can only have one system at the same time. So you have to decide if you use Android Enterprise or Samsung KME but not both.

This is wrong, isn't it? 


So to get to my  destination i have to set up Android Enterprise in CME. After this i can set up a new Device Owner Profile in Samsung KME and after all this it should work and i can enroll profiles via CME for Android Enterprise on a Samsung Android which was enrolled with KME?

(Wow this sentence confused myself a little bit.)


Because we only have 3-4 devices in Device Admin mode its not so hard to migrate them to device owner. I don't know if i have time to test it today but it would be nice if you could answer if my approach is right.


Thank you

Best Regards


Link to comment
  • 0

Hi Björn, here you go:


7 hours ago, Bjoumlrn Teszligmer said:

As i understand you now i need to have Android Enterprise in combination with KME to fulfill all my re quirements?

For Samsung Android devices, yes, you will setup a KME profile using Device Owner (a.k.a. Android Enterprise), and that profile will need to be setup to auto-install Citrix Secure Hub. Once Secure Hub installs, the user will input their username and password (depending on your authentication setup). You will need to make sure that in CEM you have Android Enterprise policies configured and applied to the necessary Delivery Groups.


7 hours ago, Bjoumlrn Teszligmer said:

So to get to my  destination i have to set up Android Enterprise in CME.

Yes, you will need to do this before enrolling your first device. Citrix made it easy to configure in the CEM settings.


7 hours ago, Bjoumlrn Teszligmer said:

After this i can set up a new Device Owner Profile in Samsung KME and after all this it should work and i can enroll profiles via CME for Android Enterprise on a Samsung Android which was enrolled with KME?

You got it!




Link to comment
  • 0

Ryan, I want to thank you for being able to explain this in a manner I can understand.  I have gone crazy trying to understand the various documents related to Android Enterprise and KME provided at citrix.  It is requested that you attend more boring meetings to produce this knowledge.

What is the general preference regarding zero touch vs QR Code vs afw#xenmobile?

Link to comment
  • 0

Hi Ryan,


i had the time now to test it. I activated Android Enterprise in CEM.

After this i took a Samsung Device and enrolled it with a Device Owner profile via KME. 


I start the device and everything seems good. The device finds the right secure hub.apk and it looks good.

But it gets stuck while putting in username and password after the url of our CME (via custom Json Data)

So you can onlysee the spinning blue cirlce all the time and nothing happens.


I had the problem earlier and the solution was to swap to device admin in KME. Citrix Support and Samsung Support couldn't help that much...

Do you have an idea?


Best Regards


Link to comment
  • 0
On 1/14/2020 at 12:57 PM, Ryan Tsamouris said:

If you're interested in any of the other Samsung Knox products like Knox Manage or E-FOTA, let me know. We have a great deal of experience with these tools.

Hi Ryan, I am trying to wrap my head around what we need to get knox e-fota up and running, as well as what else those licenses can do for us. We are using CEM to manage our growing fleet of Samsung tabs and need to be able to update on OUR schedule. Knox e-fota is what I want, right? Do I need a license for each device?


Thanks in advance,



Link to comment
  • 0

Hi Fred,


Yes, E-FOTA is what you want. I wouldn't bother connecting E-FOTA to CEM. Consider E-FOTA a whole other system, and I highly, HIGHLY recommend that you purchase the E-FOTA Advanced Cloud (not on-prem). You license by your device count, so if you have 1,000 devices you purchase 1000 E-FOTA licenses, and it's easy to increase that count whenever needed. The way it works is that with CEM you will push the E-FOTA app (called Software Management), and when the app first opens it will register with your E-FOTA account if you have pre-registered it. If it is not pre-registered, then the user would need to input your E-FOTA domain and PIN to register it, which perhaps that would be done by IT when they first setup the phone with the user.


Once your devices are registered, you can manage your firmware policies and campaigns, which are managed per device model. For example, you can require that all Galaxy S9 phones are running Android 9.x so when they first enroll they are required to update. You can force updates silently or run them with user input. There are options to run them only between certain hours, as well as retry attempts, etc. The Advanced Cloud system is extremely versatile, which is why I recommend it over the other basic packages.


The most confusing part for us was figuring out how to purchase the licenses. You have to find a reseller that will sell them to you. One of our VARs became a reseller so it's easy for us to now purchase more licenses when needed.


I'll send you more info via private message that you should find useful.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...