Using Samsung Knox enrollment and MobileIron trying to get to a COPE solution

Aaron.Jonkers · 2018-07-18 22:45:08 UTC

Hi All,
I have recently deployed a fleet of Samsung S8/S8+ devices to our staff.

We are using Samsung Knox enrollment and have configured the profile as Google Device Owner.
We use MobileIron as our MDM solution.

A tight frame meant that little piloting and testing was done, before the main fleet was deployed.

2 main gripes from users:

too restrictive. applications are unable to work properly under these conditions e.g. locations services and access to contacts. Inaccessible from apps not deployed via corporate playstore.
wallpaper/themes cannot be changed, post MobileIron registration ??? (no corresponding policy I can find controls this)

With the release of MobileIron Core 9.7. I thought great!! The end of the restrictions are in sight.

I rolled out Core 9.7 in my test environment and duly selected the option to enable the COPE model “Managed Device with Work Profile” in the Android Enterprise configuration.

Unfortunately no Work Profile was forthcoming…
I have logged a case with MobileIron to see if they have any ideas…They seem to think my setup is Ok and should work.

Unfortunately because USB debugging is disabled by default, with Device Owner setup, I am unable to provide meaningful data to the vendors.

Has anyone out there had any luck setting up a COPE solution, using Samsung KNOX enrollment and MobileIron?

Regards,
Aaron

andrew_dawson · 2018-07-20 02:33:29 UTC

Hi Aaron,

I had previously tested 9.7.0.1 COPE with success, I can confirm 10.0.0.1 is also working on an Android 8.1.

Can you confirm;

Device details, including make/model and OS version?
Have you tested both Device Owner -> COPE and a new enrollments?
Do you get any prompts in the notification bar?
What do you see under Devices & User > Devices > Device Detail > Registration Status
Open Mobile@Work > Settings and enable “Show Configuration Warnings”
Did MobileIron support look into the Mobile@Work client logs?

,Andrew

Aaron.Jonkers · 2018-07-20 03:31:17 UTC

Hey Andrew,

Been a while. Hope you are well.

Samsung S8/S8+ OS: Android 8.0
Not sure I follow you…I have changed the Android Enterprise Config to “Managed Device with Work Profile”, left Samsung profile as Device Owner. Have tested this with new and existing enrollments.
No notifications…Assume you mean in the Mobile@work client?
Registration Status of new and existing devices is: “Work Managed Device”
No Configuration Warnings
I have supplied the logs…Not feedback as yet.

Many thanks,
Aaron

andrew_dawson · 2018-07-20 05:04:42 UTC

I can see the config change in config.prop (this can be viewed in the client log export)

<parm name="IsCOMPMode" value="true"/>

This changes from false to true when modifying the “Android Enterprise” config in Core.

I can only assume the Mobile@Work client is not doing its part to convert the device.
New device enrollments seem to be fine (with the exception of one step requiring me to re-open the client at the time of Work Profile creation, this may just be a device or v10 bug)

I believe MobileIron will have to provide a client fix for this fault.

JasonBayton · 2018-07-20 16:09:06 UTC

Without digging too deeply, I’m agreeing with this:

Samsung’s Workspace bastardised the UX of work profile, so I wouldn’t be at all surprised to see it fall over during provisioning as a COPE device… but My Note 8 on 8.0 provisions fully, creating a workspace on the managed device, so I can’t say 100%. Generally I’ve seen more issues with S than Note though.

andrew_dawson · 2018-07-20 20:51:43 UTC

I didn’t have any major issues with a fresh enrollment, just the scenario where a device in work managed, then the COPE flag is enabled in Core to make it work managed with work profile.

Do you know of this worked on the Note 8 with the above condition?

Note: When this was announced in Core 9.7 one of the MobileIron engineers seemed to think it would just convert.

JasonBayton · 2018-07-20 21:06:52 UTC

Ah ok understood.

Migration from COBO to COPE isn’t supported at all. Google suggested it would be straightforward to implement but MI didn’t agree and are still considering it.

Aaron.Jonkers · 2018-07-22 19:16:41 UTC

Thanks for your input guys, much appreciated.

I’ll put this back to MobileIron and see if I make some headway.

Thanks again.
Aaron

adam · 2018-07-25 15:03:47 UTC

You’ll need to reprovision existing devices for sure. Things can also get pretty squirrelly if you’ve allowed users to create accounts or if you’re sideloading apps into the work managed device instead of using managed Play.