Lately I’ve been busy setting up a fleet of Samsung mobile phones for a customer that run a custom mobile application, let’s call it Tripko.
The partner company that supplied the phones also provided us with a license for Samsung Knox Manage, which is a “Mobile Device Management” (MDM) solution. We hit a few bumps along the way and I’ll explain them in this post.
First we defined a simple premise that all the phones will be locked to our Tripko application, with a few additional applications like Google Chrome and Google Maps. We also locked the device to prevent users from changing settings, other than Wi-Fi and mobile network. We also allowed the users to call local numbers and prevented roaming. Bottom line, the phone features were pretty limited.
Next, we needed to decide on how to run Tripko. Knox Manage supports many modes, but we chose Multi-app kiosk mode. The MDM provides a web interface for Kiosk applications, where you can create them with a few clicks and apply them to a Device management profile. The generated Kiosk application is an APK, which is basically a custom Android application launcher. Every time a phone is enrolled to the profile, everything is installed automatically.
After a few dozen factory resets and tests, we came to a stable version of the management profile and kiosk application that met our requirements. And as you can see by the number of tries, the path was thorny. Here are a few issues we came across.
Issue 1: Notification bar was hidden and navigation bar was displaying only the back button.
The phones came with Android version 8.0 and some were mistakenly updated to version 9.0 before enrollment. Mistakenly? Who does not update their phone when the manufacturer gives us an update?
Anyway, we noticed that in the case of Android version 9.0, the Kiosk application did not show the notification bar and wrongly displayed the navigation bar below. It was like this:
We tried to fix this by applying changed device profiles and playing with the settings. Nothing worked. The official statement from Samsung support was that version 9.0 contains a Google API which is not yet supported in Knox Manage MDM (to my knowledge, Android 9.0 came with out-of-the-box improvements to device management).
But then a solution emerged from the representative of our partner company that provided the phones. And it’s a hacky one :).
We created a separate Device Management Profile in Samsung Knox where Kiosk mode is turned off. That was the only difference.
Here is the procedure:
First we enrolled a factory-restored phone to a device group with the Kiosk application enabled. When it was done, we simply moved the device to a different device group, which had the profile with Kiosk mode turned off. After the profile was applied, we clicked on the home button and selected our Kiosk application as the default launcher.
The good (or bad) thing is that Knox Manage does not remove installed applications while changing device policy profiles. The Kiosk application worked and, for unknown reasons, so did the navigation and notification bars! Woo-hoo!
Issue 2: Can’t access the Samsung camera application while the MDM profile was applied.
When creating the original Application management profile, we created a Kiosk application which linked to three applications: Tripko, Google Chrome and Google Maps. Tripko needs both to work properly, plus it also needs a camera application to grab photos. By default it is installed on the Samsung phone, but it did not run when we needed it. First we thought it was a permission issue, but it turned out that we had to whitelist the Camera application (actually it is some sort of permission issue).
We first created a Control application within Knox Manage MDM.
Then we put it on the whitelist. Sadly, the terminology in Knox Manage is a bit confusing. But here it is under Enterprise policy configuration:
And then the default camera application worked as expected.
Issue 3: Poor performance of Tripko application.
Once we solved issue 2, we were happy :). But our struggle didn’t end there. After thoroughly testing Tripko, we found out that it worked extremely slowly and unpredictably when taking a photo and sending it remotely to our REST API. On my personal phone it worked as expected, so I decided to wipe the customer’s phone and set it up without Knox Manage. The application worked as expected! So there is clearly something limiting the performance in the bowels of Knox Manage. Is there some sort of encryption in place that bogs down the process of taking a photo, storing and converting it?
There is indeed. After some tests and support from Samsung, we found out the reason for the issue.
A keen eye might have spotted that we used the Android Enterprise Policy for a Device Management profile in the Knox Manage MDM. That policy uses storage encryption (of some sort) by default and it cannot be turned off.
Since our application does not operate on business data and encrypted storage is not essential, we wanted to turn it off and tried it out. A representative of our partner company suggested we should try to copy the Enterprise policy to a Legacy policy, which does not contain encryption. And… yes! The application worked as expected under the Legacy policy!
I hope this list of issues and solutions helps you in time of need and saves you some hours :).