CellWe EMM Admin Portal Guide

 SAMSUNG SDS
CellWe
Enterprise Mobility
Management
Administrator’s Guide
Version 15.6
Published: July 2015
Before using this information and the product it supports, be sure to read the general
information on this page.
Publisher: Samsung SDS Co., Ltd
Address: 125, 35-Gil, Olympic-Ro, Songpa-Gu, Seoul, South Korea.
Phone: +82 2 6155 3114
Email: [email protected]
Website: www.sds.samsung.co.kr
This edition applies to Samsung SDS CellWe EMM Version 1.1.2, and to all subsequent releases
and modifications thereof until otherwise indicated in new editions. Make sure you are using
the correct edition for your product.
Samsung SDS Co., Ltd. has credence in the information contained in this document. However,
Samsung SDS is not responsible for any circumstances which arise from inaccurate content or
typographical errors.
The content and specifications in this document are subject to change without notice.
Samsung SDS Co., Ltd. holds all intellectual property rights, including the copyrights, to this
document. Using, copying, disclosing to a third party or distributing this document without
explicit permission from Samsung SDS is strictly prohibited. These activities constitute an
infringement of the intellectual property rights of this company.
Any reproduction or redistribution of part or all of these materials is strictly prohibited except
as permitted by the license or by the express permission of Samsung SDS Co., Ltd. Samsung
SDS Co., Ltd. owns the intellectual property rights in and to this document. Other product and
company names referenced in this document are trademarks or registered trademarks of their
respective owners.
Copyright ⓒ 2015 Samsung SDS Co., Ltd. All rights reserved.
     
Contents

Chapter 1  Getting started with Admin Portal  1
  Where to find information in help  2
  Supported web and device browsers  3
  Using the account name drop down menu  3
  Switching between admin and user portals  4
  Logging in to the user and administrator portals with silent authentication  4
  Rolling out Samsung SDS CellWe EMM User Suite to users  5

Chapter 2  Services and components overview  7
  Component summary  8
  Which software is installed and where  10
    Using the Samsung SDS CellWe EMM User Suite for single sign-on  10
    Using the Samsung SDS CellWe EMM User Suite for mobile device management  11
  Supported devices  11
  Foreign language support  12
  Admin Portal overview  12
  Samsung SDS CellWe EMM user portal overview  13
  Selecting single sign-on or mobile device management  14
  Selecting an identity repository  15
  Selecting a policy service  15

Chapter 3  Viewing dashboards  17
  Displaying user login activity  18

Chapter 4  Managing users  19
  Account sources  19
  Using the Active Directory/LDAP and user service ID repositories  20
  Default user accounts  21
  Managing cloud accounts from the Users page  21
    Managing users from their account details page  23
    User Management commands  25
  Referencing accounts from Active Directory/LDAP  26
    Notifying users with Active Directory/LDAP accounts  27
    Simplifying logging in to cloud service portals for Active Directory/LDAP accounts  27
  Adding Samsung SDS CellWe EMM user service accounts  27
  Sending invitations to users  33
  Deleting accounts  34
  Specifying a user’s application login settings  34

Chapter 5  Managing applications  36
  Deploying the Samsung SDS CellWe EMM User Portal application  36
  Viewing and sorting applications in the Apps page  37
  Configuring applications  38
  Application symbols  42
  Working with applications that require the Samsung SDS CellWe EMM Browser Extension  43
    Installing the Samsung SDS CellWe EMM Browser Extension for IE on remote Windows computers  44
  Removing an application  46
  Adding web applications by using Admin Portal  46
  Adding web applications by using Samsung SDS CellWe EMM Infinite Apps  49
  Adding and deploying mobile applications using Admin Portal  54
  Using the Samsung KNOX Marketplace  56
    Managing applications purchased in Marketplace  57
  Deploying web applications to KNOX containers  58
  Deploying mobile applications to KNOX containers  59

Chapter 6  Managing devices  65
  Enabling users to enroll devices  66
  Enrolling a device  67
  Using Admin Portal to manage devices  70
  Using Active Directory Users and Computers to manage devices  71
  Using the device management commands  74
  Working with Samsung KNOX devices  80

Chapter 7  Managing policies  91
  Using policy sets  92
  Device Management Settings - Monitoring enrolled devices  95
    Using device polling  95
    Setting the “unreachable” threshold  96
  Device Enrollment Settings - Enabling users to enroll devices  96
  Authentication - Setting authentication policy controls  98
  Password Reset - Setting forgotten password reset policies  109
  Password Settings - Setting password controls  112
  Application policies - Preventing users from adding applications  114
  Managing device configuration policies  114
  Mobile device configuration policies overview  119

Chapter 8  Managing roles  141
  Using roles  141
  Predefined roles  142
  Creating a role  143
  Adding and removing users and groups to and from roles  144
  Assigning applications to and removing them from roles  145
  Creating cloud service administrators  146
  Managing Samsung Marketplace roles  149
  Deleting roles  151

Chapter 9  Managing customer cloud services  153
  About customer cloud services  153
  Creating a cloud service for a customer  154
  Disabling and enabling a customer cloud service  155
  Logging in to a customer cloud service  156
  Creating roles that can create and manage customer cloud services  156

Chapter 10  Managing reports  158
  What’s in the Report Library  158
  Reports provided in Admin Portal  159
  Access to shared reports and report data  159
  Selecting report data  160
    Report query syntax  161
    Filtering events by time with DateFunc()  162
    Formatting dates to strings with Formatdate()  163
    Selecting location data  164
  Common events that you can search for  164
  Working with reports  166
    Viewing reports  166
    Modifying applications or devices directly from a report  166
    Exporting report data  167
    Creating a new report  167
    Copying an existing report  167
    Sharing a report and granting report access  168
    Deleting a report  168
    Creating a new report folder  168
    Granting access to a report folder  169
  Report query examples: Built-in report definitions  169
  Report syntax examples  171
    SQL statements to retrieve data from tables and columns (basic)  171
    SQL components to specify conditions  171
    SQL components to specify sorting, displaying, grouping  173
    SQL Function examples  173

Chapter 11  Configuring cloud service settings  175
  Customizing cloud service user interfaces  177
  Configuring cloud connectors  181
  Adding LDAP as a Directory Service  185
  Enabling email quarantining  185
  Preparing iOS devices for mass deployment  187
  Generating an APNS certificate  190
  Managing your Samsung KNOX licenses  194
  Enabling automatic log out from the Samsung SDS CellWe EMM user portal and Admin Portal  195
  Using login suffixes  195
  Linking to the Apple Device Enrollment Program  198
  Setting Corporate IP ranges  200
  Selecting the policy service for device policy management  201
  Configuring mobile device management or single sign-on only  205

Appendix 1  Installing Samsung SDS CellWe EMM cloud connectors and administrator consoles  208
  Requirements  209
  Supporting user authentication for multiple domains  211
  Adding cloud connectors and administrator consoles  214
  Running the Samsung SDS CellWe EMM Cloud Management Suite installer  214
  Modifying cloud connector account permissions  218
  Using Active Directory certificates in devices for authentication  222
    Creating the certificate templates  224
    Revoking certificates for unenrolled devices  225
  Uninstalling the Samsung SDS CellWe EMM Cloud Management Suite software  226

Appendix 2  List of device configuration policies  227
  Common Mobile Settings  228
    Passcode Settings  229
    Restrictions Settings  230
  iOS Settings  231
    Kiosk Mode  231
    Restrictions Settings  232
  Additional iOS Settings  235
    Application Management  237
    Bluetooth Settings  238
    Device Inventory Settings  238
    Firewall Settings  239
    Passcode Settings  239
    Restrictions Settings  240
    Roaming Settings  243
    Security Settings  243
    VPN Restrictions  244
    Wi-Fi Restrictions  245
  Samsung KNOX Workspace Settings  246
    Container settings  249
    Device Settings  254
  Touchdown Settings  255

Appendix 3  Configuring the Samsung SDS CellWe EMM cloud connector  256
  About the Samsung SDS CellWe EMM cloud connector and the configuration program  256
  Using the Status tab  257
    Updating the cloud connector to the latest version  257
  Using the Cloud Connector tab  257
  Using the Logging tab  260

Appendix 4  Configuring browsers for silent authentication  261
  Configuring web browsers for silent authentication  261
  Configuring Firefox to allow silent authentication  262
  Configuring Internet Explorer security zones  263
    Enabling Integrated Windows Authentication  264
    Adding a web site to the local intranet security zone  264
  Configuring Google Chrome on Windows for silent authentication  265

Appendix 5  Re-enrolling a device in domains with a different customer ID  266

Chapter 1
Getting started with Admin Portal
Welcome to Admin Portal. This is your administrator tool for managing the Samsung cloud
service applications, users, policies, and devices.
Admin Portal help is organized as a reference tool with separate chapters for each tab across
the top of the window—for example, Dashboards, Users, Apps, Devices, and Policies.
In addition, if you want to use Active Directory/LDAP accounts to authenticate cloud
service users, the help provides the instructions for installing and configuring the Samsung
SDS CellWe EMM cloud connector.
See “Where to find information in help” on page 2 for the links to each section.
Note: If you are logging in to Admin Portal using an Active Directory account, you may be
able to log in with silent authentication. See “Logging in to the user and administrator portals
with silent authentication” on page 4 for the details.
This chapter contains the following topics:
• “Where to find information in help” on page 2
• “Supported web and device browsers” on page 3
• “Using the account name drop down menu” on page 3
• “Switching between admin and user portals” on page 4
• “Logging in to the user and administrator portals with silent authentication” on page 4
• “Rolling out Samsung SDS CellWe EMM User Suite to users” on page 5

Where to find information in help
The following table summarizes where you can find information in the help (the section to
select, followed by the topics it covers).
Services and components overview: Start here if you are new to the Samsung SDS CellWe EMM User Suite and the Samsung cloud service to learn about the components and guidelines for selecting the cloud service identity repository and policy service.
Viewing dashboards: View graphical representations of device information and user activities.
Managing users: View the list of all Samsung cloud service user accounts and manage Samsung SDS CellWe EMM user service accounts.
Managing applications: Assign web and mobile applications to users.
Managing devices: Manage devices enrolled in the Samsung cloud service.
Managing policies: Enable user authentication policy controls, create cloud user password policies, and, if you are using the Samsung SDS CellWe EMM policy service for mobile device management, create mobile device policy sets.
Managing roles: Create and manage roles for users and administrators.
Managing reports: Generate and manage reports on cloud service usage.
Configuring cloud service settings: Configure the cloud service options.
Installing Samsung SDS CellWe EMM cloud connectors and administrator consoles: Installing and configuring the Samsung SDS CellWe EMM cloud connector and Cloud Manager console, including the reasons to install a cloud connector, what you need to install the cloud connector, and how to configure cloud connector settings. You should review this section if you are using Active Directory accounts to authenticate cloud service users.
List of device configuration policies: View the Samsung cloud service mobile device policies.
Configuring the Samsung SDS CellWe EMM cloud connector: Review and modify the initial Samsung SDS CellWe EMM cloud connector settings.
Configuring browsers for silent authentication: Configure your browser to provide silent authentication to an Active Directory account for users and administrators when they log in to the cloud service user and administrator web portals.
Re-enrolling a device in domains with a different customer ID: Help users unenroll a device from one domain and enroll it in another.

Supported web and device browsers
This version of Samsung SDS CellWe EMM User Suite has been tested with the following
web browsers:
• Internet Explorer:
  - version 8 on Windows XP and Windows 7 – for the Samsung SDS CellWe EMM user portal only
  - version 9 and 10 on Windows 7 and Windows 2008R2 server
  - version 10 on Windows 2012 server and Windows 8
• Mozilla Firefox: version 33 and later
• Google Chrome: version 37 and later
• Apple Safari: 8
For silent authentication to work correctly, some web browsers need additional
configuration (see “Configuring browsers for silent authentication” on page 261) or a
browser extension (see “Working with applications that require the Samsung SDS CellWe
EMM Browser Extension” on page 43).
On devices, the Samsung SDS CellWe EMM client and Samsung SDS CellWe EMM
WebApps open the web applications in the native browser unless that application requires a
browser extension to provide single sign-on. For these applications only, the Samsung SDS
CellWe EMM client and Samsung SDS CellWe EMM WebApps open the application in its
built-in browser.
Using the account name drop down menu
Click the arrow next to your account name to open the drop down menu.
The menu provides the following options (the option, followed by what clicking it does):
Downloads: Open a window with links that install the browser extension and download the browser extension for Chrome, Firefox, Safari, and Internet Explorer. See “Working with applications that require the Samsung SDS CellWe EMM Browser Extension” on page 43 for the details.
Reload: Update your account’s permissions, policies, and role. When an administrator changes your role’s permissions or security policies or role membership, it can take a while for this information to be updated in your account. To get an immediate update, click Reload.
About: Display the current cloud service version number, your region, your customer ID, and user name.
Switch to User Portal: Open your account’s cloud service user portal. (The user portal drop-down menu for cloud service administrator accounts only has an item to switch to Admin Portal too.)
Switching between admin and user portals
For administrator accounts only, you can switch from the admin portal to the user portal
and back without logging in each time. Click the “User Portal” link in the tab bar to open
the user portal. The tab bar in the user portal for administrators has a corresponding
“Admin Portal” link to switch you back to the admin portal.
Logging in to the user and administrator portals with silent authentication
If you have Integrated Windows authentication enabled on the Samsung SDS CellWe EMM
cloud connector (Integrated Windows authentication is enabled by default—see
“Configuring cloud connectors” on page 181 for the details) and your browser is configured
properly (see “Configuring browsers for silent authentication” on page 261) you can log in
to Admin Portal without entering your Active Directory credentials. You simply add your
login suffix to the Admin Portal URL in the following format:
https://cloud.samsungemm.com/manage?customerID=<loginsuffix>
For example, if your Active Directory login name is [email protected], you would
enter the following:
https://cloud.samsungemm.com/manage?customerID=bigcorp.com
Similarly, users with an Active Directory account can log in to the Samsung SDS CellWe
EMM user portal with silent authentication. For example, [email protected] would
enter the following URL to log in to the user portal:
https://cloud.samsungemm.com/my?customerID=bigcorp.com
See “Using login suffixes” on page 195 to learn about login suffixes.
Rolling out Samsung SDS CellWe EMM User Suite to users
After you have received your Samsung cloud service customer ID, you use Admin Portal to
perform the following broad series of procedures to roll out the Samsung SDS CellWe
EMM User Suite to your users:
1. Configure mobile device management and device policy management
   The first configuration tasks are to specify whether you are using the Samsung cloud
   service for single sign-on only or for mobile device management (the default) and then
   whether you are going to use Active Directory group policy objects or the Samsung SDS
   CellWe EMM policy service to set mobile device policies.
   • Set MDM or SSO: “Configuring mobile device management or single sign-on only” on page 205
   • Select policy resource: “Selecting the policy service for device policy management” on page 201
2. Create roles for users and administrators
   You use the roles to assign applications to a specific set of users and permissions to
   administrators. See “Managing roles” on page 141.
3. Add users
   How you add users to the Samsung cloud service depends upon which identity store you
   are using.
   If you are using the Samsung SDS CellWe EMM user service, see “Adding Samsung SDS
   CellWe EMM user service accounts” on page 27.
   If you are using Active Directory/LDAP to authenticate users, you don’t add their Active
   Directory/LDAP accounts to the cloud service. Instead, you install the Samsung SDS
   CellWe EMM cloud connector and reference the accounts in Active Directory/LDAP. See
   the following topics for more details:
   • “Referencing accounts from Active Directory/LDAP” on page 26
   • “Installing Samsung SDS CellWe EMM cloud connectors and administrator consoles” on page 208
4. Assign applications (for single sign-on)
   After you have the roles defined, you add the web applications from the Samsung SDS
   CellWe EMM App Catalog and assign them to roles. See “Managing applications” on page 36.
5. Define mobile device policies
   If you are using the Samsung cloud service for mobile device management, you use either
   Admin Portal or Windows Group Policy Management Editor to set the policies for mobile
   devices. See “Managing device configuration policies” on page 114.
6. Customize the Samsung cloud service
   Configure the remaining Samsung cloud service settings. See “Configuring cloud service
   settings” on page 175.
   There are two important settings if your users will be enrolling iOS-based or Samsung
   KNOX Workspace devices:
   • If your users will be enrolling iOS-based devices, be sure to get an Apple Push
     Notification Service certificate—see “Generating an APNS certificate” on page 190.
   • If your users will be enrolling Samsung KNOX Workspace devices or creating KNOX
     containers, you need to purchase Samsung KNOX Premium and Workspace license keys
     and licenses for all of the devices and upload the license key to the Samsung cloud
     service—see “Managing your Samsung KNOX licenses” on page 194.
After you customize the Samsung cloud service settings for your environment, you are
ready for your users to log in to the Samsung SDS CellWe EMM user portal and enroll their
devices.
Chapter 2
Services and components overview
The Samsung SDS CellWe EMM User Suite is a cloud-based set of services that simplify
provisioning applications, managing users, setting policies, and managing remote devices.
This chapter contains the following topics:
• “Component summary” on page 8
• “Which software is installed and where” on page 10
• “Supported devices” on page 11
• “Foreign language support” on page 12
• “Admin Portal overview” on page 12
• “Samsung SDS CellWe EMM user portal overview” on page 13
• “Selecting single sign-on or mobile device management” on page 14
• “Selecting an identity repository” on page 15
• “Selecting a policy service” on page 15

Component summary
Component summary
The Samsung cloud service is composed of the following cloud-based services, web portals
for administrators and users, and mobile applications users can install on their iOS and
Android devices.
• Policy Service: A cloud-based service that provides integrated mobile security
management. You configure policies for managing mobile device settings and the
Samsung cloud service automatically installs the policies in enrolled devices.
You can also use the Active Directory Group Policy Management Editor to set mobile
device policies. See “Selecting a policy service” on page 15 to learn more about your
options.
• App Catalog: The set of SaaS web applications ready for immediate assignment to
users. Application templates are also provided so you can assign your own web and
mobile applications and free applications from the Apple App Store. See “Managing
applications” on page 36 when you are ready to start adding applications to your cloud
service and deploying them to users.
• Cloud CA: A certification authority that generates certificates for devices when you
use the Samsung SDS CellWe EMM policy service for device policy management. The
certificates are automatically generated when you enable wi-fi, VPN, or Exchange
ActiveSync policies and select certificates for authentication. The certificates are
automatically installed when the user enrolls the device.
• Admin Portal administrator portal: Admin Portal is the web portal you use to
configure the Samsung cloud service, deploy web applications, manage users, generate
reports, and monitor user activity. If you are using the Samsung cloud service for mobile
device management, you use Admin Portal to manage the enrolled devices too.
• Samsung SDS CellWe EMM user portal: The Samsung SDS CellWe EMM user
portal is your users’ interface to the Samsung cloud service. They open the user portal
from their computer’s browser to open the web applications deployed to them, monitor
their activities, and manage their cloud service profile. If you use the Samsung cloud
service for mobile device management, users can also self-manage their devices from the
user portal.
• Samsung SDS CellWe EMM client: A free mobile application for Android and iOS
devices that users install on their devices to enroll their devices in the cloud service. It
provides single sign-on to the applications you deploy to them.
The Samsung SDS CellWe EMM client includes a browser that is opened in place of the
device’s default browser for web applications that require a browser extension to provide
single sign-on. This lets users run the same applications they open from their desktop
browser on their devices. If the web application does not require the browser extension,
the application opens in the user’s selected browser.
• Samsung SDS CellWe EMM WebApps application (not shown): A free mobile
application that users with Samsung KNOX Workspace devices install in their Samsung
KNOX container. It provides single sign-on to the web applications you assign to the
user from inside the container.
• Samsung SDS CellWe EMM Browser Extension (not shown): A free browser add-on
that’s required to provide single sign-on for some applications. The user portal
prompts the user to install the extension when the user opens one of these applications.
The Samsung SDS CellWe EMM user portal helps to provide Samsung SDS CellWe
EMM Browser Extension installation instructions for Firefox, Windows Explorer,
Chrome, and Safari browsers.
The browser extension can also be used to add applications that are not listed in the
Samsung SDS CellWe EMM App Catalog. See “Adding web applications by using
Samsung SDS CellWe EMM Infinite Apps” on page 49 for the details.
• KNOX Portal: A website where you can purchase Samsung CellWe EMM, KNOX
Premium, and KNOX SSO for KNOX licenses and web application licenses.
The Samsung SDS CellWe EMM User Suite also includes the optional Samsung CellWe
EMM cloud connector. This is a software package you install on Windows computers inside
your firewall that lets you authenticate users with their Active Directory/LDAP accounts
for access to the administrator and user portals. Optionally, this lets you use the following:
• Active Directory Certificate Service to generate user and computer certificates.
• Active Directory Users and Computers to manage devices.
• Windows Group Policy Management to manage mobile device policies.
See “Installing Samsung SDS CellWe EMM cloud connectors and administrator consoles” on
page 208 to download and run the installer.
You install one set of cloud connectors when all of the cloud service users are in domain
trees or forests that have two-way, transitive trust relationships between the domain
controllers. If your organization has multiple, independent domain trees or forests, you
install a separate set of cloud connectors for each tree or forest. See “Supporting user
authentication for multiple domains” on page 211 for the details.
When you use the cloud connector to authenticate Active Directory users, the installer
includes the following extensions:
• Active Directory Users and Computers console extension: A console
extension that adds tabs to the mobile device’s and user’s Active Directory Properties
windows with cloud service information. When you install the console extension, you
can use Active Directory Users and Computers to manage devices.
• Group Policy console extension: A console extension that adds a comprehensive
set of mobile device policies for Samsung, Android and iOS devices. When you install
this console extension, you can use Windows Group Policy Management to create group
policy objects and install them on mobile devices.
Which software is installed and where
The software you and your users install depends upon whether you are using the Samsung
SDS CellWe EMM User Suite for single sign-on, mobile device management, or both. After
you have made that decision, the components you install depend upon whether you are
using the Samsung SDS CellWe EMM user service or Active Directory/LDAP to store user
account and device data.
Using the Samsung SDS CellWe EMM User Suite for single sign-on
When you use the Samsung SDS CellWe EMM User Suite for single sign-on only with the
Samsung SDS CellWe EMM user service as your identity store, there is nothing for you to
install. In this environment, you use Admin Portal to assign the web applications and create
the user accounts and roles in the user service. In this case, the users log in to the Samsung
SDS CellWe EMM user portal from their browser to open the applications with single sign-on.
Note
It may be necessary for users to install the Samsung SDS CellWe EMM Browser
Extension on their browser. Many popular applications require the browser extension to
provide single sign-on.
You can also provide single sign-on to the web applications from the users’ devices. In this
case, the users need to install the free Samsung SDS CellWe EMM client on their devices
and enroll their devices in the cloud service.
If you want to use your Active Directory/LDAP accounts to authenticate cloud service
users, you install the Samsung SDS CellWe EMM cloud connector and the Active Directory
Users and Computers console extension on a Windows computer inside your firewall.
Note that Active Directory Users and Computers is for Active Directory deployments only.
See “Installing Samsung SDS CellWe EMM cloud connectors and administrator consoles” on
page 208 for the details.
Using the Samsung SDS CellWe EMM User Suite for mobile device management
When you use the Samsung SDS CellWe EMM User Suite for mobile device management
with the Samsung SDS CellWe EMM user service as your identity store, there is nothing for
you to install. You use Admin Portal to create user accounts, create policy sets for the
devices, and deploy mobile applications.
The users install the free Samsung SDS CellWe EMM client on their devices and enroll their
devices in the cloud service. After the device is enrolled, the cloud service installs the
mobile device policies and mobile applications and deploys web applications. Users then use
the Samsung SDS CellWe EMM client to open the mobile and web applications you deploy
to them.
Users open the Samsung SDS CellWe EMM user portal from their browser to monitor their
devices and send self-service commands to them. If they are also using the user portal to
open the web applications you deploy to them, they may also need to install the Samsung
SDS CellWe EMM Browser Extension.
If you want to use your Active Directory accounts to authenticate users, you install the
Samsung SDS CellWe EMM cloud connector, the Active Directory Users and Computers
console extension, and the Group Policy console extension on a Windows computer inside
your firewall. See “Installing Samsung SDS CellWe EMM cloud connectors and
administrator consoles” on page 208 for the details.
Supported devices
If you are using the Samsung cloud service for mobile device management, it supports
enrolling the following devices and computers:
• An Android device running Android 2.3 or later
• Samsung KNOX Workspace devices running KNOX Enterprise SDK versions 1.x and
KNOX 2.x. This includes transparent integration with the Samsung Universal Mobile
device Management Client (UMC) and the Samsung Enterprise Gateway.
• An iOS device (for example, an iPhone, iPad, or iPod Touch) running iOS 7.0 or later
Foreign language support
Foreign language support is provided for the following components:
• Samsung SDS CellWe EMM user portal help
• Samsung SDS CellWe EMM user portal text strings
• Admin Portal text strings
Note
Not all of the languages listed below are available for the Admin Portal text strings.
For the user and administrator portals, you select the language in the browser. For example,
to change the language in Firefox you click the Firefox drop-down menu, click Options,
and then click the Content tab. Click the Choose button to select a different language. To
change the language in Chrome, you click the browser menu, click Settings, click Show
Advanced Settings, and scroll down to Languages to choose another language.
For the Samsung SDS CellWe EMM client, you select the language in the device settings.
In this release, translations are provided for the following languages:
• Brazilian Portuguese
• Chinese—Simplified and Traditional
• French
• German
• Italian
• Japanese
• Korean
• Portuguese
• Russian
• Spanish
Additional languages are being added over time—see the Release Notes for the most recent
additions.
Admin Portal overview
You use Admin Portal to configure the Samsung cloud service and to perform the day-to-day
administrative tasks. For example, you use Admin Portal to perform the following
tasks:
• Assign applications to users
• Create roles for users and administrators and assign cloud service permissions
• Manage enrolled devices
• Create policy sets for the Samsung SDS CellWe EMM policy service
• Monitor Samsung cloud service activity
• Configure the Samsung cloud service settings
• Generate reports
You manage the cloud service features using the tabs across the top of the Admin Portal
page.
Samsung SDS CellWe EMM user portal overview
See the user web portal online help for an overview.
Note You can control which users can open the user portal and when. For example, you can
configure the user portal application so that only users in specific roles can open it and they
can open it only when they are on your organization’s intranet. See “Deploying the Samsung
SDS CellWe EMM User Portal application” on page 36 for the details.
The user portal help also provides the user instructions for installing the Samsung SDS
CellWe EMM client on devices and enrolling devices in the Samsung cloud service.
Normally, you send users an invitation to get them started on the user portal—see “Sending
invitations to users” on page 33. However, users can open the user portal from their
browser by entering the following URL:
https://cloud.samsungemm.com/my
After they log in, the user portal opens to the Devices page. This, in turn, prompts them to
enroll their devices as soon as they open the user portal. Alternatively, users can click on
the Apps page to run the web applications you assigned to them. The following image shows
the Apps page in the user portal populated with web applications.
Users click Help in the title bar to open the online help and use the drop-down menu to
reload privileges and, in Settings, select the default applications filter and turn off device
tracking for devices.
Note
For administrator accounts only, the drop-down menu also includes an option to
switch from the user portal to the administrator portal.
Selecting single sign-on or mobile device management
You can configure the Samsung SDS CellWe EMM User Suite components for single sign-on
to web applications only or mobile device management only. You make the selection in
the Settings tab in Admin Portal.
Note
This topic describes cloud service configuration options only. Your licenses, however,
also affect the scope and breadth of the cloud service features available to you. Talk to your
cloud service provider for the details.

• When you select single sign-on for web applications, you get the following:
You can assign the web applications from Admin Portal to users. The users open the
Samsung SDS CellWe EMM user portal to open the applications. They enter their
login credentials just once. Every time they log in thereafter, the Samsung cloud service
provides silent authentication.
Single sign-on is provided for web applications that use a login name and password or
SAML (Security Assertion Markup Language) for user authentication. The Samsung SDS
CellWe EMM App Catalog includes a large and growing catalog of popular, web-based
SaaS applications that are ready for immediate assignment.
Users can also install the Samsung SDS CellWe EMM client on their mobile devices to
enroll their devices in the cloud service and log in to the same web applications from their
devices. However, they cannot use most of the device management commands provided
when you use the Samsung cloud service for mobile device management.
• When you select mobile device management, you get the following:
You can define mobile device policies for enrolled devices. The user installs the Samsung
SDS CellWe EMM client to enroll the device in the Samsung cloud service. After the
device is enrolled, the cloud service updates the policies when you make changes and
provides a set of commands—for example, lock and wipe—you and the device owner
can send to the device.
This option also lets you deploy mobile applications to the devices. For example, you can
deploy free applications from Google Play or the Apple App store and mobile
applications you have developed in-house.
Note
When you select the Samsung SDS CellWe EMM User Suite for mobile device
management, the cloud service also provides single sign-on to web applications.
However, the mobile device policies available to you and the number of mobile
applications you can deploy may be license-dependent.
Selecting an identity repository
The Samsung cloud service requires an identity repository for storing data about your
organization’s users and mobile devices. You can use either or both of the following:
• Samsung SDS CellWe EMM user service: The Samsung cloud service includes this
built-in identity repository. When you select this option, the Samsung cloud service uses the
user service account to authenticate users and, if you are using the cloud service for
mobile device management, to store the enrolled device records.
• Active Directory/LDAP: The Samsung cloud service securely connects with your
existing Active Directory/LDAP infrastructure through the Samsung SDS CellWe EMM
cloud connector to authenticate users when they log in to the web portals and enroll a
device. The Samsung cloud service does not replicate Active Directory/LDAP accounts
or attributes in the cloud service.
If you are not already using Active Directory/LDAP, you can get started right away using
the user service. You can create user accounts individually or use the bulk-import feature to
import a set of users from a CSV or Excel file.
If your organization is heavily invested in Active Directory/LDAP, you can continue to use
it as your primary identity store and use the same tools (for example, Active Directory
Users and Computers) to manage users and mobile devices. When you use Active
Directory/LDAP, your users enter their Active Directory/LDAP credentials to log in to
the Samsung SDS CellWe EMM user portal and enroll devices.
You can use both identity stores simultaneously, too. For example, even if you decide to use
Active Directory/LDAP as your primary identity store, the user service can provide a
convenient supplemental repository for the following types of users:
• Emergency administrators: If there is ever a network breakdown to the Active
Directory domain controller, no one with just an Active Directory/LDAP account can
log in. However, if you create administrator accounts in the user service, these users can log
in to Admin Portal and the user portal and launch web applications.
• Temporary users: If you have temporary users—for example, customers, contractors,
and partners—who need to run your web applications, it may be easier and less risky to
add them as user service accounts rather than Active Directory/LDAP accounts.
Selecting a policy service
If you use the Samsung cloud service for mobile device management, you can use either of
two resources to set mobile device policies:
• Admin Portal: You create policy sets and then link them to roles.
• Windows Group Policy Management Editor: You create a group policy object and link
it to an Active Directory/LDAP organizational unit. You then specify the
organizational unit in the policy set that enables users to enroll devices.
The cloud service installs the policies on the role’s members’ devices only.
Both resources provide a comprehensive set of mobile device configuration policies for
managing iOS, Android, and Samsung KNOX devices. See “List of device configuration
policies” on page 227 for a summary of the policies provided.
Which service you should use depends upon which identity repositories you are using.
• If some of the users who will be enrolling devices have their accounts in the Samsung
SDS CellWe EMM user service and others have their accounts in Active Directory/
LDAP, you must use the Samsung SDS CellWe EMM policy service to define policy sets
for the devices.
• If all of your users who will be enrolling devices have their accounts in Active Directory,
you can use either the Windows Group Policy Management Editor or the Samsung SDS
CellWe EMM policy service.
Chapter 3
Viewing dashboards
The Dashboard pages provide a getting started guide, handy summaries and graphical
representations of your cloud service usage.
The Dashboards page opens to the Getting Started page. This page provides guidelines for
each phase of cloud service deployment and provides links to the full descriptions in the
Admin Portal online help.
Use the drop-down menu to select the other dashboard pages. The Overview page, for
example, provides a broad summary indicating the number of users and devices, user login
locations, Active Directory/LDAP cloud connector information, and related information.
The other Dashboards pages illustrate your mix of devices and user activities.
Use the Settings drop-down in the upper right corner to select the current page as the
default.
Displaying user login activity
The map on the Overview page and the entire User Activity page show you users’ locations
when they log in to the user portal and the number of logins from each location. You can
then open the User Activity dashboard to zoom in. Hover over or click the location to show
the login activity.
For privacy reasons, user location data in Admin Portal is based on the IP address used to
access the identity platform. This IP address is often virtually assigned, so it may not reflect
the actual user portal log in location. On the user portal, users have access to their device
GPS so the location data is more accurate.
Chapter 4
Managing users
The Users page in Admin Portal lists all of the user accounts in the Samsung cloud service.
This includes all of the users you create in the Samsung SDS CellWe EMM user service and,
if you are using Active Directory/LDAP for user authentication, the Active Directory/
LDAP users who have logged in to the Samsung SDS CellWe EMM user portal or enrolled
devices.
Your role must have the cloud service Users Management administrative right to view, add,
and modify user accounts.
This chapter contains the following topics:
• “Account sources” on page 19
• “Using the Active Directory/LDAP and user service ID repositories” on page 20
• “Default user accounts” on page 21
• “Managing cloud accounts from the Users page” on page 21
• “Referencing accounts from Active Directory/LDAP” on page 26
• “Adding Samsung SDS CellWe EMM user service accounts” on page 27
• “Sending invitations to users” on page 33
• “Deleting accounts” on page 34
• “Specifying a user’s application login settings” on page 34
Account sources
The Source column indicates the ID repository that contains this user account.
• Active Directory/LDAP. These users are authenticated using their Active Directory/
LDAP accounts. The account’s Active Directory/LDAP domain is shown in
parentheses.
The Samsung cloud service does not replicate Active Directory/LDAP accounts and their
attributes in the cloud service. Instead, the accounts are referenced when the user logs in
to the user portal, enrolls a device, or opens a password-protected application.
Note
If you have multiple cloud connectors managing multiple, independent domain
trees or forests, the Source column also shows the source domain.
To use Active Directory/LDAP as a source, you must install the Samsung SDS CellWe
EMM cloud connector. See “Installing Samsung SDS CellWe EMM cloud connectors and
administrator consoles” on page 208 for the details.
Any user with an Active Directory/LDAP account can log in to the Samsung SDS CellWe
EMM user portal. However, to enroll a device the user must be a member of a role with
a policy set that has the Permit device enrollment policy in the Device Enrollment settings
set to Yes. See “Device Enrollment Settings - Enabling users to enroll devices” on page
96 for the details.
• Cloud: These users have a Samsung SDS CellWe EMM user service account. The
account information resides in the Samsung cloud service only.
You must create cloud accounts explicitly before these users can log in to the user portal
or enroll a device. You can add cloud accounts individually or in bulk from a CSV file or
Excel spreadsheet.
Any user with a user service account can log in to the user portal. However, to enroll a
device the user must be a member of a role with a policy set that has the Permit device
enrollment policy in the Device Enrollment settings set to Yes. See “Device Enrollment
Settings - Enabling users to enroll devices” on page 96 for the details.
Using the Active Directory/LDAP and user service ID repositories
The Samsung cloud service can use Active Directory/LDAP and Samsung SDS CellWe
EMM user service accounts to authenticate users. You must have the cloud connector
installed to use Active Directory/LDAP accounts.
When the cloud service receives an authentication request, it checks the ID repositories for
the account name in the following order:
1 User service by name
2 Active Directory/LDAP user by user
3 Active Directory/LDAP user by email
4 User service by email
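The lookup order above decides which account an identifier resolves to when both repositories are in use. The following is an added example, not part of this guide or of the CellWe product: a small Python resolver that walks the four steps over two constructed in-memory repositories, plus a check that lists identifiers matching more than one distinct account. That check matters to an administrator because only the earliest matching step is ever used at login, so a user service account whose login name equals an Active Directory user’s e-mail address silently takes precedence over that Active Directory account (the emergency-administrator pattern described under “Selecting an identity repository” relies on exactly this precedence, and it is also how a stray cloud account could shadow a directory user). Case-insensitive comparison and the account fields used are assumptions; the guide states no comparison rules.

```python
"""Account resolution in the order the guide lists: user service by name,
Active Directory/LDAP by user name, Active Directory/LDAP by email, then
user service by email. Added example with constructed data; not CellWe code."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Account:
    name: str    # login name (cloud) or user name (Active Directory/LDAP)
    email: str
    source: str  # value shown in the Source column, e.g. "Cloud"


# Constructed sample repositories; every account here is hypothetical.
USER_SERVICE: List[Account] = [
    Account("admin@acme.example", "admin@acme.example", "Cloud"),
    Account("contractor@acme.example", "temp.worker@mail.example", "Cloud"),
]
DIRECTORY: List[Account] = [
    Account("jdoe", "jdoe@acme.example", "Active Directory/LDAP (acme.example)"),
    Account("admin", "admin@acme.example", "Active Directory/LDAP (acme.example)"),
]

Lookup = Callable[[str, Sequence[Account], Sequence[Account]], Optional[Account]]


def _match(repo: Sequence[Account], field: str, ident: str) -> Optional[Account]:
    """First account in repo whose field equals ident. Comparison is
    case-insensitive; that is an assumption, the guide states no rule."""
    wanted = ident.strip().lower()
    for acct in repo:
        if getattr(acct, field).lower() == wanted:
            return acct
    return None


# The four steps, in the order the guide lists them.
LOOKUP_ORDER: List[Tuple[str, Lookup]] = [
    ("user service by name", lambda i, us, ad: _match(us, "name", i)),
    ("AD/LDAP by user", lambda i, us, ad: _match(ad, "name", i)),
    ("AD/LDAP by email", lambda i, us, ad: _match(ad, "email", i)),
    ("user service by email", lambda i, us, ad: _match(us, "email", i)),
]


def resolve(identifier: str,
            user_service: Sequence[Account] = USER_SERVICE,
            directory: Sequence[Account] = DIRECTORY) -> Optional[Tuple[str, Account]]:
    """Return (step, account) for the first step that finds the identifier,
    or None when no repository knows it. Later steps are never consulted."""
    for step, lookup in LOOKUP_ORDER:
        acct = lookup(identifier, user_service, directory)
        if acct is not None:
            return step, acct
    return None


def shadowed_identifiers(user_service: Sequence[Account] = USER_SERVICE,
                         directory: Sequence[Account] = DIRECTORY) -> Dict[str, List[str]]:
    """Identifiers that match more than one distinct account across the four
    steps. Only the earliest matching step is used at login, so the other
    accounts are unreachable through that identifier; review these."""
    accounts = list(user_service) + list(directory)
    idents = {a.name.lower() for a in accounts} | {a.email.lower() for a in accounts}
    report: Dict[str, List[str]] = {}
    for ident in sorted(idents):
        steps_hit: List[str] = []
        distinct = set()
        for step, lookup in LOOKUP_ORDER:
            acct = lookup(ident, user_service, directory)
            if acct is not None:
                steps_hit.append(step)
                distinct.add((acct.source, acct.name))
        if len(distinct) > 1:
            report[ident] = steps_hit
    return report


if __name__ == "__main__":
    for ident in ("admin@acme.example", "jdoe", "jdoe@acme.example",
                  "temp.worker@mail.example", "nobody"):
        print(f"{ident!r:32} -> {resolve(ident)}")
    print("shadowed:", shadowed_identifiers())
```

Running the block shows `admin@acme.example` resolving at step 1 to the Cloud account even though a directory account carries the same e-mail address, `jdoe` resolving at step 2, `jdoe@acme.example` at step 3 and `temp.worker@mail.example` at step 4. `shadowed_identifiers` reports only `admin@acme.example`, the one identifier that reaches two different accounts; in a real deployment the same walk over an export of both repositories would list every cloud account that pre-empts a directory user.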
In addition, the Samsung cloud service uses the contact information in Active Directory/
LDAP or the cloud accounts to contact users when multifactor authentication is enabled for
logging in to Admin Portal and the Samsung SDS CellWe EMM user portal (see
“Authentication - Setting authentication policy controls” on page 98). If the contact
information is wrong, the user is not able to log in.
If you plan to use Active Directory/LDAP as your ID repository, there are some use cases
that justify creating either alternate or exclusive accounts in the Samsung cloud service:
• Emergency access: If the network connection to the domain controller breaks down and
users cannot be authenticated against their Active Directory/LDAP account, they can
instead be authenticated against their cloud account. Thus, they can continue to use the
applications from the Samsung SDS CellWe EMM user portal and their devices.
• Temporary user: Some organizations’ security policies can make adding a short-term user
to Active Directory/LDAP a complex and time-consuming task. If you have a
temporary worker who needs access to just the applications you deploy through the
cloud service, it may be simpler to add the account to the Samsung cloud service.
• Contractors or less-trusted users: Sometimes you do not want users to have the full set
of privileges and access rights an Active Directory/LDAP account provides. In this case,
you create the account in the cloud only and these users are limited to the Samsung
cloud service applications.
Default user accounts
The Samsung cloud service created a default Samsung SDS CellWe EMM user service
account when your organization signed up. The login name of the default account is based
on the work email account entered in the cloud service sign-up form. Generally, the login
name to the default user service account is the same as the full email account—for example,
if the email account is [email protected], the default user service account is
[email protected]
However, if the login suffix in the email account is already in use by another Samsung cloud
service customer, a number is appended to the login suffix. The login suffix is that part of
the full account name following “@”, “acme.com” in this example. For example, if
“acme.com” is already in use, the default user service account would be
[email protected] (or another number).
The account name is provided in the email you received after you signed up. You use this
account to log in to Admin Portal and the user portal. This account is automatically added
to the sysadmin role, giving you full administrator permissions in the cloud service.
Managing cloud accounts from the Users page
You create, modify, and delete Samsung SDS CellWe EMM user service accounts from
Admin Portal. You create, delete, and modify Active Directory accounts from Active
Directory Users and Computers only. You must be a member of the sysadmin role or any
Samsung cloud service role that has the User Management administrative right to create,
delete, and modify cloud accounts.
Click the column header to sort the rows.
Admin Portal provides two actions you can initiate from a user’s account listing on this
page:
• Click a user to display the user’s account details page. For cloud accounts, you can edit
the account properties from this page.
• Right-click a user to invoke a command on the user’s account.
Understanding account sources
The Source column indicates the account’s ID repository:
• Active Directory/LDAP
These users are authenticated using their Active Directory/LDAP accounts. The
account’s Active Directory/LDAP domain is shown in parentheses.
The Samsung cloud service does not replicate Active Directory/LDAP accounts and their
attributes in the cloud service. Instead, the accounts are referenced when the user logs in
to the user portal, enrolls a device, or opens a password-protected application.
Note
If you have multiple cloud connectors managing multiple, independent domain
trees or forests, the Source column also shows the source domain.
To use Active Directory/LDAP as a source, you must install the Samsung SDS CellWe
EMM cloud connector. See “Installing Samsung SDS CellWe EMM cloud connectors and
administrator consoles” on page 208 for the details.
• Cloud
These users have a Samsung SDS CellWe EMM user service account. The account
information resides in the Samsung cloud service only. You can add cloud accounts
individually or in bulk from a CSV file or Excel spreadsheet.
Understanding account statuses
The Status column indicates the account state.
Status: Active
Indicates: The user has either logged in to one of the portals or enrolled a device.
Status: Invited
Indicates: An administrator has sent an invitation to log in to the user portal or enroll a
device; however, the user has not responded.
You can send an invitation when you create a Samsung SDS CellWe EMM user
service account (see “Creating a single user account in the user service” on page 28)
or separately to accounts in all sources using the Invite User button (see “Sending
invitations to users” on page 33).
The Last Invite column indicates the date and time of the most recent invitation.
When you add accounts to the user service using Bulk import (see “Bulk import user
accounts” on page 30), Admin Portal automatically sends an email invitation to all
new accounts by default.
Status: Not Invited
Indicates: The account was created in the user service but no email invitations have been sent.
Managing users from their account details page
When you click a user, Admin Portal displays the account details and provides a set of tabs
along the left side that offer more information about the account. The following table
describes each tab and the tasks you can perform after you click the link.
Tab: Account
Contains: Account and profile information
Tasks you can perform: For Active Directory/LDAP accounts: You cannot change any of
these fields using Admin Portal. For cloud accounts: You can change any Account, Status,
or Profile field value.
Tab: Activity
Contains: Event log of user’s cloud
Tasks you can perform: Read the user’s activity log.
Tab: Application Settings
Contains: Applications with custom login settings
Tasks you can perform: You can specify login credentials for a specific application. See
“Specifying a user’s application login settings” on page 34.
Tab: Devices
Contains: Devices enrolled by the user
Tasks you can perform: You can click the check box for one or more devices and send a
command to the device. See “Using the device management commands” on page 74 for the
device command descriptions. You can also click on the device to show the device’s details
page.
Tab: Roles
Contains: Admin Portal roles in which the user is a member
Tasks you can perform: Review the user’s roles. (You change the user’s roles on the Roles
page.)
Tab: Provisioned Applications
Contains: A list and status of applications that were provisioned to this user
Tasks you can perform: None. Provisioning is available for a limited number of
applications. See the release notes for the current list.
Tab: Policy Summary
Contains: Listing of policies set for this user
Tasks you can perform: None. Click Policy Summary to see which policies are enabled for
this user. The display indicates the setting for each policy enabled and the policy set in
which the policy is enabled. Open the policy set to change the setting.
Note: The mobile device policy settings are only displayed when you use the Samsung SDS
CellWe EMM policy service to manage device policy.
Modifying a user account
Click the Account tab to view a user’s account properties and status.
For Active Directory accounts, you must use Active Directory Users and Computers to
update the account details. The field values are updated in the cloud service according to
the Active Directory user verification interval you set in the cloud connector (see “Using
the Cloud Connector tab” on page 257).
For cloud accounts, you can change all of the fields in the Account tab. Be careful when you
change the user’s login suffix because this affects their role memberships and policies. If you
have users who will be enrolling devices or you are using mobile devices as a form of
multifactor authentication, be sure to put the device’s phone number in the Mobile Number
field.
The following options can be updated anytime:

Locked
  Locks the account. Set this field to prevent the user from logging in to the user portal or
  launching applications from the Samsung SDS CellWe EMM client.

Password never expires
  Overrides the default “Maximum password age” policy setting. Regardless of the
  “Maximum password age” setting, the password for this account never expires.
  The default maximum password age for user service accounts is 365 days. You use the
  Account Security Policies > Password Settings > Maximum password age policy on the
  Policies tab in Admin Portal to reset this value.
  Note: This setting and the “Require password change at next login” setting are
  interdependent. If you select one, the other is reset.

Require password change at next login (recommended)
  Forces users to create a new password the next time they log in. When you select this
  option, users are immediately prompted to create a new password the next time they log
  in to the user portal with their current password. The user is also subject to any password
  reset policy controls and settings you have enabled (see “Password Settings - Setting
  password controls” on page 112).
  This setting is reset as soon as the user logs in and creates a new password.
  Note: This setting and the “Password never expires” setting are interdependent. If you
  select one, the other is reset.

Add to Everybody role
  Adds this account to the Everybody role. It is best practice to leave the “Add to
  Everybody role” setting selected unless you plan to assign this user to a specific role.
  Admin Portal uses roles to assign applications, administrative rights, and policies to
  separate sets of users. You must assign a user to a role that has the Samsung SDS CellWe
  EMM user portal deployed if you want that user to have access to the Samsung SDS
  CellWe EMM user portal. See “Managing roles” on page 141 for more information.
User Management commands
Admin Portal provides several user management commands. They are displayed when you
right-click the name on the Users page and in the Actions menu on the account’s details
page.

Delete
  ID repository: Active Directory/LDAP and Samsung SDS CellWe EMM user service
  Result: Deletes a user service account from the Samsung cloud service. The user is no
  longer listed on the Users page and is no longer able to log in to the Samsung SDS CellWe
  EMM user portal or Admin Portal.
  For Active Directory/LDAP user accounts, the deleted account is only removed from the
  Users page. You must use Active Directory Users and Computers to delete the Active
  Directory/LDAP account.

MFA Unlock
  ID repository: Active Directory/LDAP and Samsung SDS CellWe EMM user service
  Result: Suspends multi-factor authentication for 10 minutes. Multi-factor authentication
  requires users to perform additional steps (such as verifying their identity by email or
  phone call) to log in to the Samsung SDS CellWe EMM user portal and Admin Portal. If the
  user is having trouble logging in, select the user and select this action to let the user log in
  with just a user name and password.

Send email invite for user portal setup
  ID repository: Active Directory/LDAP and Samsung SDS CellWe EMM user service
  Result: Sends an email to the selected users with their login account name and a link to
  the user portal.

Send SMS invite for device enrollment
  ID repository: Active Directory/LDAP and Samsung SDS CellWe EMM user service
  Result: Sends an SMS message with a link that downloads the Samsung SDS CellWe EMM
  client to the device. The user account must have a mobile phone number to use this
  command.

Reload
  ID repository: Active Directory/LDAP and Samsung SDS CellWe EMM user service
  Result: Updates the user’s rights immediately to put into effect any changes you have
  made to the account—for example, if you added the user to a new role or changed the
  user’s administrative privileges. Use this command immediately after modifying the
  user’s role or rights.

Sync All Apps
  ID repository: Active Directory/LDAP and Samsung SDS CellWe EMM user service
  Result: Forces synchronization for all applicable applications.
  Note: This only applies to web applications that support provisioning. If Sync Daily is
  selected, the cloud service synchronizes user accounts for all provisioned applications for
  this user.

Set Password
  ID repository: Samsung SDS CellWe EMM user service only
  Result: Prompts you to reset the user’s cloud account password. In the window that
  appears, you enter a new password for the user.
  Note: You must reset the password for Active Directory/LDAP accounts by using Active
  Directory Users and Computers.
Referencing accounts from Active Directory/LDAP
Generally, when you use Active Directory/LDAP accounts to authenticate cloud service
users, you do not add them to the Samsung SDS CellWe EMM cloud connector user
service. Instead, the Samsung cloud service automatically adds the Active Directory/LDAP
accounts to the Users page when they log in to the Samsung SDS CellWe EMM user portal
or enroll a device. You manage the account’s properties (for example, email address and
phone numbers), entirely in Active Directory/LDAP.
However, you do need to add an Active Directory/LDAP account to a role to deploy
applications to that user. You can add either the user’s Active Directory/LDAP account or
the user’s Active Directory/LDAP group to the role. See “Adding and removing users and
groups to and from roles” on page 144 for the details.
Notes
• After you add an Active Directory/LDAP user or group to a role, the name is not listed
  on the Users page until the user logs in to the user portal or enrolls a device.
• The Samsung SDS CellWe EMM User Portal web application must be assigned to a role in
  which users are a member before they can log in. By default, Samsung SDS CellWe EMM
  User Portal is assigned to the Everybody role so this is normally not a problem. In addition,
  when you use the Invite User button (see “Sending invitations to users” on page 33), the
  role you specify is automatically added to the Samsung SDS CellWe EMM User Portal User
  Access settings.
• You can delete an Active Directory/LDAP account from either Active Directory/LDAP or
  the Samsung SDS CellWe EMM user service. When you remove the account using Admin
  Portal, the account is automatically deleted from the cloud service, but it is unchanged in
  Active Directory.
• Deleted object detection from Active Directory to Cloud Manager requires that each Cloud
  Connector has permission to read the deleted objects container in Active Directory. For the
  connector to detect a user account deletion performed in Active Directory and update the
  Users page in Cloud Manager, you need to run a few commands on each connector. After
  permission has been granted for each connector, deletions are automatically detected.
  - If you do not have the necessary permissions to change the permissions of the deleted
    objects container, then run this command:
    dsacls "CN=Deleted Objects,DC=<EXAMPLE>,DC=<COM>" /takeownership
  - The following command grants the Cloud Connector permission to read the deleted
    objects container in Active Directory (the account named with /user is an administrator
    account in your domain):
    dsacls "CN=Deleted Objects,DC=<EXAMPLE>,DC=<COM>" /user:<USERNAME>@<EXAMPLE.COM> /passwd:* /g <EXAMPLE>\<MACHINENAME>$:LCRP /I:T
Notifying users with Active Directory/LDAP accounts
Users with Active Directory/LDAP accounts log in to the user portal and enroll devices
using their Active Directory/LDAP credentials.
To get Active Directory/LDAP users started with the cloud service, you can send them an
invitation (see “Sending invitations to users” on page 33) or you can provide the following
URL to the users and tell them to use their Active Directory/LDAP credentials to log in:
https://cloud.samsungemm.com/my
They use the same credentials to enroll devices.
Simplifying logging in to cloud service portals for Active Directory/LDAP accounts
Users with Active Directory accounts can log in to the user portal and Admin Portal
without entering their user name and password from computers that are within your
organization’s intranet. For example, you can log in to Admin Portal without entering your
credentials by appending the login suffix to the portal’s URL as follows:
https://cloud.samsungemm.com/manage?customerid=<loginsuffix>
If you have not yet defined any other login suffixes, you can use the default suffix—your
Active Directory account’s UPN suffix. For example, if your domain name is abcorp.com,
you would enter the following URL to log in without entering your user name and
password:
https://cloud.samsungemm.com/manage?customerid=abcorp.com
See “Using login suffixes” on page 195 to learn about login suffixes.
Similarly, users can log in to the user portal by adding the login suffix to their URL. In this
case the syntax is as follows:
https://cloud.samsungemm.com/my?customerid=<loginsuffix>
Both of these methods use Integrated Windows Authentication to authenticate the user
with their Active Directory credentials and require the user to be on your organization’s
intranet. You may need to reconfigure the default Integrated Windows Authentication
settings and define IP addresses on your Samsung SDS CellWe EMM cloud connector to
use this feature. See “Configuring cloud connectors” on page 181 to configure a cloud
connector.
You can also define a login suffix as an alias for a long Active Directory/LDAP UPN suffix.
See “Creating an alias for long Active Directory domain names” on page 197 for the details.
Adding Samsung SDS CellWe EMM user service accounts
The cloud service created a default account when your organization signed up. This account
is automatically added to the sysadmin role, giving you full administrator permissions.
Using this default account, you can create user accounts one-at-a-time or you can bulk
import up to 10,000 user accounts from an Excel xls/xlsx spreadsheet or a CSV file.
Note: When you create new accounts, these users do not appear in the KNOX Marketplace
until you synchronize users. This is most important when you want to add a new user to an
application you have licensed. See the KNOX Marketplace help for the details.
Creating a single user account in the user service
To create user accounts one-at-a-time:
1 Log in to Admin Portal using your administrator account.
2 Click Users.
3 Click Add User.
4 Enter a login name and select a suffix.
A user name can be composed of any of the UTF8 alphanumeric characters plus the
symbols + (plus), - (dash), _ (underscore), and . (period).
The suffix is the part of your account name that follows “@”. For example, if your
account name is <login name>@acme.com, then the suffix is acme.com. By default, the
suffix associated with your default account is populated.
All login suffixes are displayed in the list, including the login suffix for any Active
Directory/LDAP domains you are using.
Important: If you select the login suffix for an Active Directory/LDAP domain, the
account is not added to Active Directory/LDAP. The account’s Source column will
indicate Cloud as the source, rather than Active Directory/LDAP.
5 Enter the email address and display name for the user.
6 Enter a password.
This is a one-time password for the user to log into the Samsung SDS CellWe EMM User
Portal when you select “Require password change at next login (recommended)” in the
Status settings. This password is replaced with the password created by the user.
The default minimum password requirements are:
• 8 characters
• 1 numeric character
• 1 upper case letter
• 1 lower case letter
See “Password Settings - Setting password controls” on page 112 to change the default
requirements.
7 Select the status settings.
The following options are specific to creating a new user account. You can also send these
invitations at a later time—see “Sending invitations to users” on page 33.
Send email invite for user portal setup
  Sends an email to users with an invitation to log in to the Samsung SDS CellWe EMM user
  portal. The email contains a link to the user portal and their account login name and a
  one-time password.
  You can customize the email message sent when you invite users—see “Customizing the
  email messages contents and logos” on page 180.

Send SMS invite for device enrollment
  Sends an SMS message to the mobile number in the account to help the user enroll the
  device. To use the SMS invitation, the user’s account must have the device’s phone number
  in the Mobile Number field.
  The message contains a link that downloads the Samsung SDS CellWe EMM client to the
  phone. Users then install the Samsung SDS CellWe EMM client and proceed with enrolling
  the device. To enroll a device, the user must be enabled to enroll devices—see “Device
  Enrollment Settings - Enabling users to enroll devices” on page 96.
The following options can be updated anytime:

Locked
  Locks the account. Set this field to prevent the user from logging in to the user portal or
  launching applications from the Samsung SDS CellWe EMM client.

Password never expires
  Overrides the default “Maximum password age” policy setting. Regardless of the
  “Maximum password age” setting, the password for this account never expires.
  The default maximum password age for user service accounts is 365 days. You use the
  Account Security Policies > Password Settings > Maximum password age policy on the
  Policies tab in Admin Portal to reset this value.
  Note: This setting and the “Require password change at next login” setting are
  interdependent. If you select one, the other is reset.

Require password change at next login (recommended)
  Forces users to create a new password the next time they log in. When you select this
  option, users are immediately prompted to create a new password the next time they log
  in to the user portal with their current password. The user is also subject to any password
  reset policy controls and settings you have enabled (see “Password Settings - Setting
  password controls” on page 112).
  This setting is reset as soon as the user logs in and creates a new password.
  Note: This setting and the “Password never expires” setting are interdependent. If you
  select one, the other is reset.

Add to Everybody role
  Adds this account to the Everybody role. It is best practice to leave the “Add to
  Everybody role” setting selected unless you plan to assign this user to a specific role.
  Admin Portal uses roles to assign applications, administrative rights, and policies to
  separate sets of users. You must assign a user to a role that has the Samsung SDS CellWe
  EMM user portal deployed if you want that user to have access to the Samsung SDS
  CellWe EMM user portal. See “Managing roles” on page 141 for more information.
(optional) Enter information for the Profile and Organization fields.
8 Click Create User.
A notification will be sent to the newly created user via your selected method.
Bulk import user accounts
You use an Excel spreadsheet or CSV file in conjunction with the Admin Portal to bulk
import user accounts. The file can contain up to 10,000 accounts.
You should run bulk user import after you have assigned the web applications to the roles.
The Samsung cloud service sends the login email message to the new users immediately
after creating the account. If you do not have the applications assigned, the users are
presented with an empty Apps screen when they log in to the Samsung SDS CellWe EMM
user portal.
To create the file, use the CSV file template provided (Option 1 in the import wizard) or
create the file from scratch. If you create the file from scratch, you need to create headers
for each field. The fields can be in any order; however, you must create headers exactly as
shown in the following table, including upper case characters and spaces.
Login Name (Required)
  Enter the full user name, including the login suffix, in the form
  <login name>@<loginsuffix>
  The login suffix must exist already.

Email Address (Required)
  You can specify one email address only.

Display Name (Optional)
  You can enter the display name in Excel using either format:
  • first last
  • last, first
  If you are editing the CSV file, use quotes if you specify the last name first (for
  example, “last, first”).

Description (Optional)
  Do not use punctuation. Limit is 128 characters.

Office Number, Mobile number, Home number (Optional)
  You must enter the area code. You can enter domestic US numbers in the following forms:
  • 1234567890
  • 123-456-7890
  Use E.164 number formatting to enter an international number.
  If you are using the phone or text message options for multifactor authentication, the
  Office and/or Mobile numbers must be accurate or the user will not be able to log in.

Roles (Optional)
  All accounts are automatically added to the Everybody role.
  You can specify multiple roles. Use a comma to separate each role. If you are editing the
  CSV file, surround the roles with quotes—for example: “role1,role2,role3”.
  The role must already exist, and the names are case sensitive.

Expiration Date (Optional)
  Enter a date when the account expires. If you do not set a date, the account does not
  expire.
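The import report only tells you about failed records after the wizard has run, so it is worth checking a file against the header and field rules above beforehand. The following is an added example, not code from the guide or the product: it validates a constructed sample CSV, assumes the administrator supplies the set of existing login suffixes and role names, and assumes a YYYY-MM-DD expiration date because the guide does not state a date format.

```python
"""Pre-check a CellWe EMM bulk user import CSV against the field rules above.

Added example, not part of the guide or the product. The login suffixes and
role names that already exist are assumed to be supplied by the administrator.
"""
import csv
import io
import re
from datetime import datetime

# Headers must match the guide's table exactly, including case and spaces.
REQUIRED_HEADERS = ("Login Name", "Email Address")
OPTIONAL_HEADERS = ("Display Name", "Description", "Office Number",
                    "Mobile number", "Home number", "Roles", "Expiration Date")
KNOWN_HEADERS = set(REQUIRED_HEADERS) | set(OPTIONAL_HEADERS)
PHONE_FIELDS = ("Office Number", "Mobile number", "Home number")

US_PHONE = re.compile(r"^(\d{10}|\d{3}-\d{3}-\d{4})$")        # 1234567890 or 123-456-7890
E164_PHONE = re.compile(r"^\+[1-9]\d{1,14}$")                # international numbers
ONE_EMAIL = re.compile(r"^[^@\s,;]+@[^@\s,;]+\.[^@\s,;]+$")  # exactly one address
PUNCTUATION = re.compile(r"[^\w\s]")


def validate_row(row, login_suffixes, roles):
    """Return the list of rule violations for one record (empty means valid)."""
    def get(field):
        return (row.get(field) or "").strip()

    problems = []
    login = get("Login Name")
    if "@" not in login:
        problems.append("Login Name must be in the form <login name>@<loginsuffix>")
    elif login.rsplit("@", 1)[1] not in login_suffixes:
        problems.append("Login Name uses a login suffix that does not exist")

    if not ONE_EMAIL.match(get("Email Address")):
        problems.append("Email Address must be exactly one valid address")

    description = get("Description")
    if PUNCTUATION.search(description):
        problems.append("Description must not contain punctuation")
    if len(description) > 128:
        problems.append("Description is limited to 128 characters")

    for field in PHONE_FIELDS:
        number = get(field)
        if number and not (US_PHONE.match(number) or E164_PHONE.match(number)):
            problems.append(f"{field} must be 1234567890, 123-456-7890 or E.164")

    # Roles are comma separated and case sensitive; the csv module strips the quotes.
    for role in (r.strip() for r in get("Roles").split(",")):
        if role and role not in roles:
            problems.append(f"Role {role!r} does not exist (names are case sensitive)")

    expiry = get("Expiration Date")
    if expiry:
        try:
            datetime.strptime(expiry, "%Y-%m-%d")  # date format assumed; the guide gives none
        except ValueError:
            problems.append("Expiration Date is not a valid date")
    return problems


def validate_csv(text, login_suffixes, roles):
    """Check the headers, then every record. Returns {line number: [problems]}.

    Key 0 carries header problems; data lines are numbered from 2 because the
    header row occupies line 1.
    """
    reader = csv.DictReader(io.StringIO(text))
    headers = reader.fieldnames or []
    header_problems = [f"Unknown header {h!r}" for h in headers if h not in KNOWN_HEADERS]
    header_problems += [f"Missing required header {h!r}"
                        for h in REQUIRED_HEADERS if h not in headers]
    if header_problems:
        return {0: header_problems}
    result = {}
    for line_no, row in enumerate(reader, start=2):
        problems = validate_row(row, login_suffixes, roles)
        if problems:
            result[line_no] = problems
    return result


# Constructed sample file: line 2 is valid, lines 3 and 4 break several rules.
SAMPLE_CSV = """\
Login Name,Email Address,Display Name,Description,Mobile number,Roles,Expiration Date
alice@acme.com,alice@acme.com,"Smith, Alice",Sales team,123-456-7890,"Sales,Everybody",2015-12-31
bob@acme.com,bob@acme.com,Bob Jones,Has a semicolon; in it,+14155550100,sales,
carol@other.com,carol@acme.com;carol2@acme.com,Carol Lee,,12345,,not-a-date
"""
SAMPLE_SUFFIXES = {"acme.com"}          # assumed to exist in Admin Portal
SAMPLE_ROLES = {"Everybody", "Sales"}   # assumed to exist in Admin Portal

if __name__ == "__main__":
    report = validate_csv(SAMPLE_CSV, SAMPLE_SUFFIXES, SAMPLE_ROLES)
    for line_no, problems in sorted(report.items()):
        print(f"line {line_no}:")
        for problem in problems:
            print(f"  - {problem}")
```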
Using the Bulk User Import wizard to add cloud accounts
After you create the file, use the Bulk User Import wizard to create the accounts.
To add cloud accounts using the Bulk User Import wizard:
The procedure assumes you have already created the Excel or CSV file.
1 Open Admin Portal, click the Users page, and click Bulk User Import.
2 Click Browse, navigate to the file, and click Open.
Then click Next to proceed to Review.
3 Review the entries.
The first 15 records are displayed. Use this display to ensure you have formatted the
entries correctly.
Click Next.
4 The Samsung SDS CellWe EMM user service - Bulk Import Report field is automatically
populated with your email address. Change the address if you want the email address to
go to someone else.
5 Click Confirm.
After the wizard completes the import, the Samsung cloud service sends two email
messages:
• Samsung SDS CellWe EMM user service - Bulk Import Report. This email message is
  sent to the email account that you had specified to receive the report. It indicates how
  many new users were specified in the file and how many were successfully added. An
  explanation is provided for each failed account.
• Samsung SDS CellWe EMM user service - New User Account. This email message is
  sent to each user account created. The message includes a link to the user portal and a
  one-time password. When users open the link, they are prompted to create a new
  password (unless you have configured otherwise).
  Note: You can customize this letter—see “Customizing the email messages contents and
  logos” on page 180.
Sending invitations to users
If you did not send invitations for users to log in to the user portal or enroll a device, you
can do so using the Invite Users button. You can send an email and/or SMS message.
Send email invite for user portal setup
  Sends an email to users with an invitation to log in to the Samsung SDS CellWe EMM user
  portal. The email contains a link to the user portal and their account login name and a
  one-time password.
  You can customize the email message sent when you invite users—see “Customizing the
  email messages contents and logos” on page 180.

Send SMS invite for device enrollment
  Sends an SMS message to the mobile number in the account to help the user enroll the
  device. To use the SMS invitation, the user’s account must have the device’s phone number
  in the Mobile Number field.
  The message contains a link that downloads the Samsung SDS CellWe EMM client to the
  phone. Users then install the Samsung SDS CellWe EMM client and proceed with enrolling
  the device. To enroll a device, the user must be enabled to enroll devices—see “Device
  Enrollment Settings - Enabling users to enroll devices” on page 96.
Sending an invitation
To send an invitation:
1 Open Admin Portal and click the Users tab.
2 Click Invite Users.
3 Filter your search by account source (Cloud or Active Directory/LDAP) and by user
status.
4 Enter the first characters of the user name or Active Directory/LDAP group. The search
results are filtered as you enter each character.
5 Select each account or group that you want to invite.
6 Click Invite.
7 Select the invitation method -- email and/or SMS.
8 Select the user’s role.
A default user service role is “Invited Users.” If this role does not already exist, Admin
Portal creates it. To select a different role, enter the role name in the text box.
User accounts that are not already a member of the role are added, and the Samsung SDS
CellWe EMM User Portal application is automatically assigned to that role.
9 Click Send Invites.
Deleting accounts
For Samsung SDS CellWe EMM user service accounts, deleting the account means that it is
disabled and no one can log in using those account credentials. For Active Directory/LDAP
user accounts, the deleted account is only removed from the Users page. People can still use
those account credentials to log in to the Samsung SDS CellWe EMM User Suite. You must
use Active Directory Users and Computers to truly disable the account.
To delete multiple users with one command:
1 Open Admin Portal and click Users.
2 Select the relevant accounts.
3 Click Delete from the Actions menu.
4 Click Yes to confirm.
Specifying a user’s application login settings
By default, the Samsung cloud service provides single sign-on to web applications that use
SAML (Security Assertion Markup Language) or a user name and password for
authentication based on the user’s Active Directory/LDAP or Samsung SDS CellWe EMM
user service user name and password. You use the Applications Settings page to provide
different credentials for the web applications.
If you don’t specify the user name and password for the application, users are prompted to
enter them once. The cloud service saves the credentials and silently authenticates the user
for subsequent logins.
Notes
• If the application prompts the user for login credentials, you must enter the login name;
  however, you do not need to enter the password. If you don’t, the user is prompted to
  enter the password.
• If multiple users open the application with a shared user name, you must specify the login
  name and password.
To specify application settings for a user:
1 Open Admin Portal, click Users, and click the desired user.
2 Click the Application Settings link in the left pane and click Add.
The Select an Application dialog box appears.
3 Select the application for which you want to specify login settings.
Either enter a part of the application name or scroll through the list to select an
application at a time.
The Setting Username/Password dialog box appears.
4 Enter the user name or user name and password required by this application to
authenticate the user.
The user name is required for all applications. For user-password applications that
prompt users for login credentials, you can optionally specify a password. For
user-password applications that share a user name, the password is required.
Note: SAML web applications just prompt you for the account name.
5 Click OK.
The application now appears in the user’s Application Settings list. The next time the user
opens this application from the user portal or the Samsung SDS CellWe EMM client on
the user’s device, the Samsung cloud service uses these application settings to
authenticate the user.
To modify a user’s existing application login setting:
1 On the Users page, click the user account.
2 Click Applications Settings.
3 In the Application Settings area, select an application.
The Actions dropdown list provides options to delete or modify the application selection.
4 Select Modify.
Change the user name and password as necessary and click OK.
To delete a user’s existing application login setting:
1 On the Users page, click the desired user.
2 Click Applications Settings.
3 In the Application Settings area, select the application or applications you want to delete.
The Actions dropdown list provides options to delete or modify the application selection.
4 Select Delete.
5 Click Yes.
Chapter 5
Managing applications
You use the Apps page in Admin Portal to assign web applications to users. If you are using
the Samsung cloud service for mobile device management, you can also deploy mobile
applications from the Apps page.
This section describes the following application management tasks:
• “Deploying the Samsung SDS CellWe EMM User Portal application” on page 36
• “Viewing and sorting applications in the Apps page” on page 37
• “Configuring applications” on page 38
• “Application symbols” on page 42
• “Working with applications that require the Samsung SDS CellWe EMM Browser
  Extension” on page 43
• “Removing an application” on page 46
• “Adding web applications by using Admin Portal” on page 46
• “Adding web applications by using Samsung SDS CellWe EMM Infinite Apps” on page 49
• “Adding and deploying mobile applications using Admin Portal” on page 54
If you are managing Samsung KNOX Workspace devices with a Samsung KNOX container,
there are some procedural and operational differences for deploying mobile and web
applications. See the following sections for the details.
• “Using the Samsung KNOX Marketplace” on page 56
• “Deploying web applications to KNOX containers” on page 58
• “Deploying mobile applications to KNOX containers” on page 59
Deploying the Samsung SDS CellWe EMM User Portal
application
Users use the Samsung SDS CellWe EMM User Portal application for single-sign-on access
to deployed applications. If the relevant policies have been configured, then users can also
use the application to enroll devices and deploy applications. By default, this application is
deployed to all users in the Everybody and Invited Users roles. If the user does not belong
to either of these roles, you must assign this user to a role with the Samsung SDS CellWe
EMM User Portal application deployed before the user can access the user portal. See
“Deploying an application to a specific set of users” on page 39 for the specific deployment
instructions.
Viewing and sorting applications in the Apps page
The Apps page lists all of the applications you have added to the cloud service. You can use
the column headers to sort the applications by name, type, description, and status.
Note: Your role must have the cloud service Applications Management administrative right
to view, add, and modify applications.
Application Status
An application can have one of the following statuses:
• Not Configured: (mobile applications) All required fields have not been defined.
• Ready to Deploy: (web applications) All required fields have not been defined and
  you have not assigned the user access.
• Deployed: All the required fields have been defined and user access has been assigned.
  Users assigned to the roles with this application deployed can now access the application
  from their Samsung SDS CellWe EMM user portal or devices.
Application Types
You can also filter the applications displayed by type. Use the Search drop-down menu to
select the type. The application types are defined as follows:
Android Custom Mobile
  In-house applications for Android-based devices for which you supplied the binary file
  (*.apk).
Android Google Play Mobile
  Android applications downloaded from Google Play.
Android Mobile
  All Android applications.
Bookmark Web
  Web applications launched using a browser bookmark (URL only).
Custom Mobile
  All iOS and Android custom applications.
iOS
  iOS applications selected from the iTunes App Store. The user downloads the application
  from the Apple App Store.
iOS App Store Mobile
  iOS applications downloaded from the App Store.
iOS Custom Mobile
  In-house iOS applications for which you supplied the binary file (*.ipa).
Mobile
  All iOS and Android in-house applications.
SAML Web
  Web applications that use SAML for authentication.
SSO Web
  Web applications that use either SAML, WS-Federation, or vendor-specific federated
  authentication.
User Password Web
  Web applications that use user name and password for authentication.
Web
  All Web applications.
If you’re an Express customer, you can add, remove, configure, and deploy up to three web
and three mobile applications. If you’re a licensed customer, you can add, remove,
configure, and deploy unlimited web and mobile applications. If your license expires, all
web and mobile applications return to Ready to Deploy status.
Configuring applications
This section highlights the major aspects of application configuration. See Application
Configuration Help for application-specific configuration instructions.
You must be a member of the sysadmin role or a role that has Application Management
permission to configure an application or modify its settings.
When you add an application, it is listed on the Apps page, however, you must configure it
to deploy it to users.
The application configuration page contains links in the left pane that you can use to set the
application properties. Not all options in the following table are used by all applications. For
example, Web - User Password applications do not have an Application Settings option.
Applications Settings
  For Web - SAML and Bookmark applications: Configure the URLs. For Web - SAML
  applications only, expand Additional Options to input the name or “target” that the
  mobile applications use to find this application and select a security certificate.
  For Web - Office 365 applications:
  • For Office 365 version 1 applications, enter the Office 365 administrator user name and
    password application ID and expand Additional Options to input the name or “target”
    that the mobile applications use to find this application and select a security certificate.
  • For Office 365 version 2 applications, enter the Office 365 administrator user name and
    password application ID and expand Additional Options to input the name or “target”
    that the mobile applications use to find this application. Click Verify to confirm the
    administrator user name and password account.
  For iOS and Android custom in-house applications: Browse to and upload the binary file.
  For iOS and Android appstore applications: Enter the application package identifier.
  This option is not displayed for Web - User Password applications.

Description
  Modify the application name, description, and logo. See “Modifying the application
  description” on page 40 for an example.

User Access
  Assign the application to one or more Admin Portal roles.
  Note: For applications purchased from the KNOX Marketplace, click Assign Apps in
  Marketplace to use the KNOX Marketplace rather than Admin Portal to assign users.
  See “Deploying an application to a specific set of users” on page 39 and “Removing an
  application” on page 46 for an overview of this process. When you specify the role, you
  can set the application for automatic or optional assignment—see “Configuring automatic
  versus optional assignment” on page 49 for the details.

Policy
  Specify access constraints that can prevent a user from opening the application from
  outside the organization intranet or require multifactor authentication. See “Setting web
  application access policies” on page 41 for more details.
  When you put policy constraints on an application, the cloud service adds a symbol to the
  application’s icons on the user portal and device. See “Application symbols” on page 42
  for a description of the symbol used.
  Note: You must have a Samsung CellWe EMM IAM+ license key and licenses to set an
  access policy for applications.

Account Mapping
  For Web - User Password applications only: Map the application to an individual or a
  shared account. If you configure an application to use shared credentials (by selecting
  Everybody shares a single user name), the user sees a shared icon associated with the
  application.
  Note: You cannot map applications for which you have enabled Provisioning.

Changelog
  View the log of changes for this application.

Provisioning
  Enable provisioning for this application and set provisioning properties, such as the
  username and password, client ID, and preview mode. Provisioning is not available for all
  applications. See User provisioning overview in the Application Configuration help for
  the details.
Note: You must have a Samsung CellWe EMM IAM+ license key and
licenses to enable provisioning.
Domains
For Web - Office 365 only: Enter the domain names that you registered and
verified in Office 365.
Deploying an application to a specific set of users
You must assign applications to a role before users
The Samsung cloud service deploys web and mobile applications to members of the role or
roles you select. After you assign a web application to a role, the cloud service adds it to the
role members’ Samsung SDS CellWe EMM user portal.
For users with enrolled devices, the web applications are also displayed on the device as
follows:
Chapter 5 • Managing applications
• Android and iOS devices: Web applications are displayed on the Web Apps screen in the Samsung SDS CellWe EMM client.
• On a Samsung KNOX Workspace device, web applications are displayed in Samsung SDS CellWe EMM WebApps by default. You can also configure the device to show the applications in the Samsung SDS CellWe EMM client and Samsung SDS CellWe EMM WebApps.
After you assign mobile applications to a role, the Samsung cloud service adds them to the Mobile Apps area of the Samsung SDS CellWe EMM client on the device.
You can assign applications to roles using two methods in Admin Portal:
• The User Access page in the application configuration area.
• The Assigned Applications page in the role configuration area.
To assign an application to a role using the User Access page:
1 Open the Admin Portal and select the Apps page.
2 Click the application and click User Access.
3 Select one or more roles.
By default, all applications are configured for automatic installation. Use the drop-down
menu to select Optional installation.
4 Click Save.
To assign an application to a role using the Assigned Applications page:
1 Open Admin Portal and click Roles.
2 Select the role to which you want to assign the application
3 Click Assigned Applications and then the Edit button.
4 Drag the application or applications in the Available pane to the Selected pane.
The Available pane lists the applications you have already added to the Apps page in
Admin Portal—it is not the full Samsung SDS CellWe EMM App Catalog.
5 Click Save.
The next time the role members open the Samsung SDS CellWe EMM user portal or
refresh their window, the application is displayed.
Modifying the application description
You can modify the application’s name, description, and icon using the Description option
associated with each application.
For application icon images, use a 60x60 pixel image that is one of the following file types: PNG, JPG, GIF, or ICO.
Note: You must be a member of the sysadmin role or a role that has Application Management permission to modify an application’s configuration.
To modify an application’s settings:
1 In the Apps page, click the application.
2 If the Description page is not displayed, click Description in the left pane.
3 Click the Name field to modify the application’s name.
4 Click the Description field to modify the application’s description.
5 To change the logo icon, click Browse and select the desired file.
6 Click Save.
Configuring automatic versus optional deployment
You have two application deployment options: automatic or optional installation. These deployment options are handled differently for web and mobile applications.
For web applications:
• When you specify Automatic installation, the application is added automatically to the role members’ Samsung SDS CellWe EMM user portal, the Web Apps screen in the Samsung SDS CellWe EMM client, and, on Samsung SDS CellWe EMM WebApps workspace devices enabled for a KNOX mode container, in the Samsung SDS CellWe EMM WebApps application.
• When you specify Optional installation, the web application is not displayed in any of these places. Instead, the application is only listed when the user clicks the Add Apps button in the user portal. If the user adds the application, it is displayed among the applications deployed for automatic installation.
Mobile applications deployed for automatic versus optional installation are handled differently—see “Adding and deploying mobile applications using Admin Portal” on page 54 for the details.
Setting web application access policies
The Policy link lets you specify the following access policies for web applications:
• Restrict app to clients within the Corporate IP range: The device or computer must be inside the organization’s intranet or within specified IP ranges. If the device or computer is outside the intranet or the specified IP ranges, the application cannot be opened. You set the IP ranges using the Settings page in Admin Portal—see “Setting Corporate IP ranges” on page 200.
• Require Strong Authentication: To open the application, the user must provide the multifactor authentication specified in the Policy Authentication settings in the Policies tab in Admin Portal. See “Authentication - Setting authentication policy controls” on page 98 to learn about multifactor authentication.
Application symbols
The cloud service displays symbols in the application icon shown in the Samsung SDS CellWe EMM user portal and in the Samsung SDS CellWe EMM client on the device. For example, if you set the application for use when the user is on the organization’s intranet only, the blocked symbol is added to the icon.
The symbols displayed in the user portal have the following meaning:
• Key symbol: users will be prompted to provide an additional form of authentication besides their user name and password when they open the application.
• Blocked symbol: users cannot access the application. This would happen, for example, when the user logs in from outside the organization’s intranet when the application’s policy says that it is intranet-only.
• Puzzle-piece symbol: users must install the Samsung SDS CellWe EMM Browser Extension in their browser to run the application. See “Working with applications that require the Samsung SDS CellWe EMM Browser Extension” on page 43 for the details.
• Shared symbol: users never have to enter any log in credentials to access the application. The identity platform recognizes the shared credentials configuration and automatically logs users in using those credentials.
On devices, the following symbols are used:
Symbol: What it means
• User name and password setting is required. Users tap this symbol to enter or modify the user name and password they use to log in to this application.
• Blocked. The user cannot open this application from the device. This symbol indicates that the application is not supported on the device’s web browser.
• Blocked. You cannot open this application from your device. This symbol indicates that the application is only available when the user is logged in from a computer or device that is on the organization’s network.
• Shared app. Indicates that users do not need to enter any log in credentials to access the application. The system administrator has configured all users to use the same log in credentials, so the identity platform automatically logs users in using those credentials.
Working with applications that require the Samsung SDS
CellWe EMM Browser Extension
Some web applications require installation of the Samsung SDS CellWe EMM Browser
Extension to provide single sign-on. These applications appear with the jigsaw puzzle
symbol in the application icon on the Apps page in the Samsung SDS CellWe EMM user
portal.
Before users can open these applications from the user portal, they must install the browser extension in their browser. The user has two options:
• The user portal displays a banner on the Apps page above the application icons that has a link the user can click to initiate installation.
• The user can open the application. The first time a user opens an application that requires the browser extension, the user portal opens a pop-up that prompts the user to initiate the installation.
Users install the browser extension once for all applications.
You can also send the link for installing the browser extension directly to users. When they click the link, the installer identifies the user’s default browser and installs the corresponding extension. The link and the browser extension files for Chrome, Firefox, Safari, and Internet Explorer are provided in the Downloads item in the account name drop down menu in Admin Portal (see “Using the account name drop down menu” on page 3).
Users do not need to install a browser extension on their devices to open these applications. Instead, the Samsung SDS CellWe EMM client and Samsung SDS CellWe EMM WebApps both incorporate an internal browser that provides single sign-on. When users open an application that requires the browser extension from the Web Apps screen in the Samsung SDS CellWe EMM client or from Samsung SDS CellWe EMM WebApps, the application is automatically opened in the internal browser. (If the application is opened in another browser, the cloud service cannot provide single sign-on.)
Installing the Samsung SDS CellWe EMM Browser Extension for
IE on remote Windows computers
You can automate the installation of the Samsung SDS CellWe EMM Browser Extension
(Internet Explorer version) onto remote Windows computers using a silent installation or
using a Windows Group Policy Object (GPO).
To deploy the browser extension on remote Windows computers using a “silent”
unattended installation or using a GPO, you need to specify the appropriate command line
options and Microsoft Windows Installer (MSI) file. You can also use a software distribution
product, such as Microsoft System Center Configuration Manager (SCCM), to deploy
software packages.
An automated installation may fail if remote computers do not have the appropriate configuration. If you are installing silently or from a GPO, verify that the remote Windows computers meet the following requirements:
• The computer is running a supported Windows operating system version.
• The computer is joined to Active Directory.
• The computer has sufficient processing power, memory, and disk space for the browser extension to use.
• The computer has the .NET Framework, version 3.5 SP1, or later.
• The computer has Windows Installer, version 3.1, or later.
To install the Samsung SDS CellWe EMM Browser Extension for Windows silently:
1 Open a Command Prompt window or prepare a software distribution package for deployment on remote computers.
For information on preparing to deploy software on remote computers, see the documentation for the specific software distribution product you are using. For example, if you are using Microsoft System Center Configuration Manager (SCCM), see the Configuration Manager documentation.
2 Run the installer for the browser extension package for a 32-bit or 64-bit architecture.
Note: If the system has a 64-bit operating system, use the 64-bit package, SamsungIEExtensionSetup(x64).msi.
For example, on 32-bit operating systems, run the following command:
msiexec /qn /i "SamsungIEExtensionSetup(x86).msi"
On 64-bit operating systems, run the following command:
msiexec /qn /i "SamsungIEExtensionSetup(x64).msi"
To install the Samsung SDS CellWe EMM Browser Extension from a Group Policy Object:
1 Copy the SamsungIEExtensionSetup(x64).msi file to a shared folder on the domain controller or another location accessible from the domain controller.
If you are installing on a 32-bit architecture, the installer file name is SamsungIEExtensionSetup(x86).msi. When you select a folder for the installer file, you might want to right-click and select Share with > Specific people to verify that the folder is shared with Everyone or with appropriate users and groups.
2 On the domain controller, click Start > Administrative Tools > Group Policy Management.
3 Select the domain or organizational unit that has the Windows computers where you want to deploy the browser extension, right-click, then select Create a GPO in this domain, and Link it here.
For example, you might have an organizational unit specifically for Samsung SDS CellWe EMM-managed Windows computers. You can create a Group Policy Object and link it to that specific organizational unit.
4 Type a name for the new Group Policy Object, for example, Samsung SDS CellWe EMM Browser Extension Deployment, then click OK.
5 Right-click the new Group Policy Object, then click Edit.
6 Expand Computer Configuration > Policies > Software Settings.
7 Select Software installation, right-click, then select New > Package.
8 Navigate to the folder you selected in Step 1, select the .msi installation file, then click Open.
9 Select Published, then click OK.
10 Close the Group Policy Management Editor, right-click the Samsung SDS CellWe EMM Browser Extension Group Policy Object, and verify Link Enabled is selected.
By default, when computers in the selected domain or organizational unit receive the next group policy update or are restarted, the browser extension will be deployed and the computer will be automatically rebooted to complete the browser extension deployment. If you want to test the deployment, you can open a Command Prompt window to log on to a Windows client as a domain administrator and force group policies to be updated immediately by running the following command:
gpupdate /force
For more information about how to configure and use Group Policy Objects, see the documentation on the Microsoft Windows website.
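Both procedures above depend on the remote computer meeting the listed requirements, and a silent msiexec run gives no visible feedback when it fails. The following PowerShell script is an added example written for this guide; it is not part of the Samsung SDS product or documentation. It checks the prerequisites the guide lists (domain membership, .NET Framework 3.5 SP1, Windows Installer 3.1), selects the 32-bit or 64-bit package, verifies the installer’s Authenticode signature before running it, performs the same msiexec /qn installation with a verbose log, and translates the msiexec exit code. The share path \\dc01\Software\CellWe, the log directory, and the function names are assumptions; the 32-bit file name is taken from the procedure above and the 64-bit file name is assumed to be SamsungIEExtensionSetup(x64).msi, following the same pattern. The script requires PowerShell 3.0 or later for Get-CimInstance.

```powershell
# Added example (not from the Samsung SDS guide): prerequisite check and silent
# install of the CellWe EMM IE browser extension MSI with exit-code handling.
# Assumptions: package share path, log directory and MSI file names below.
param(
    [string]$PackageShare = '\\dc01\Software\CellWe',           # hypothetical UNC path
    [string]$LogDir       = "$env:ProgramData\CellWe\Logs"       # hypothetical log location
)

function Test-Prerequisites {
    $ok = $true

    # Requirement: the computer is joined to Active Directory.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        Write-Warning 'Computer is not joined to Active Directory.'; $ok = $false
    }

    # Requirement: .NET Framework 3.5 SP1 or later. The 3.5 installer writes
    # Install=1 and SP=<service pack level> under this registry key.
    $net35 = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5' -ErrorAction SilentlyContinue
    if (-not $net35 -or $net35.Install -ne 1 -or $net35.SP -lt 1) {
        Write-Warning '.NET Framework 3.5 SP1 or later not found.'; $ok = $false
    }

    # Requirement: Windows Installer 3.1 or later, read from msi.dll's version.
    $msiVer = [version](Get-Item "$env:SystemRoot\System32\msi.dll").VersionInfo.ProductVersion
    if ($msiVer -lt [version]'3.1') {
        Write-Warning "Windows Installer $msiVer is older than 3.1."; $ok = $false
    }
    return $ok
}

function Install-BrowserExtension {
    # Pick the package that matches the OS architecture, not the PowerShell host.
    $is64 = (Get-CimInstance -ClassName Win32_OperatingSystem).OSArchitecture -like '64*'
    $msiName = if ($is64) { 'SamsungIEExtensionSetup(x64).msi' } else { 'SamsungIEExtensionSetup(x86).msi' }
    $msiPath = Join-Path $PackageShare $msiName
    if (-not (Test-Path $msiPath)) { throw "Installer not found: $msiPath" }

    # Refuse to run a package whose Authenticode signature is missing or invalid.
    # Get-AuthenticodeSignature accepts .msi files; this guards the share contents.
    $sig = Get-AuthenticodeSignature -FilePath $msiPath
    if ($sig.Status -ne 'Valid') {
        throw "Installer signature status is '$($sig.Status)' for $msiPath; aborting."
    }

    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    $log = Join-Path $LogDir ('{0}-{1:yyyyMMdd-HHmmss}.log' -f $msiName, (Get-Date))

    # /qn = no UI (as in the guide), /l*v = verbose log, /norestart = let the
    # deployment tool schedule the reboot instead of msiexec rebooting at once.
    $msiArgs = @('/qn', '/norestart', '/i', "`"$msiPath`"", '/l*v', "`"$log`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    switch ($proc.ExitCode) {
        0       { Write-Host "Installed $msiName." }
        3010    { Write-Host "Installed $msiName; a reboot is required to finish." }
        1641    { Write-Host "Installed $msiName; the installer initiated a reboot." }
        default { throw "msiexec exited with code $($proc.ExitCode); see $log" }
    }
    return $proc.ExitCode
}

if (-not (Test-Prerequisites)) {
    Write-Error 'Prerequisite check failed; the browser extension was not installed.'
    exit 1
}
exit (Install-BrowserExtension)
```

The script exits with the msiexec exit code, so a distribution tool such as SCCM can distinguish success (0) from a pending reboot (3010) and from failures. Remove /norestart if you want the automatic reboot the guide describes; the verbose log under the log directory is where to look when a silent installation fails on a remote computer.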
Removing an application
After you have deployed an application to a role you can remove it either from the Apps or Roles pages.
• From the Apps page: Click the application, click User Access, and click the role’s box to remove the check mark.
• From the Roles page: Click the Role, click the Assigned Applications Edit button, and drag the application from the Selected pane to the Available pane.
Web applications are deleted immediately from the user’s Samsung SDS CellWe EMM user portal and when the user refreshes the Samsung SDS CellWe EMM client on the device. However, mobile applications are not physically removed from the device. See “Removing a mobile application” on page 56 for the details.
Adding web applications by using Admin Portal
You can add web applications and then configure and deploy them to users in one session.
Alternatively, you can add the applications to your Admin Portal Apps page and then
configure and deploy them at a later time. The Status column shows the application status—
see “Application Status” on page 37. You need to configure an application and deploy it to a
role before users can use single-sign-on to access it.
Note: Users can also add web applications (user password applications only) from the user portal. See the user portal help for user specific information. You can, however, disable this feature—see “Application policies - Preventing users from adding applications” on page 114.
You can add web applications using the following methods:
• From the Samsung SDS CellWe EMM App Catalog—see “Adding web applications from the Samsung SDS CellWe EMM App Catalog” on page 47.
• Using a template. You can use this method if the application is not in the application catalog. See “Using a template” on page 48.
• Using Samsung SDS CellWe EMM Infinite Apps. You can use this method if the application is not in the application catalog. You can add an application using the App Capture feature in Samsung SDS CellWe EMM Infinite Apps. See “Adding web applications by using Samsung SDS CellWe EMM Infinite Apps” on page 49.
• Cloning, exporting, and importing. Cloning is a time-saver when you need to have two similar but not identical configurations for the same application. Importing and exporting are useful when you want to assign an application that you have previously assigned in another instance—for example, exporting an application from a pilot implementation and then importing it into a production environment. See “Cloning, exporting, and importing web applications” on page 48 for the details.
Adding web applications from the Samsung SDS CellWe EMM
App Catalog
The Samsung SDS CellWe EMM App Catalog contains an ever-expanding list of web
applications ready for assignment to users. If the web application is not in the catalog, you
can open a template in the catalog and fill in the details.
To add a web application from the App Catalog:
1 Open Admin Portal and click the Apps tab.
2 Click Add Web Apps.
The Add Web Apps window opens.
3 Use the information on the Search tab to select the application or applications.
See “Using a template” on page 48 to add an application using one of the application templates.
See “Cloning, exporting, and importing web applications” on page 48 to add an application from another application that you previously exported.
4 Select the application or applications.
Click the Add button to select one or more applications.
You can continue to select categories and add more applications. You can add up to 30
applications in one session.
If you change your mind, click Remove.
5 Click Close.
If you added just one application, Admin Portal opens the configuration window for that
application. If you added more than one application, Admin Portal opens the Apps page.
You click the application name to configure it. Click Help for this application for the
configuration instructions.
Using a template
The Samsung SDS CellWe EMM App Catalog includes templates you can open and fill in to
add applications. Click the Custom tab to display the list of templates. Click the
information icon associated with each template for a description.
To add an application from a template:
1 Open Admin Portal and click the Apps tab.
2 Click Add Web Apps.
This opens the Add Web Apps window.
3 Click the Custom tab.
4 Click Add for the template you want and click Yes in the confirmation window.
5 Click Close.
This closes the Add Web Apps window and opens the configuration window.
6 Click Help for this application for the configuration instructions.
Cloning, exporting, and importing web applications
You can clone an existing application to save yourself some time assigning applications that
have similar but different configurations. You can also export an application you have
already configured in a test environment for example, so that you can import it into your
production environment.
Cloning an application
When you need multiple instances of an application, each with a slightly different
configuration, you can generate a clone and then modify just the properties that differ in the
clone. When you create a clone, the copy has “(Cloned)” appended to the application name.
Click the clone to modify the fields you need to change (including the application name).
To clone an application added on the Apps page:
1 Open Admin Portal and click Apps.
2 Right click the application and click Clone.
Alternatively, you can open the application listing on the Apps page, click Actions, and then select Clone.
Exporting one or more applications
You can export one or more applications that you have already configured for use in another environment or as a backup. You can select multiple applications for export. Admin Portal creates a zip file you can then import into the other environment to add the applications.
Note: You cannot unpack the zip file and import individual applications if you export multiple applications.
To export one or more applications:
1 Open Admin Portal and click Apps.
2 To export a single application, right click the application and click Export.
To export multiple applications, select each application and click Export in the Actions
menu.
3 Transfer the zip file to the target environment.
Importing exported applications
You add applications that you have exported using the zip file created by the Admin Portal
Export command.
Note: You cannot unpack the zip file and import individual applications if you export multiple applications.
To add applications using a zip file created by the Export command:
1 Open Admin Portal and click Apps.
2 Click the Add App button.
3 Click the Import button in the Applications Catalog window.
4 Navigate to the zip file created by the Export command and click Open.
“(Imported)” is appended to the application name on the Apps page.
5 (optional) Click the application to change the name using the Description properties.
Adding web applications by using Samsung SDS CellWe
EMM Infinite Apps
Infinite Apps is a feature of the Samsung SDS CellWe EMM Browser Extension that simplifies adding a SaaS user-password application that is not in the Samsung SDS CellWe EMM App Catalog. Infinite Apps provides the App Capture utility, which automatically discovers the user name and password fields on the web application log in page and adds the application to your portal Apps page. After you add the application, you can deploy it with single sign-on to user portals and devices. If the App Capture utility cannot discover the user name and password fields, it allows you to select them manually.
By default, users can also use the browser extension to add applications to their user portal Apps page and devices. You can configure this setting using the “Allow users to add personal apps” policy (see “Application policies - Preventing users from adding applications” on page 114).
This section contains the following topics:
• “Installing the Samsung SDS CellWe EMM Infinite Apps” on page 50
• “Adding a web application by using App Capture” on page 51
• “Manually adding an application by using App Capture” on page 52
Installing the Samsung SDS CellWe EMM Infinite Apps
To use the Infinite Apps feature, you must install another version of the Samsung SDS
CellWe EMM Browser Extension in a Firefox browser. Infinite Apps only supports Firefox.
After the application is captured, users can use any browser to open it from the user portal.
After you add the extension, the App Capture utility is available from the drop-down menu
when you click the Samsung SDS CellWe EMM Browser Extension icon in the toolbar. Go
to “Adding a web application by using App Capture” on page 51 to add an application.
To install the Samsung SDS CellWe EMM Browser Extension with Infinite Apps:
1 If Firefox is not installed on your computer, install and open it.
2 Log in to Admin Portal using your system admin account.
3 In the user name drop down menu, click Downloads (see “Using the account name
drop down menu” on page 3).
4 Click the link for the Firefox browser.
5 In the pop-up window, click Allow.
The browser displays a dialog box for installing the browser extension.
6 Click Install Now.
A dialog box appears for restarting the browser.
7 Click Restart Now to restart the browser and finish installation.
After the browser restarts, the Samsung SDS CellWe EMM Browser Extension icon is
added to the toolbar. If it is not, right-click the toolbar, select Customize, and drag the
icon to the toolbar.
Adding a web application by using App Capture
The App Capture utility is designed to discover the login user name and password fields in
the login page automatically. If it can’t find them, it gives you the option to select them
manually. In addition, it lets you select a third field for applications that require another log
in identifier, for example, a company ID.
To add an application by using App Capture:
1 Open Firefox and go to the sign-in page for the application that you want to add.
2 Click the Samsung SDS CellWe EMM Browser Extension icon in the toolbar.
If the browser extension icon is gray, then you need to log in to the Samsung SDS CellWe
EMM User Suite (user portal or Admin Portal) before continuing.
3 Click Capture.
App Capture displays a pop up window that guides you through the capture process.
After you click Capture, App Capture attempts to discover the user name and password
fields in the login page. If it is successful, it displays the message and highlights the user
name and password fields.
If App Capture is not successful or selects the wrong fields, you need to set the fields
manually. Click Set Manually and go to “Manually adding an application by using App
Capture” on page 52 to capture this application.
4 Determine how the login credentials are submitted.
If App Capture selected the user name and login fields correctly, you need to capture how users submit their credentials for this web site. App Capture supports two cases:
• Users press the Enter key (on the keyboard) to submit their credentials.
For example, after entering the user name and password, the user clicks the Enter key to submit their credentials to this web site.
If this is how users submit their credentials, click Next.
• Users click a separate log in or sign in button to submit their credentials.
If the application has a separate button, such as “Sign me in” in the picture, it may require the user to click the button. In this case, you need to capture the application manually.
Click Set Manually and go to “Manually adding an application by using App Capture” on page 52 to complete capturing this application.
If you are not sure which method the application requires, selecting the Enter key is the easier procedure for capturing the application and more reliable than trying to capture the submit button. After you assign the application, try opening it from the user portal. If single sign-on is not automated the next time you log in after you have provided your credentials, you will need to recapture the application using the manual method.
5 Add an additional field, if necessary.
Some web applications have a third login field that requires the user to provide additional
login information—for example, a corporate ID.
If this web site does require an additional field, click Yes and then Next. Then click the
additional field in the application’s login screen. App Capture highlights your selection
and the pop-up window prompts you for the next entry.
Note: You enter the value you want to put in this field (for example, your organization’s ID number for this application) in the Advanced page when you open the application details in Admin Portal. See the Advanced page description in “Configuring applications” on page 38 for the details.
6 (optional) Modify the application properties -- application name, description, and icon.
7 Click Finish to proceed.
8 Select where to add the application -- user portal or Admin Portal.
Adding the application to the user portal is for your use only.
Adding the application to Admin Portal allows you to assign it to other users. The Admin
Portal option is only available if you are in a role that has the Application Management
right.
9 Click Submit.
You can now assign this application to users. See “Deploying an application to a specific set
of users” on page 39.
Manually adding an application by using App Capture
If you opened the application and App Capture did not find the user name and password
fields or selected the wrong fields, use the following procedure to identify them.
In addition, you must use this procedure to add the application if you want to use a Submit
button rather than use the Enter key to proceed with the sign-in.
To set fields manually while adding an application:
1 Open Firefox and go to the sign-in page for the application that you want to add.
2 Click the Samsung SDS CellWe EMM Browser Extension icon and click Capture from
the drop-down menu.
App Capture displays a pop up window that guides you through the capture process.
3 Click Set Manually.
4 Click the <app name> Name field to identify this application’s username field.
For example, click the Skype Name field for Skype:
App Capture tags Skype Name as the Username field and prompts you to select the
Password field.
5 Click the Password field to identify this application’s password field.
6 Select an additional login field.
Some web applications have a third login field that requires the user to provide additional
login information—for example, a corporate ID.
If this web site does require an additional field, click Yes and then Next. Then click the
additional field in the application’s login screen. App Capture highlights your selection
and the pop-up window prompts you for the next entry.
You enter the value you want to put in this field (for example, your organization’s
ID number for this application) in the Advanced page when you open the application
details in Admin Portal. See the Advanced page description in “Configuring applications”
on page 38 for the details.
Note
7 Determine how the log in credentials are submitted.
After they enter their credentials, users either press the Enter key (on the keyboard) or
click a button to submit their credentials.
• Use keyboard Enter key event (Recommended): Select this option when users
  press the Enter key (on the keyboard) to submit their credentials.
  Capturing the Enter key is more reliable than trying to capture a sign-in button.
  Click Next to continue.
• Right-click the Sign in button on the Web page to capture it: Select this
  option when the user must click a separate “login” or “sign-in” button to submit their
  credentials to this web site.
  After you select this option, right-click the login/sign-in button on the Web page to
  capture it, then click Next to continue.
Chapter 5 • Managing applications
53
  This option is useful if you captured using the Enter key option and deployed the
  application, but your users are unable to log in. Often, recapturing the
  application and selecting the sign-in button option corrects the problem.
8 (Optional) Modify the application properties: application name, description, and icon.
9 Click Finish.
10 Select where to add the application: the user portal or Admin Portal.
Adding the application to the user portal is for your use only.
Adding the application to Admin Portal allows you to assign it to other users. The Admin
Portal option is only available if you are in a role that has the Application Management
right.
11 Click Submit to add the application to the selected portal.
12 Click Close when the confirmation message appears.
Continue with “Configuring applications” on page 38 if you want to assign the application
to other users.
Adding and deploying mobile applications using Admin
Portal
This section describes adding and deploying mobile applications by using Admin Portal
from the conceptual level. See Application Configuration Help for complete, application-specific configuration and deployment instructions.
The Samsung SDS CellWe EMM User Suite supports the following device operating
systems:
• Android
• iOS
The mobile applications you add are displayed on the Admin Portal Apps page. You deploy
native device mobile applications to sets of users based on their roles. In addition, the
mobile applications that users have installed on their devices are listed in the “Installed
Applications” list when you open the device details page.
For Android devices, you can deploy any free application from Google Play or an Android
application for which you have the binary (.APK) file.
Note
If you are deploying applications to Samsung Workspace devices with KNOX mode
version 1 containers, the application must be wrapped to be installed in the container.
For iOS devices, you can deploy any free application from the Apple App Store or an iOS
application for which you have the binary—the .IPA—file. See “Installing mobile
applications on iOS devices” on page 55 for the details.
If you have the binary file, you can use the Custom option in Admin Portal to add the
mobile application.
Automatic versus optional installation
When you select a role for application deployment, you can select either Automatic or
Optional installation. Automatic versus optional application installation is handled
differently on Android and iOS devices.
Installing mobile applications on Android devices
On Android devices the applications you set for automatic installation are listed on the
Samsung SDS CellWe EMM client Apps screen under the Recommended banner. The
optional applications are listed under Optional.
On Android devices, a “New” button is displayed next to the application name as shown in
this screen capture. The user taps New to install the application.
Note
On Samsung KNOX Workspace devices, the applications set for automatic installation
are installed automatically. However, if the application is configured for installation in the
KNOX mode container, it is not installed until the user creates the container.
On all devices, optional applications are displayed with a “New” button and are not installed
until the user taps New.
After the application is installed, its icon is also displayed in the device’s App application.
Installing mobile applications on iOS devices
On iOS devices, mobile applications configured for automatic installation are not installed
automatically. Instead, the user is prompted to install each application you deploy.
The prompt is displayed right after the user enrolls the device or within ten minutes after
you deploy the application from Admin Portal. The dialog box indicates the server and the
application name.
The user taps Install to proceed with the installation. The application is displayed on the
home screen after installation.
Users can select Cancel to prevent installation. When users select Cancel, they are
prompted the next time they open the device to install the application. If they select cancel
again, they are not prompted anymore. They can, however, still install the application by
opening the Company Apps web clip.
Company Apps is a web clip that is installed automatically when the device is enrolled.
Users open the web clip by tapping the following icon on their home screen:
When the user opens the web clip, the screen lists the automatic and optional mobile
applications deployed to this user. The user can then click the application icon for a short
description and choose which applications to install.
Removing a mobile application
If you don’t want to deploy a mobile application any more, you have two options:
• You can just reset the role setting in the application’s User Access setting.
  This leaves the application listing on the Apps page. The status is changed to “Ready to
  Deploy” when it is not assigned to any roles.
• You can delete the application from the Apps page.
  This removes the application from all roles.
After you stop deploying a mobile application, it is no longer listed in the Samsung SDS
CellWe EMM client on Android devices or the Company Apps web clip on iOS devices.
However, if the user has already installed the application, it remains installed on the device.
For example, the user can still open the application from the device’s Apps catalog.
Removing the application from the device can only be done by the user.
Note
The same is true when a device is unenrolled from the cloud service. That is, any
application installed from the Mobile Apps screen remains installed after the device is
unenrolled.
Using the Samsung KNOX Marketplace
Samsung Marketplace is a web portal that allows you to purchase and assign web
applications. With a few exceptions, you manage the applications in the Admin Portal the
same way you manage applications you add from the Samsung CellWe EMM App Catalog.
Once logged into the Admin Portal, a single click takes you directly into Marketplace
without requiring you to provide a password. When you purchase an application, you also
specify the users who are allowed to use it. Applications that you purchase in Marketplace
are immediately added to Admin Portal and displayed on the users’ user portal pages. The
applications are added to the device’s CellWe EMM WebApps application the next time the
user opens it or refreshes the Apps screen.
This section describes how to add and manage applications purchased from the KNOX
Marketplace. See, in addition, “Managing Samsung Marketplace roles” on page 149 in the
Roles chapter for additional application management details.
Note
The following procedure is a general guide to how to purchase a Marketplace
application. See Marketplace Help for details on any part of the procedure.
To purchase Samsung Marketplace applications:
1 In Admin Portal, click Apps > Visit Marketplace.
Samsung Marketplace opens in a new window.
2 Click Business Cloud Apps or type a term in the search box to find an application, for
example, ‘Box’.
3 Click the application, then select options and fill in details as necessary.
For example, you may need to choose from different subscription options, specify the
number of users, apply discount codes, and so on. You may also need to supply or update
payment information.
4 Click Continue when you have selected the options you want.
5 Fill in billing information as necessary and confirm the order when prompted to do so.
6 Click Assign Users to specify the users who can use this application.
By default, you are the only assigned user. Enter a search term to find users.
7 Select the users you want to assign to the application and click Save Changes.
Managing applications purchased in Marketplace
Applications that you purchase in Marketplace appear on the Apps page in Admin Portal
just as applications from the Samsung CellWe EMM App Catalog are displayed. However,
how you manage these Marketplace applications differs in significant ways from managing
applications from the App Catalog.
On the Apps page in Admin Portal, the ‘Source’ column indicates how you obtained the
application. You can click the ‘Source’ column to sort by source, or in the filter box select
Marketplace to see just the applications that you purchased through Marketplace:
The Admin Portal creates a role for the application in the form:
knoxmarketplace_appName; for example, knoxmarketplace_samsung_sample_app in the
following figure. The Marketplace application roles are displayed on the Roles page
intermixed with applications added from the App Catalog:
You can assign access controls and administrative rights to the KNOX marketplace
applications you add. See “Removing an application” on page 46 for the description of access
controls.
The administrative rights are permissions for cloud service administrators. When you assign
these permissions to a role, be careful not to grant the application’s users privileges they
should not have. See “Assigning applications to and removing them from roles”
on page 145 for a description of the rights and the procedure for assigning them to a role.
When you open a Marketplace application for modification, note the following differences
from modifying applications added from the Samsung CellWe EMM App Catalog:
• You cannot add members to a Marketplace role. You must go to Marketplace to assign or
  add user accounts to an application. When you do so, the new user accounts are added
  to the Admin Portal role automatically.
  Note
  To add or remove a role member after the initial configuration, open the
  application from the Admin Portal Apps page, click User Access, and then click Assign
  Apps in Marketplace. This connects you directly to the KNOX Marketplace.
• You can add applications from the App Catalog to the role but you cannot add another
  Marketplace application role.
• You cannot remove the Marketplace role from a Marketplace application. To modify
  user access to a Marketplace application, you must do so in Marketplace, not in the
  Admin Portal.
Deploying web applications to KNOX containers
This section is for administrators assigning web applications to Samsung KNOX Workspace
devices with a KNOX container only.
Users open the Samsung SDS CellWe EMM WebApps application installed inside a KNOX
container to launch the web applications you assign to them. When you use the Samsung
cloud service for mobile device management, Samsung SDS CellWe EMM WebApps is
automatically installed in the KNOX container when users create the KNOX container.
Note
If you are using another mobile device management provider, users must install the
Samsung SDS CellWe EMM WebApps application by some other means. In addition, the
KNOX SSO service must be enabled and the Samsung SDS CellWe EMM WebApps
application must be added to the Application SSO whitelist policy. Contact your mobile
device management provider for the procedures.
You use the same procedure to assign web applications to Samsung SDS CellWe EMM
WebApps that you use to assign applications to the Samsung SDS CellWe EMM client (see
“Adding web applications by using Admin Portal” on page 46). How the web applications
are displayed on the devices depends upon whether you are using the Samsung cloud service
for single sign-on alone or for mobile device management and single sign-on.
If you are using the Samsung cloud service for single sign-on only, the applications are
always displayed in Samsung SDS CellWe EMM WebApps. If users also install the
Samsung SDS CellWe EMM client outside the container the web applications are listed
on the Apps screen too.
If you are using the Samsung cloud service for mobile device management as well as
single sign on, the web applications you assign are displayed in Samsung SDS CellWe
EMM WebApps only.
In this case, the Samsung SDS CellWe EMM client installed outside the container does
not have a Web Apps screen.
Note By default, the Samsung cloud service provides single sign-on for all SAML and user
name/password applications you assign to users. You can, however, disable single sign-on for
one or more devices using the mobile device Disable SSO command (see “Using Active
Directory Users and Computers to manage devices” on page 71 and “Using the device
management commands” on page 74 for the details about the mobile device commands).
Deploying mobile applications to KNOX containers
This section is for administrators who are deploying a mobile application to devices with a
Samsung KNOX container and who are using the Samsung cloud service for mobile device
management of Samsung KNOX devices.
In many ways, deploying a mobile application for installation in a Samsung KNOX
container is the same as deploying a mobile application to any Android device. That is:
• You have the application’s binary .APK file.
• You use Admin Portal to upload the .APK file and select a role to select which users get
  the application.
  You can configure the application for automatic or optional installation. If you select
  automatic, the application is installed without user prompting in the KNOX container if
  the container has already been created. If it has not, the application is installed
  automatically right after the container is created. If the application is configured for
  optional installation, the user must install it from the Samsung SDS CellWe EMM client.
• The application is listed in the Samsung SDS CellWe EMM client.
  Users can open the application either from the Samsung SDS CellWe EMM client in
  personal mode or by clicking the application’s icon from the KNOX mode container.
For devices that have a KNOX version 2 container, you use the procedures described in
“Adding and deploying mobile applications using Admin Portal” on page 54 to deploy
mobile applications for installation in the container. However, there are a couple of
differences, especially if you are deploying applications to devices with KNOX Version 1
containers:
• For KNOX version 2 containers, you can configure Android in-house applications for
  installation either in personal mode or in the KNOX mode container.
  See “Deploying inhouse Android applications to KNOX 2 containers” on page 60 for the
  details.
• For KNOX version 1 containers, mobile applications must be wrapped before they can
  be installed. If the application is not wrapped, it is installed in personal mode.
  See “Deploying wrapped mobile applications to KNOX version 1 containers” on page 61
  for the details.
Note
Applications that are downloaded from the Samsung KNOX Apps store to a KNOX
version 1 container do not need to be wrapped separately (they are already wrapped).
Deploying inhouse Android applications to KNOX 2 containers
For devices with KNOX version 2 containers, you can specify whether an inhouse Android
application is installed inside the KNOX mode container or in personal mode. (This feature
is not available for applications downloaded from Google Play.)
Note
You must have a KNOX Premium, Workspace, or EMM license to use this option. If
you do not, you can install the application on the device only and the other options are
dimmed.
You specify the installation destination when you configure the application. You have the
following options:
• Install in the KNOX container based on the Enable KNOX container policy setting.
  Select Deploy to KNOX container if the “Enable KNOX Container” policy is
  applied, otherwise deploy to device to install the application in the container, but
  only if container creation is enabled. Otherwise, the application is installed in personal mode.
  (See “Enabling the device to allow users to create an enterprise container” on page 83 to
  see how you set this policy.)
  Note
  If the “Enable KNOX Container” policy is set but the user has not yet created the
  container, the application is not installed in personal mode. Instead, application
  installation is deferred until the container is created.
• Install in the KNOX mode container.
  Select Install to KNOX container only to install the application in the KNOX 2
  container only. If the user has not yet created the container, the application is not
  installed in personal mode. Instead, application installation is deferred until the container
  is created.
• Install in personal mode.
  Select Install to Device only to install the application in personal mode only.
If the license expires, the applications remain installed in the container; however, the
container is not accessible to the user. You can continue to deploy mobile applications to a
device with an expired license; however, an error message indicates that the action cannot
be completed until the proper license is installed.
Deploying wrapped mobile applications to KNOX version 1
containers
When deploying mobile applications to devices that have a KNOX version 1 container, there are
some procedural differences for the application developer and the cloud service administrator:
For the application developer:
• Before the user can install an Android application in a Samsung KNOX version 1
  container, the application must be rebuilt by Samsung in a process referred to as “app
  wrapping.”
  To learn more about wrapping and get your application wrapped, go to
  https://www.samsungknox.com/apps/app-wrapping.
• In order for a mobile application to use single sign-on (SSO) inside of a Samsung KNOX
  container, the mobile application vendor uses the Centrify for Samsung Mobile
  Authentication Service (MAS) SDK to enable their mobile application for SSO.
For the cloud service administrator:
• You cannot deploy an application from Google Play to a KNOX version 1 container
  unless it has been wrapped.
• When deploying a Samsung KNOX wrapped mobile application, use the Android
  InHouse application template in the Apps catalog in Admin Portal.
• When deploying a Samsung KNOX wrapped mobile application that is also configured
  for SSO, you must also deploy a corresponding SAML web application to the same set of
  users.
• For every mobile application that uses the SSO capability, you must add the package
  name to the Application SSO whitelist policy (see “Adding mobile applications that use
  SSO to the Application SSO whitelist” on page 87). You get the package name from the
  application developer.
  Note
  Mobile applications that use the SSO capability that you deploy from Admin Portal
  and the user installs from the Samsung SDS CellWe EMM client on their device do not
  need to be added to the Application SSO whitelist policy.
Use the following procedure to deploy a wrapped mobile application to devices with a
Samsung KNOX version 1 container. If your mobile application was developed to use
Samsung KNOX SSO go to “How to configure mobile applications that use KNOX SSO” on
page 62 for additional deployment instructions.
To learn about application wrapping see “How developers prepare a mobile application for
use in Samsung KNOX version 1 containers” on page 63.
To deploy a wrapped mobile application to a KNOX version 1 container:
1 Open Admin Portal and select the Apps page.
2 Click Add Mobile Apps.
3 Click Add Custom App.
4 Select Android InHouse and click Add.
5 Click Yes to confirm.
6 Click Close to exit.
The Android InHouse application configuration page is opened.
7 Click Application Help underneath the application name. Use the instructions to
configure the Application Settings and Description pages.
Note KNOX installation options (see “Deploying inhouse Android applications to KNOX
2 containers” on page 60) are not available for wrapped applications.
8 Click User Access and select all of the roles that should get this application.
If you select Automatic Install (the default), the Samsung SDS CellWe EMM client
automatically installs the wrapped application in the container. If you instead select
Optional Install, the user must open the Samsung SDS CellWe EMM client and install
the application manually.
9 Click Save.
How to configure mobile applications that use KNOX SSO
Mobile applications that use the KNOX SSO service to ask for a SAML token from inside of
a Samsung KNOX version 1 or version 2 container must have a paired web SAML
application deployed from Admin Portal to authenticate the user. SAML provides a token-based method for single sign-on, and the paired web application provides the Samsung cloud
service connection to acquire the token.
Note
The Samsung SDS CellWe EMM WebApps application uses a SAML token for single
sign-on; however, it is an exception to this rule. It does not need a paired web SAML
application.
Deploying a mobile application that uses a SAML token to provide SSO:
1 In Admin Portal, deploy the wrapped application as described in “Deploying wrapped
mobile applications to KNOX version 1 containers” on page 61.
2 Using either Admin Portal or the Active Directory Group Policy Management Editor,
add the application’s package name to the Application SSO whitelist policy—see “Adding
mobile applications that use SSO to the Application SSO whitelist” on page 87.
3 In Admin Portal, add, configure, and deploy a generic web SAML application for the mobile
application.
You must deploy a SAML web application for every mobile application installed in the
KNOX container that uses Samsung KNOX SSO. This includes all of the mobile applications
you deploy and all mobile applications that use KNOX SSO that the user installs from the
Samsung KNOX Apps store.
Depending upon the application, one of the following scenarios applies:
• Deploy the SAML application in the Add App catalog in Admin Portal that is
  preconfigured for Samsung KNOX SSO.
• Deploy the SAML application in the Add App catalog in Admin Portal that you can
  configure for use with Samsung KNOX SSO. For example, Box, Dropbox, and so
  forth.
• If your SAML application isn’t already in the Add App catalog in Admin Portal, deploy
  and configure a generic SAML application profile. The mobile application developer
  provides the configuration parameters for the SAML application profile.
The following conditions apply to the web SAML application:
• The App ID has to be the same as the text string that is specified as the target in the
  getSecurityToken(target) code of the wrapped mobile application.
• There can only be one SAML application deployed using the name used by the wrapped
  mobile application. For example, you cannot have two Box SAML applications
  configured.
4 In the User Access tab of the Application Settings dialog box, assign the web SAML
application to the same roles to which you assigned the mobile applications. (See
“Assigning applications to and removing them from roles” on page 145.)
The cloud service deploys the web SAML application to the role members. This web
SAML application does not, however, appear in Samsung SDS CellWe EMM WebApps.
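The pairing rules in this procedure (the App ID must equal the getSecurityToken(target) string, only one SAML application may be deployed under that name, the SAML application must be assigned to the same roles as the mobile application, and the package name must be in the Application SSO whitelist) can be checked before you deploy. The following Python script is an added example and is not part of the CellWe EMM product or its Admin Portal; the MobileApp and SamlApp records, the com.example package names and the role names are constructed assumptions standing in for the values you would read out of Admin Portal and receive from the application developer.

```python
"""Pre-deployment consistency check for KNOX SSO pairing (added example).

Assumption: the record types below are modelled on the conditions stated in this
guide, not on any CellWe EMM export format. All sample values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class MobileApp:
    """A wrapped mobile application that calls getSecurityToken(target)."""
    name: str
    package: str              # package name supplied by the developer
    sso_target: str           # target string passed to getSecurityToken(target)
    roles: FrozenSet[str]     # roles the APK is deployed to in Admin Portal


@dataclass(frozen=True)
class SamlApp:
    """A web SAML application deployed from Admin Portal."""
    app_id: str               # App ID in the application settings
    roles: FrozenSet[str]     # roles the SAML application is assigned to


def check_sso_pairing(mobile_apps: Iterable[MobileApp],
                      saml_apps: Iterable[SamlApp],
                      sso_whitelist: FrozenSet[str]) -> List[str]:
    """Return a list of findings; an empty list means every pairing rule holds."""
    findings: List[str] = []

    # Group SAML applications by App ID: more than one per ID breaks the
    # "only one SAML application per name" rule.
    by_id: Dict[str, List[SamlApp]] = {}
    for saml in saml_apps:
        by_id.setdefault(saml.app_id, []).append(saml)
    for app_id, group in by_id.items():
        if len(group) > 1:
            findings.append(
                f"duplicate SAML application for App ID '{app_id}' "
                f"({len(group)} deployed)")

    for app in mobile_apps:
        group = by_id.get(app.sso_target, [])
        if not group:
            # App ID must equal the getSecurityToken(target) string.
            findings.append(
                f"{app.name}: no SAML web application with App ID "
                f"'{app.sso_target}'")
        else:
            # The SAML application must reach every role the APK is deployed to.
            saml_roles = set().union(*(s.roles for s in group))
            missing = sorted(app.roles - saml_roles)
            if missing:
                findings.append(
                    f"{app.name}: SAML application not assigned to roles {missing}")
        if app.package not in sso_whitelist:
            # Package name must be in the Application SSO whitelist policy.
            findings.append(
                f"{app.name}: package '{app.package}' missing from the "
                f"Application SSO whitelist")
    return findings


# Constructed sample data (hypothetical names, packages and roles).
SAML_APPS = [
    SamlApp("box", frozenset({"sales", "engineering"})),
    SamlApp("dropbox", frozenset({"sales"})),
    SamlApp("dropbox", frozenset({"finance"})),   # duplicate App ID
]
MOBILE_APPS = [
    MobileApp("Box", "com.example.box", "box", frozenset({"sales", "engineering"})),
    MobileApp("Dropbox", "com.example.dropbox", "dropbox", frozenset({"sales", "finance"})),
    MobileApp("Notes", "com.example.notes", "notes", frozenset({"sales"})),  # unpaired
]
SSO_WHITELIST = frozenset({"com.example.box", "com.example.dropbox"})


def run_sample() -> List[str]:
    """Run the check over the constructed sample and return its findings."""
    return check_sso_pairing(MOBILE_APPS, SAML_APPS, SSO_WHITELIST)


if __name__ == "__main__":
    for line in run_sample() or ["no findings"]:
        print(line)
```

On the constructed sample the check reports the duplicate dropbox App ID, the Notes application that has no paired SAML application, and the Notes package missing from the whitelist; Box passes because its App ID, roles and whitelist entry all line up.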
How developers prepare a mobile application for use in Samsung
KNOX version 1 containers
Mobile applications must be customized in a process called “app wrapping” before you can
install them in the Samsung KNOX version 1 container. To learn more about wrapping and
get your application wrapped, go to https://www.samsungknox.com/apps/app-wrapping.
The customization consists of the following broad steps:
1 Configure for SSO (optional).
The mobile application developer uses the Centrify for Samsung Mobile Authentication Service
(MAS) SDK to enable the mobile application for single sign-on. Not all applications are
appropriate for SSO; for example, you don’t need SSO for an application that doesn’t
require a login (such as a clock).
In addition to providing the APK file you need the following information from the
application developer to deploy a generic SAML web application for the mobile
application. (See “How to configure mobile applications that use KNOX SSO” on page 62
for deploying applications that use the KNOX SSO capability.)
• The text string that is specified as the target in the getSecurityToken(target) code of
  the wrapped mobile application. This text string must match the App ID in the Admin
  Portal application settings.
• The application package name. You’ll use the application package name if you need to
  add the application to the Samsung KNOX SSO whitelist.
2 Wrap the application’s APK file.
The mobile application developer produces the binary APK file. However, the APK file
must be wrapped before it can be installed in the Samsung KNOX container.
Wrapping is an automated service that unpacks the application's original APK file,
extracts the certificate, and repackages the application into a new APK package with a
digital signature and KNOX container specific certificate. The service also provides QA
testing to confirm device compatibility and inspects for malware and risk behaviors. To
learn more about wrapping and get your application wrapped, go to
https://www.samsungknox.com/apps/app-wrapping.
3 Distribute the wrapped binary.
You can use Admin Portal to distribute the wrapped application. The Samsung SDS
CellWe EMM client automatically determines if the application is wrapped and installs it
inside the KNOX container, not outside with the other Android applications.
Note If you are deploying a mobile application that uses SSO, there are some additional
deployment steps required. These are described in the next topic.
Chapter 6
Managing devices
The Devices page lists all of the devices that have been enrolled in the Samsung cloud
service. This page is blank until devices are enrolled. You can use the column headers to
sort the applications by name, type, description, and status.
Note
Your role must have the cloud service Devices Management administrative right to
view and manage the devices.
You use Admin Portal to manage devices enrolled in the Samsung cloud service. See
“Supported devices” on page 11 for the list of mobile devices that can be enrolled in the
cloud service and their operating system requirements. The Devices page in Admin Portal
lists the enrolled devices and provides you details about the device configuration, installed
applications, and activity.
Note
You can also install mobile device policies and mobile applications on enrolled devices.
See “Managing device configuration policies” on page 114 and “Adding and deploying mobile
applications using Admin Portal” on page 54 for the details.
If you are using Active Directory accounts for user authentication, you can also use Active
Directory Users and Computers to perform many of the same management functions. The
Devices page in Admin Portal lists the devices enrolled by all users. However, Active
Directory Users and Computers lists only the devices enrolled by users with Active
Directory accounts.
By default, the Samsung cloud service is set to provide mobile device management.
However, you can reset this option to provide just single sign-on for web applications. See
“Configuring mobile device management or single sign-on only” on page 205 to reset this
option. When you configure the Samsung cloud service for single sign-on only, the Admin
Portal Devices page still lists the enrolled devices; however, your device management options are
limited. For example, most of the commands are not available.
This chapter contains the following topics:
• “Enabling users to enroll devices” on page 66
• “Enrolling a device” on page 67
• “Using Admin Portal to manage devices” on page 70
• “Using Active Directory Users and Computers to manage devices” on page 71
• “Using the device management commands” on page 74
• “Working with Samsung KNOX devices” on page 80
Enabling users to enroll devices
You use the Samsung cloud service for mobile device management (see “Configuring mobile
device management or single sign-on only” on page 205) to enable users to enroll devices in
the Samsung cloud service. When devices are enrolled, you can manage them in Admin
Portal, install mobile device policies, and deploy mobile applications to select sets of
devices.
You enable users to enroll devices by adding them to a role that has the Permit device
enrollment policy set to Yes.
To enable users to enroll devices:
1 Open Admin Portal and click Roles.
2 Either create a new role or select an existing role.
3 Click Members and Add.
4 On the Add Members window:
a Enter the first few letters of the user, role, or Active Directory/LDAP account/
group you want to add and click the search icon.
b Select the relevant user, role, or Active Directory/LDAP account/group and click
Add.
5 Click Save to save the changes.
6 Click Policies and either click Add Policy Set or select an existing policy.
7 Expand Mobile Device Policies, and click Device Enrollment Settings.
8 Select Yes in the Permit device enrollment policy.
9 Configure the remainder of the policies.
See “Device Enrollment Settings - Enabling users to enroll devices” on page 96 for the
details.
10 Click Save.
11 Click Policy Settings.
12 Click Apply policy to specified roles and select the role you created or selected in
Step 2.
13 Click Save.
Enrolling a device
The Samsung cloud service requires the device owners to enroll the device regardless of
whether it is used for single sign-on or mobile device management.
Before they can enroll a device, however, the user’s account must have the enroll device
permission. See “Enabling users to enroll devices” on page 66 for the details.
Users enroll their devices using the following methods:
• For Android devices: Users install the Samsung SDS CellWe EMM client for Android on
  the device.
  Users with Samsung KNOX devices that have the Universal MDM Client (UMC)
  installed can enroll their devices by entering just their user name and password (see
  “Enabling Samsung KNOX UMC login suffix updates” on page 206 for an overview of the
  UMC).
• For iOS devices: Users install the Samsung SDS CellWe EMM client for iOS on the
  device.
  If your organization is using the Apple Device Enrollment Program, you can have the
  Samsung SDS CellWe EMM client installed automatically on the device. If you use this
  program, however, you cannot unenroll the device. See “Linking to the Apple Device
  Enrollment Program” on page 198 for the details.
Users can get the Samsung SDS CellWe EMM client from a number of places. For example:
• They can click Add Devices from the Samsung SDS CellWe EMM user portal. From the
  pop-up window, users can use a QR reader to download the application from Google
  Play or the Apple App Store, send an SMS message to the device with a link that
  downloads the application, or get a link they can enter in the device’s browser to
  download the application.
• You can send them an SMS message using the SMS Invite command.
• You can email the same link or download the Samsung SDS CellWe EMM client and
  email it to your users.
Application installation is described in the user portal. See the user portal help for the
Samsung CellWe EMM application installation and enrollment instructions for each device.
What happens when a device is enrolled
When the user enrolls a device, the Samsung cloud service performs the following actions:
• The device is added to the Devices page in Admin Portal.
If the user has an Active Directory account, the device is also added to the Active
Directory organizational unit specified in the Device Enrollment Settings.
Chapter 6 • Managing devices
67
• The web applications assigned to the user are added to the Web Apps screen in the
Samsung SDS CellWe EMM client or Samsung SDS CellWe EMM WebApps screen.
Samsung KNOX Workspace devices that are enabled to have a KNOX container do
not have the Web Apps screen. Instead, the cloud service lists the web applications in the
Samsung SDS CellWe EMM WebApps application.
• The device is added to the user’s Devices page in the Samsung SDS CellWe EMM user
portal.
Note: If the user enrolls multiple devices, the first device enrolled is designated as the
primary device. The primary device is the only device that can be used with the Mobile
Authenticator (see “Authentication - Setting authentication policy controls” on page 98).
The user can change the primary device designation in the user portal.
When you use the Samsung cloud service for mobile device management, it also performs
the following actions:
• The mobile applications are deployed to the devices.
On Android devices, the mobile applications are added to the Apps screen in the Samsung
SDS CellWe EMM client (see “Installing mobile applications on Android devices” on page
55).
On iOS devices, the user is prompted to install the mobile applications set for Automatic
Install (see “Installing mobile applications on iOS devices” on page 55).
• The mobile device policies defined in either the Samsung SDS CellWe EMM policy
service policy set or the Windows group policy object are installed.
You can use the policies to set Samsung and iOS devices into kiosk—single
application—mode. After this policy and the application are installed, the device always
opens into the specified application and that’s the only application that can be run. See
“Using the Samsung KNOX Device Settings” on page 124 and “Using iOS settings” on
page 122 for more information about kiosk mode.
• If you created a wi-fi, VPN, or Exchange profile that uses a certificate for authentication,
one or more certificates are automatically installed.
Note: If you are using the Samsung SDS CellWe EMM policy service for device policy
management, a certificate is automatically issued by the Samsung SDS CellWe EMM
cloud CA and installed in the device by the cloud service. If you are using Active
Directory group policy, the certificates (user and/or computer) are automatically issued
by your designated Active Directory certification authority (see “Using Active Directory
certificates in devices for authentication” on page 222) and installed in the device by the
cloud service.
Device status
Admin Portal shows the device status for all devices that have been enrolled in the cloud
service on the Devices page.
Note: You can also see the state of devices enrolled by users with Active Directory/LDAP
accounts in Active Directory Users and Computers. See “Using Active Directory Users and
Computers to manage devices” on page 71 for the details.
There are four status values:
• Enrolled: The device has been successfully enrolled by the user.
• Enrolling: The device is in the process of enrolling.
• Unreachable: The device has not been in contact with the cloud service for an
administrator-defined number of days (see “Device Management Settings - Monitoring
enrolled devices” on page 95).
If the device is labelled “unreachable,” it returns to “Enrolled” the next time the user opens
the Samsung SDS CellWe EMM client on the device. A device that is unreachable is not
unenrolled.
• Unenrolled: The device has been unenrolled either by an administrator or the user.
The device listing remains in Admin Portal, the Samsung SDS CellWe EMM user portal,
and Active Directory (for devices enrolled by users with Active Directory accounts only)
after it is unenrolled or unreachable and remains listed until the device is manually deleted
by a cloud service administrator or the user.
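Added example, not part of the guide or the product: a small Python model of the status rules above (Enrolled, Enrolling, Unreachable after an administrator-defined number of days without contact, Unenrolled) that an administrator could run over an exported device list to find devices that have gone quiet. The record layout, the sample serial numbers and users, the timestamp, and the 7-day threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# The four status values as the guide lists them.
ENROLLED = "Enrolled"
ENROLLING = "Enrolling"
UNREACHABLE = "Unreachable"
UNENROLLED = "Unenrolled"


@dataclass
class DeviceRecord:
    """Constructed stand-in for one row of the Devices page (assumed layout,
    not the product's own data model)."""
    serial: str
    user: str
    status: str                    # status last recorded by the service
    last_seen: Optional[datetime]  # None while the device is still enrolling


def derive_status(device: DeviceRecord, now: datetime, unreachable_after_days: int) -> str:
    """Apply the status rules from the guide.

    Enrolling and Unenrolled persist until an enrollment event changes them.
    An enrolled device that has not contacted the service for more than the
    administrator-defined number of days is reported as Unreachable; it stays
    enrolled, so no unenrollment happens here.
    """
    if device.status in (ENROLLING, UNENROLLED) or device.last_seen is None:
        return device.status
    if now - device.last_seen > timedelta(days=unreachable_after_days):
        return UNREACHABLE
    return ENROLLED


def record_contact(device: DeviceRecord, when: datetime) -> DeviceRecord:
    """The device contacted the service (the user opened the client, or the
    device acknowledged a Ping): refresh last-seen, which moves an Unreachable
    device back to Enrolled. An unenrolled device is not re-enrolled by mere
    contact; the user has to enroll it again."""
    if device.status in (ENROLLED, UNREACHABLE):
        device.last_seen = when
        device.status = ENROLLED
    return device


def unenroll(device: DeviceRecord) -> DeviceRecord:
    """Administrator or user unenrolls the device. The listing is kept
    (it remains until deleted); only the status changes."""
    device.status = UNENROLLED
    return device


def unreachable_devices(devices: List[DeviceRecord], now: datetime,
                        unreachable_after_days: int) -> List[str]:
    """Reconciliation check over an exported device list: serial numbers of
    enrolled devices that have gone quiet beyond the threshold, sorted."""
    return sorted(d.serial for d in devices
                  if derive_status(d, now, unreachable_after_days) == UNREACHABLE)


# Constructed sample data; the timestamp, serials and user names are made up.
NOW = datetime(2015, 7, 15, 12, 0)


def sample_devices() -> List[DeviceRecord]:
    return [
        DeviceRecord("SN-0001", "alice", ENROLLED, NOW - timedelta(days=2)),
        DeviceRecord("SN-0002", "bob", ENROLLED, NOW - timedelta(days=10)),
        DeviceRecord("SN-0003", "carol", UNENROLLED, NOW - timedelta(days=40)),
        DeviceRecord("SN-0004", "dave", ENROLLING, None),
    ]


if __name__ == "__main__":
    devices = sample_devices()
    for d in devices:
        print(d.serial, d.user, derive_status(d, NOW, 7))
    print("Unreachable:", unreachable_devices(devices, NOW, 7))
```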
Location tracking
If location tracking is enabled, the device’s location is displayed in a map on the Devices
screen in the user portal.
Users can turn location tracking on and off in the device’s Settings menu in the user portal.
You can turn location tracking off (location tracking is enabled by default) using the “Report
mobile device location” mobile device policy (see “Restrictions Settings” on page 230).
In iOS devices, the Samsung SDS CellWe EMM client does not use GPS location tracking.
(Using GPS hardware is very battery-expensive.) Instead, it uses the device’s significant-change
location service. This produces updates only when there has been a significant
change in the device’s location, for example 500 meters or more. In addition, significant-change
location tracking is event-based. This means that the application sleeps until there is
a significant location change. Consequently, location tracking does not have any significant
impact on battery consumption.
Note: The Apple Location icon shown on the top status bar or in the Privacy > Location
Settings does not differentiate between GPS and significant-change location tracking.
In Android devices, the Samsung SDS CellWe EMM client is configured for low power
consumption. To confirm, open the device’s Settings > Location. The Samsung SDS
CellWe EMM client listing shows “Low battery use.”
Using Admin Portal to manage devices
Admin Portal lists all of the devices that have been enrolled in the Samsung cloud service on
the Devices page. You can use the drop down menu (“All Devices” in the picture) to select
devices of a specific type. You can click the column header to sort the listed devices. You use
this page to view the device properties and issue commands to one or more devices. This
page is empty until users enroll their mobile devices.
The following figure illustrates a sample Devices page populated with devices that have
different status values.
Click on a device to display a separate page that shows the device details and, if you are
using the Samsung cloud service for mobile device management, the device activities and
installed mobile applications. If you are using another service for mobile device
management, the Installed Applications and Device Activity pages are blank.
To search for a device or devices, enter the first few characters of the information from any
field. Admin Portal automatically filters the list for the matching devices. For example, you
can enter the first few characters of the user’s name, serial number, or model to select a
device.
Sending commands from Admin Portal
Admin Portal provides commands you can send to an enrolled device. (If the device is
unenrolled you can just delete it.) You can display the commands using any of three
methods:
• Right-click the device on the Devices page.
Admin Portal displays a pop up menu with the commands. Use this method to send a
command to one device at a time.
• Click the check box of one or more devices on the Devices page.
Admin Portal displays a pop-up Actions menu with the commands.
• Click the device.
Admin Portal opens the device details page. The commands are provided in the Actions
menu.
See “Using the device management commands” on page 74 for the command descriptions.
Some commands are available for specific types of devices only.
Note: To run these commands you must be a member of an Admin Portal role that has Device
Management rights. Members of the sysadmin role have this permission. If you are not a
sysadmin, go to the Users page in Admin Portal and open your account to see your roles.
Then open the Roles page and select your role or roles to see the rights assigned to you.
To send a command from the Devices page to a single device:
1 Open Admin Portal and click Devices.
2 Right-click the device.
Admin Portal overlays a pop up window with the commands.
3 Click the command.
Admin Portal displays a drop down message indicating that the command has been issued.
To send a command from the device details page:
1 Open Admin Portal and click Devices.
2 Select a device.
Click the Actions menu. See “Using the device management commands” on page 74 for
the command descriptions.
3 Click the command.
Admin Portal displays a drop down message indicating that the command has been issued.
Using Active Directory Users and Computers to manage devices
If you are using Active Directory group policy for device policy management, you can use
Active Directory Users and Computers to manage enrolled devices. The cloud service
stores a record of each enrolled device in the Active Directory organizational unit you
specified in the Device Enrollment Settings—see “Device Enrollment Settings - Enabling
users to enroll devices” on page 96.
The device’s Properties window has the following additional tabs:
• CellWe EMM Mobile: Displays the device properties, state, logging settings, and
network traffic and phone record.
• Installed Applications: For Android devices, all of the mobile applications installed
on the device are listed. For iOS devices only the mobile applications installed using the
cloud service are listed.
In addition, the user’s Properties window has the CellWe EMM Mobile tab which lists the
devices enrolled by that user.
Note: These tabs are only added to the device and user Properties when you use Active
Directory group policy for device policy management and you installed the Active Directory
Users and Computers Console Extension when you installed the Samsung SDS CellWe
EMM Cloud Management Suite software. If you do not see these tabs, see “Installing
Samsung SDS CellWe EMM cloud connectors and administrator consoles” on page 208.
Viewing the enrolled device records
When an Active Directory user enrolls a device, the cloud service creates a device record
for it in the organizational unit specified in the Device Enrollment Settings in the policy set
assigned to the user’s role. See “Device Enrollment Settings - Enabling users to enroll
devices” on page 96 to see how you specify the organizational unit.
To view a list of all devices enrolled by a role’s members, open the Active Directory
organizational unit assigned in that role’s policy set. Any devices that have an icon with a
down arrow were enrolled at one time but are not enrolled at that moment.
Using the CellWe EMM Mobile tab
To see a device’s mobile properties, double-click the device in Active Directory Users and
Computers and then select the CellWe EMM Mobile tab. The following table describes the
General Information and State fields in this tab. The same information is available in the
device details page in Admin Portal.
General Information
Device type: The device’s model name and number.
OS version: The version number of the operating system in the device.
Phone number: If applicable, the phone number of the device.
Serial number: The serial number of the device.
IMEI number: The International Mobile Equipment Identity value for the device.
Push Notification Token: Indicates whether a Push Notification Token exists for this device.
Carrier name: If applicable, the wireless carrier to which the device is subscribed.
State
Device State: See “Device status” on page 69.
Last seen date: The date and time when the device last contacted the cloud service.
User name: The Active Directory user account name of the device’s owner.
Customer ID: The customer ID used to enroll the device.
In addition, the CellWe EMM Mobile tab provides vendor-specific information. For
example, the CellWe EMM Mobile tab for an iOS device also displays iOS settings and
carrier and network properties while on Android devices it displays logging settings and
network traffic and carrier network data.
Sending commands to a device
You can use Active Directory Users and Computers to send commands to devices. Right-click
the device listing and select All Tasks to display the commands available. You can
select multiple devices using Shift-click and Ctrl-click. If the commands are dimmed, the
device is unenrolled.
The Samsung cloud service commands available in All Tasks depend upon the type of device
and whether you are using the Samsung cloud service for single sign-on or mobile device
management. See “Using the device management commands” on page 74 for the command
descriptions.
To send Samsung cloud service commands from the device listing:
1 Open Active Directory Users and Computers on the server on which you installed the
cloud connector, or on another computer on which you installed just the Active Directory/LDAP
and group policy extensions.
2 Select the organizational unit with the mobile device accounts.
The list of devices appears in the right pane.
3 Right-click the device or select multiple devices and right-click.
4 Expand the All Tasks menu to view the commands and click the command.
Managing mobile devices from the user Properties
You can see a list of just the devices enrolled by a specific user by opening the user’s
Properties and selecting the CellWe EMM Mobile tab.
This tab also has buttons for the commands available when you use the Samsung cloud
service for mobile device management. Some devices provide additional commands. Right-click
the device to see the complete set of commands.
Devices with the red circle and “x” are unenrolled. When the device is unenrolled the
commands are dimmed.
To view devices and issue commands from an Active Directory user account:
1 Open Active Directory Users and Computers on the server on which you installed the
cloud connector, or on another computer on which you installed just the Active Directory and
group policy extensions.
2 Select the container with your mobile users’ accounts.
3 Double-click the device owner’s account.
4 Click the CellWe EMM Mobile tab.
The user’s enrolled devices are listed in the window.
5 Click a device or use Shift-click or Ctrl-click to select multiple devices and then right-
click.
The command sets available for the devices selected are displayed in a pop-up window.
6 Click the command.
See “Using the device management commands” on page 74 for the command
descriptions.
Using the device management commands
The following tables list the commands you can send to devices from Admin Portal and
Active Directory Users and Computers. The commands available vary depending upon the
device type, your Device Management permissions (see “Admin Portal administrative
rights” on page 147), and the device’s state (enrolled, unenrolled, unreachable). For
example, there are more commands available for Samsung KNOX devices than other
Android and iOS devices, and the only command available for unenrolled devices is
“Delete.” In addition, if you are using the Samsung cloud service for single sign-on only, the
only commands available are Delete, SSO Enable, and SSO Disable.
You can issue the commands from the device and user properties in Active Directory Users
and Computers when you use Active Directory Group Policy Management for device
policy management (see “Selecting the policy service for device policy management” on
page 201). If you are using Samsung SDS CellWe EMM policy service, you can invoke the
commands from Admin Portal alone.
Note: If you are using Active Directory Group Policy Management for device policy
management, you can also use the Active Directory Disable Account command to unenroll
a device.
Users can invoke many of the same commands from the user portal. The Availability
column in the following tables indicates on which devices the commands are available and
where they can be called from.
Device Management
Delete
  Availability: All devices. Active Directory Users and Computers, Admin Portal, and the
  Samsung SDS CellWe EMM user portal.
  To do this: Delete the device record from the Samsung cloud service, Active Directory
  Users and Computers, and Samsung SDS CellWe EMM user service. This removes the
  device listing from Admin Portal and the user portal too.
  Notes
  • If you delete an enrolled device, the device is unenrolled. The user is prompted to enter
    his credentials the next time he opens the Samsung SDS CellWe EMM client to re-enroll
    the device.
  • In Active Directory Users and Computers, the Delete command is offered separately
    from the All Tasks commands.
Fetch Device Log
  Availability: Samsung KNOX Workspace and Android devices only. Admin Portal only.
  To do this: Send the audit log file in the device to an email address.
  Note: Set the Common Mobile Settings > Enable debug logging policy to get richer
  debug information.
  You specify the email address when you click the command. You can also set an option to
  send the log file when the device is on Wi-Fi only.
Fetch Audit Log
  Availability: Samsung KNOX Workspace and Android devices only. Active Directory Users
  and Computers only.
  To do this: Send the audit log file from the device to an email address.
  Note: Set the Common Mobile Settings > Enable debug logging policy to get richer
  debug information.
  You specify the email address when you click the command. You can also set an option to
  send the log file when the device is on Wi-Fi only.
Force Password Change
  Availability: Samsung KNOX Workspace devices only. Active Directory Users and
  Computers, Admin Portal, and the Samsung SDS CellWe EMM user portal.
  To do this: Force user to create a new password. Users are first prompted to enter their
  current password. If this fails, the user cannot create a new password.
  If the device is on, the prompt is displayed as soon as the command is received. If the
  device is off, the prompt is displayed the next time it’s turned on.
Lock Screen
  Availability: All devices. Active Directory Users and Computers, Admin Portal, and the
  Samsung SDS CellWe EMM user portal.
  To do this: Closes the screen. To restore the screen, the user must enter the passcode.
Device Lockout
  Availability: Samsung KNOX Workspace devices only. Active Directory Users and
  Computers, Admin Portal, and the Samsung SDS CellWe EMM user portal. This command
  is not available to administrators with the Device Management (Limited) role permission.
  To do this: Lock down the device. This command lets you define a passcode that must be
  entered to unlock the device. In addition, the command lets you specify a lockout message
  that is displayed on the device.
Lock Client App
  Availability: iOS and Android devices only. Active Directory Users and Computers, Admin
  Portal, and Samsung SDS CellWe EMM user portal.
  To do this: Locks the Samsung SDS CellWe EMM client on the device.
Reset Client App PIN
  Availability: iOS and Android devices only. Active Directory Users and Computers, Admin
  Portal, and Samsung SDS CellWe EMM user portal.
  To do this: Resets the passcode for the client application on the device. This command is
  useful when users forget their passcodes.
Ping
  Availability: All devices. Active Directory Users and Computers and Admin Portal only.
  To do this: Send a message to the device and update the device’s “last seen” timestamp.
  Use this command to determine if an enrolled device in the Unreachable state is back in
  communication with the cloud service. If the device acknowledges the message, the cloud
  service updates the timestamp used to determine whether or not the device is still in use.
  Note: After you send the ping command, refresh the browser page to update the device’s
  status.
Power Off Device
  Availability: Samsung KNOX Workspace devices only. Active Directory Users and
  Computers, Admin Portal, and the Samsung SDS CellWe EMM user portal.
  To do this: Turn off the device.
Reapply Policies
  Availability: All devices. Active Directory Users and Computers and Admin Portal only.
  To do this: Install all of the current group policy profiles (rather than only the updated
  policies) on the device.
  Note: Group policies are not installed on devices for users with accounts in Samsung SDS
  CellWe EMM user service alone.
Reboot Device
  Availability: Samsung KNOX Workspace devices only. Active Directory Users and
  Computers only.
  To do this: Force the device to reboot.
Reset Password
  Availability: All devices. Active Directory Users and Computers, Admin Portal, and the
  Samsung SDS CellWe EMM user portal.
  To do this: Force user to create a new passcode. This command just prompts the user to
  create a new password. (Use Force password change if you want to authenticate the user
  before the passcode can be changed.)
  If the device is on, the prompt is displayed as soon as the command is received. If the
  device is off, the prompt is displayed the next time it’s turned on.
  Note: This command does not undo a lock command.
Unenroll Device
  Availability: All devices. Active Directory Users and Computers, Admin Portal, and the
  Samsung SDS CellWe EMM user portal. This command is not available to administrators
  with the Device Management (Limited) role permission.
  To do this: Suspend the device from the Samsung cloud service. This removes all mobile
  device policy profiles installed on the device. It does not, however, remove the Samsung
  SDS CellWe EMM client.
  To use the Samsung cloud service again, the user must enroll the device again.
  Note: You can set a policy that prevents users from unenrolling a device. See “Using the
  Common Mobile Settings” on page 121.
Update Policies
  Availability: All devices. Active Directory Users and Computers, Admin Portal, and the
  Samsung SDS CellWe EMM user portal.
  To do this: Push the current mobile device policies for installation on the device. This
  command ensures that the device has the latest mobile device policy settings.
Wipe Device
  Availability: All devices. Active Directory Users and Computers, Admin Portal, and the
  Samsung SDS CellWe EMM user portal. This command is not available to administrators
  with the Device Management (Limited) role permission.
  To do this: Remove all user data and restore the device to its shipping default state.
  Note: You can set a policy that prevents users from wiping a device. See “Using the
  Common Mobile Settings” on page 121.
SSO Management
Disable SSO
  Availability: All devices. Active Directory Users and Computers, Admin Portal, and the
  Samsung SDS CellWe EMM user portal.
  To do this: Disable single sign-on for web applications listed in the Samsung SDS CellWe
  EMM client and, on KNOX devices, in Samsung SDS CellWe EMM WebApps and the
  mobile applications that use the Samsung KNOX SSO service.
  You would use this command, for example, if the device is misplaced or stolen.
  After this command is sent, an error message is displayed when the user opens the
  application indicating that SSO is disabled. The user cannot open any application on the
  selected device that uses SSO until the Enable SSO command is sent.
Enable SSO
  Availability: All devices. Active Directory Users and Computers, Admin Portal, and the
  Samsung SDS CellWe EMM user portal.
  To do this: Enable single sign-on for the web applications listed in the Samsung SDS
  CellWe EMM client and, for KNOX devices, in Samsung SDS CellWe EMM WebApps, and
  the mobile applications that use the Samsung KNOX SSO service.
  By default SSO is enabled. This command is provided so you can enable single sign-on
  again for a device that previously had it disabled.
Call Log Management
Reset Call Counts
  Availability: Samsung KNOX Workspace devices only. Active Directory Users and
  Computers, Admin Portal, and the Samsung SDS CellWe EMM user portal.
  To do this: Reset the call counts.
Reset Data Usage Count
  Availability: Samsung KNOX Workspace devices only. Active Directory Users and
  Computers, Admin Portal, and the Samsung SDS CellWe EMM user portal.
  To do this: Reset the count of cellular data network bytes received and sent.
Container Management
Create Container
  Availability: Samsung KNOX Workspace devices only. Active Directory Users and
  Computers and Admin Portal (not available from the Samsung SDS CellWe EMM user
  portal).
  To do this: Enable the user to create a Samsung KNOX enterprise container after enrolling
  the device. When you use this command, the Samsung SDS CellWe EMM client adds the
  Create KNOX container option to the Setup screen.
Disable Container
  Availability: Samsung KNOX Workspace devices only. Active Directory Users and
  Computers, Admin Portal, and the Samsung SDS CellWe EMM user portal.
  To do this: Lock the KNOX enterprise container. Users cannot open the container until an
  Enable Container command is sent to the device.
Enable Container
  Availability: Samsung KNOX Workspace devices only. Active Directory Users and
  Computers, Admin Portal, and the Samsung SDS CellWe EMM user portal.
  To do this: Unlock the KNOX enterprise container. If the device is locked using the
  Disable container command, the user cannot open it until this command is sent to the
  device.
Re-Authenticate SSO
  Availability: Samsung KNOX Workspace devices only. Active Directory Users and
  Computers, Admin Portal, and the Samsung SDS CellWe EMM user portal.
  To do this: Force the user to enter his credentials the next time he logs in to an application
  configured for single sign-on.
  Normally, the user does not need to log in to any applications configured for single
  sign-on. After you issue this command, the next time the user opens any mobile application
  installed in the Samsung KNOX container that uses the single sign-on interface she is
  prompted to enter her credentials. The user is prompted just once.
Remove Container
  Availability: Samsung KNOX Workspace devices only. Active Directory Users and
  Computers, Admin Portal, and the Samsung SDS CellWe EMM user portal. This command
  is not available to administrators with the Device Management (Limited) role permission.
  To do this: Remove the KNOX enterprise container. This command does not remove a
  KNOX personal container.
Reset Container Password
  Availability: Samsung KNOX Workspace devices only. Active Directory Users and
  Computers, Admin Portal, and the Samsung SDS CellWe EMM user portal.
  To do this: Force the user to create a new password for the enterprise container. If the user
  is inside the container when the command is sent, the user is prompted to change the
  password the next time he tries to re-enter.
Working with Samsung KNOX devices
Samsung KNOX devices are similar to other Android devices in several ways; for example,
users install the same Samsung SDS CellWe EMM client and can send the same device
commands to update policies, reset the password, etc. However, if you are using the
Samsung cloud service for mobile device management, you have many more commands you
can send to the KNOX Workspace devices, and there are many more mobile device policies
you can set. The commands are described earlier in this chapter (see “Using the device
management commands” on page 74). The mobile policies are introduced in “Using the
Samsung KNOX Device Settings” on page 124 and “Using the Samsung KNOX Workspace
Settings” on page 127.
In addition, users with Samsung Workspace devices can create a Samsung KNOX mode
container. A KNOX mode container is a password-protected area in which users can
manage, maintain and protect information separate from the applications and files on the
device. You can also purchase licenses to deploy mobile and web applications that are
available to the user from the container only.
This section describes working with Samsung KNOX devices and containers when you are
using the Samsung cloud service for mobile device management. If you are using another
service for mobile device management, these topics do not apply to you, and you can skip
to “Using KNOX Workspace devices in a single sign-on configuration” on page 88.
This section contains the following topics:
• “KNOX Workspace device properties” on page 81
• “Enterprise versus personal KNOX containers” on page 82
• “Enabling the device to allow users to create an enterprise container” on page 83
• “Determining the KNOX container version” on page 84
• “Deploying a system wide VPN client to KNOX Workspace devices” on page 85
• “Working with UMC supported KNOX devices” on page 86
• “Moving files and data between the container and device” on page 86
• “Enabling enterprise billing” on page 87
• “Adding mobile applications that use SSO to the Application SSO whitelist” on page 87
• “Using KNOX Workspace devices in a single sign-on configuration” on page 88
KNOX Workspace device properties
If you are managing Samsung KNOX Workspace devices, the device details screen adds the
following fields under Operating System Settings which can be useful for device
management:
Operating System Setting: Indicates this setting
Audit log
  Indicates if the audit log is enabled or disabled.
  The device can record an audit log of user activities that you can fetch in Admin Portal
  (see “Using the device management commands” on page 74).
  To enable the audit log, set the Samsung KNOX Workspace Settings > Device Settings >
  Enable audit log policy in either Active Directory or the Samsung SDS CellWe EMM
  policy service.
KNOX Attestation State
  Indicates if software attestation is enabled.
  Attestation state indicates whether the device’s boot loader, kernel, and system software
  have been modified. Attestation is confirmed when the user enrolls the device and
  periodically after that by the MDM provider.
  By default, this policy is not enabled. To enable attestation, set the Samsung KNOX
  Workspace Settings > Require attestation verification policy in either Active Directory
  or the Samsung SDS CellWe EMM policy service.
KNOX Container
  Indicates the status of the KNOX container as follows:
  • Active: The user has created a KNOX enterprise container, and the Samsung cloud
    service is the mobile device management provider.
  • Creation in progress: A KNOX container is being created on the device.
  • Does not exist: A KNOX enterprise container has not been created on the device.
  • Lock: The KNOX enterprise container has been locked.
  • Removal in progress: The KNOX container is being removed from the device.
  • Unmanaged: There is a KNOX container on the device, however, it is a personal
    container or an enterprise container managed by another mobile device management
    provider.
KNOX Device SDK Version
  Indicates the device’s MDM software version. The MDM version determines which mobile
  device policies are available to you in the Active Directory Group Policy Management
  Editor and Samsung SDS CellWe EMM policy service.
KNOX Workspace SDK version
  Indicates the device’s KNOX container version. This affects several aspects of container
  usage. See “Determining the KNOX container version” on page 84 for the details.
Last Successful KNOX Attestation Check
  Indicates the last time attestation was performed to confirm that the device’s boot loader,
  kernel, and system software have not been modified.
  Note: This setting is displayed only when the “Require attestation verification” Samsung
  KNOX Workspace policy is set.
Log SMS
  Indicates if short message service logging is enabled or disabled.
  By default, SMS logging is disabled. To enable SMS logging, set the Samsung KNOX
  Device Settings > Device Inventory Settings > Enable logging of SMS policy in either
  Active Directory or the Samsung SDS CellWe EMM policy service.
Enterprise versus personal KNOX containers
All Samsung KNOX Workspace devices allow users to create a KNOX enterprise container
when the licenses have been procured and you have enabled the device to allow the user to
create a container. Some KNOX Workspace devices let users create a personal container. A
personal container provides many of the same features as the enterprise container—that is,
the personal container is also a password-protected, private workspace with its own set of
applications and file folders. You do not need to set a policy to enable users to create a
personal container.
Devices can have only one container—either a personal or an enterprise container—on a
device. If the user creates a personal container and then creates an enterprise container, the
personal container and all of its files are deleted and the mobile applications in the container
are uninstalled.
When you use the Samsung cloud service for mobile device management, the Samsung SDS
CellWe EMM client automatically installs Samsung SDS CellWe EMM WebApps in an
enterprise container. However, users with personal containers must download and install
the application themselves. The instructions are provided in the user portal online help.
When they do, Samsung SDS CellWe EMM WebApps lists all of the web applications you
assign in Admin Portal and provides single sign-on to those applications.
There are several operational differences that distinguish personal from enterprise
containers:
• Single sign-on to Samsung SDS CellWe EMM WebApps is not supported when it is
installed in the personal container. Users must enter their credentials every time they
open Samsung SDS CellWe EMM WebApps. (However, they are not prompted to enter
their credentials when they open the web applications.)
• If users with personal KNOX containers don't install the Samsung SDS CellWe EMM
client on their devices, the devices do not appear in the Devices screen in Admin Portal
and do not appear in users' Devices screen in the Samsung SDS CellWe EMM user
portal.
After the user creates an enterprise container, the mobile device policies are installed,
Samsung SDS CellWe EMM WebApps is installed, and the KNOX SSO service is updated
and enabled. This takes a minute or two to complete. Users can then open Samsung SDS
CellWe EMM WebApps to launch the web applications you assign to them. If you deployed
any mobile applications for automatic installation, they are installed on the device right after
the device is enrolled too.
Notes
• When you set the “Enable KNOX container” policy, the Samsung SDS CellWe EMM
client does not include the Web Apps screen on KNOX 2 devices. However, on KNOX
1 devices, the Samsung SDS CellWe EMM client contains the Web Apps screen until the
user runs the “Enable Samsung KNOX Workspace mode” command.
• On Verizon devices only, the Chrome browser is automatically installed in the container.
To prevent Chrome from being installed, use the Samsung KNOX Workspace Settings
> Application Management > Applications that can be installed policy.
Enabling the device to allow users to create an enterprise container
Users cannot create a KNOX enterprise container until you set the “Enable KNOX
container” policy (see “Using the Samsung KNOX Workspace Settings” on page 127) in a
Samsung SDS CellWe EMM policy service policy set or Active Directory group policy
object.
On KNOX version 1 devices, this results in two commands being added to the SETUP
REQUIRED screen in the Samsung SDS CellWe EMM client:
• Enable Samsung KNOX Workspace mode: This command confirms that you have a
sufficient license key to create a container and activates one of your licenses.
• Create KNOX container: This command launches the container creation procedure.
On KNOX version 2 devices, the license validation and activation is done transparently and
the container creation process is launched immediately at the end of device enrollment
when you set this policy.
The instructions for creating the KNOX container are in the user portal.
To enable a user to create a KNOX enterprise container by using the Samsung SDS CellWe
EMM policy service:
1 Open Admin Portal and select the policy set applied to the users’ role.
2 Expand Policies, Mobile, and Samsung KNOX Workspace Settings.
3 Click Enable KNOX container and then use the drop-down list to select Yes.
4 Click Save.
To enable a user to create a KNOX enterprise container by using the Group Policy
Management Editor:
1 Open the Group Policy Management Editor and select the group policy object you have
linked to the Active Directory container with the Samsung KNOX devices.
2 Expand Samsung SDS CellWe EMM Cloud Management Settings and select
Samsung KNOX Workspace Settings.
3 Double-click Enable KNOX container.
4 Select Policy enabled and click OK. (The policy is set “True” by default.)
Determining the KNOX container version
There are two versions of Samsung KNOX Workspace devices extant in the marketplace.
There are differences in some device behaviors and user procedures for devices that have a
KNOX version 1 versus a version 2 container. In addition, some policies are only available
on KNOX version 2 containers (for example, moving files between personal space and the
container.) The KNOX container version number depends upon the KNOX Workspace
SDK version installed in the device.
The following procedure describes how you determine the KNOX container version from
the KNOX Workspace SDK version. The device must be enrolled to perform this
procedure.
To determine the device’s KNOX container version:
1 Open Admin Portal and click the Devices tab.
2 Click the KNOX Workspace device and then click Details.
3 Scroll down through the Operating System Settings to KNOX Workspace SDK
Version.
The field value indicates the KNOX container version number as follows:
Entry                                 KNOX Container version number
KNOX_ENTERPRISE_SDK_VERSION_1_x_x     1
KNOX_ENTERPRISE_SDK_VERSION_2_x       2
Note
Users can perform a similar procedure from the user portal.
Deploying a system wide VPN client to KNOX Workspace devices
If you are configuring a system wide VPN client policy (that is, a VPN client that will be
used from both the device and the container), you should deploy the VPN client binary
from Admin Portal.
You can deploy the binary from Google Play. Alternatively, if you have the binary, use the
Android InHouse template to deploy the client. You deploy the VPN client in the same
manner you would deploy any mobile application from Google Play to Android devices. See
“Adding and deploying mobile applications using Admin Portal” on page 54 for the details.
For KNOX version 2 devices, the Samsung SDS CellWe EMM client automatically installs
the VPN client on the device and in the container. On KNOX version 1 containers, the
VPN client is only installed on the device. You do not need to install it in the container.
The following VPN client packages are currently supported:
VPN client vendor
Client software
Juniper
Junos Pulse (do not use the Junos Pulse for Samsung version).
You can get this client from Google Play.
F5
F5 BIG-IP Edge Client.
You can get this client from Google Play.
Mocana
This VPN client is only available from the Samsung KNOX web site and
you must have an account to download it. Go to https://www.samsungknox.com,
log in to your account, click Download KNOX VPN Client, and follow the
instructions to download the binary file.
Then, open Admin Portal and open the Apps page. Click Add Mobile
Apps, click the Add Custom App tab, and click the Add button for
Android InHouse to upload the binary. See “Adding and deploying mobile
applications using Admin Portal” on page 54 for more details.
Notes
If you are using the Juniper Junos Pulse client, the user must accept the end user license
agreement (EULA) before the VPN profile can be configured. Users get an outstanding
item in the Setup item in the Samsung SDS CellWe EMM client screen menu and an error
message when they open the VPN profile in the SETUP REQUIRED screen.
To complete the configuration, users exit the Samsung SDS CellWe EMM client
application, open the Junos Pulse application on the device, and accept the EULA. Users
can then close the Junos Pulse application, open the Samsung SDS CellWe EMM client,
open the Setup screen, and tap the Junos Pulse client to complete the installation.
On KNOX version 2 containers, if you are configuring the VPN for system-wide use—that
is, the same VPN is used for all applications—the user must accept the EULA for the Junos
Pulse client installed on the device and in the container. If you are configuring the VPN
client for per-app use, the user needs to accept the EULA in the Junos Pulse client installed
on the device only.
The Junos Pulse configuration instructions are provided in the user portal help in the section
that describes creating a KNOX container.
Working with UMC supported KNOX devices
Some Samsung KNOX devices are equipped with the Universal Mobile Device
Management Client (UMC). Users with UMC supported devices can simply enter their
Samsung cloud service user name and password to install the Samsung SDS CellWe EMM
client on their device and enroll it to the cloud service. These users do not need to get the
Samsung SDS CellWe EMM client from Google Play and install it manually.
When the user opens the UMC, the software contacts the Samsung Enterprise Gateway, a
different cloud-based service containing records of which account login suffixes are
associated with which mobile device management cloud services. The Samsung Enterprise
Gateway receives the enrollment request from the UMC, parses the account name in the
request to extract the login suffix, and uses that to contact the MDM provider that has
previously registered that login suffix in the gateway. The MDM provider then installs its
client software in the device.
To automate installation of the Samsung SDS CellWe EMM client using UMC, however, you
must enable the policy that automatically updates the Samsung Enterprise Gateway every
time you make a login suffix change. See “Enabling Samsung KNOX UMC login suffix
updates” on page 206 for the details.
Moving files and data between the container and device
You can set policies that control whether users can move files between the device and the
container. In addition, you can set a policy that synchronizes the data in applications with
instances installed inside and outside of the container.
Note
These policies are only available for KNOX version 2 containers.
See “Restriction Settings” on page 253 for the policies that let you control whether users
can move data out of or into the container. The user opens the My Files app in the device or
container to select and move the files. Users cannot copy the files; they can only move
them.
See “Application Management” on page 249 for the policy that synchronizes the data. You
use the policy to specify the application and the direction of the data (to or from the
container and the device). You can specify multiple applications.
Enabling enterprise billing
Enterprise billing allows separate bill generation for personal and enterprise data usage. You
enable it using the Enable Enterprise Billing (if you are using Active Directory/LDAP group
policy for device policy management) or the Enterprise Billing (if you are using the
Samsung SDS CellWe EMM policy service) in the Samsung KNOX Workspace Settings.
Note
This feature is only available for devices that have KNOX 2.1.
You would enable this policy for employees who bring their own devices to work. The
policy lets you have two different Access Point Names (APNs) that separate data usage
over mobile internet (2G/3G/4G) connections. The default APN is used for routing
personal data connections and the second, enterprise APN is used for the following:
• All data traffic from a KNOX container
• All data traffic from the Samsung SDS CellWe EMM client
Before you can use this policy you need to work with your mobile network operator for the
following:
• The mobile network operator must create a separate, enterprise APN for you. This is
the APN that will be used for enterprise data. You specify this APN in the policy.
• The mobile operator must record the transactions over the enterprise APN separately so
that enterprise data can be billed separately.
When you configure the policy, you also need to enter the mobile country code and the
mobile network code.
Adding mobile applications that use SSO to the Application SSO whitelist
The KNOX container has a KNOX SSO Service which provides single sign-on for mobile
applications installed in the container. All applications that you deploy or users install in the
KNOX container that use the KNOX SSO Service must be added to the device’s
Application SSO whitelist before the user can open the application. In addition, the device
must have a valid Samsung KNOX SSO license.
You add an application to the device’s SSO whitelist by adding the application’s package
name to the Application SSO whitelist policy in the group policy object or policy set.
Note
Samsung SDS CellWe EMM WebApps uses the Samsung KNOX SSO Service.
However, it is automatically added to the device’s Application SSO whitelist when the user
creates the KNOX container using the Samsung SDS CellWe EMM client. (It will not be
listed in the Application SSO whitelist policy.)
The following procedures describe how to add applications to the Application SSO whitelist
policy using the Samsung SDS CellWe EMM policy service and the Group Policy
Management Editor.
To add a mobile Android app to the Application SSO whitelist using the Samsung SDS
CellWe EMM policy service:
1 Open Admin Portal and select the policy set.
2 Expand Policies, Mobile, Samsung KNOX Settings, and Container Settings.
3 Click Applications Settings and click the Application SSO Whitelist Add button.
4 Enter the application’s package name.
Note
The package name is not the application name.
5 Click Save.
To add a mobile Android app to the Application SSO whitelist using the Group Policy
Management Editor:
1 Open the Group Policy Management Editor and select the group policy object you have
linked to the organization unit with the Samsung KNOX devices.
2 Click Samsung SDS CellWe EMM Cloud Management Settings > Samsung
KNOX Workspace Settings > Container Settings > Application
Management.
3 Double-click Application SSO whitelist.
4 Click Policy enabled and the Add button.
5 Enter the application’s package name and click OK.
Note
The package name is not the application name.
6 Click OK to exit the dialog box.
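The whitelist rule above (package name on the Application SSO whitelist, plus a valid KNOX SSO license, with Samsung SDS CellWe EMM WebApps added automatically) can be modelled as a small check. This is an added example written for this guide, not code from the CellWe EMM product; the package names other than com.samsungemm.sso.myapps are constructed for illustration.

```python
"""KNOX SSO whitelist check by package name.

Added worked example, not product code. An app in the container may use the
KNOX SSO Service only if its package name is on the Application SSO whitelist
and the device holds a valid KNOX SSO license. Sample package names other than
com.samsungemm.sso.myapps are constructed.
"""
import re
from typing import Iterable, Set

# Per the guide, CellWe EMM WebApps is whitelisted automatically and is not
# shown in the policy, so it is included here without appearing in the admin list.
WEBAPPS_PACKAGE = "com.samsungemm.sso.myapps"

# Android package names: dot-separated identifiers, at least two segments.
_PACKAGE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")


def is_package_name(entry: str) -> bool:
    """True for a syntactically valid Android package name."""
    return bool(_PACKAGE_RE.match(entry))


def build_whitelist(policy_entries: Iterable[str]) -> Set[str]:
    """Validate the values an admin typed into the policy.

    The guide warns that the package name is not the application name; a
    display name such as "Salesforce" is rejected here instead of silently
    never matching anything on the device.
    """
    whitelist = {WEBAPPS_PACKAGE}
    for entry in policy_entries:
        entry = entry.strip()
        if not is_package_name(entry):
            raise ValueError(
                f"{entry!r} is not a package name (the package name is not the application name)"
            )
        whitelist.add(entry)
    return whitelist


def can_use_sso(package: str, whitelist: Set[str], sso_license_valid: bool) -> bool:
    """Exact match only: a prefix match would wrongly accept com.example.crm.other
    on the strength of an entry for com.example.crm."""
    return sso_license_valid and package in whitelist


if __name__ == "__main__":
    wl = build_whitelist(["com.example.crm", " com.example.mail "])
    print(sorted(wl))
    print(can_use_sso("com.example.crm", wl, True))
    print(can_use_sso("com.example.crm.other", wl, True))
```

Membership is checked with a set of exact strings, and the license flag is checked first, so an app that is whitelisted on a device without a valid KNOX SSO license is still refused.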
Using KNOX Workspace devices in a single sign-on configuration
If you are not using the Samsung cloud service for mobile device management, you can still
use it for single sign-on to web applications. (See “Configuring mobile device management
or single sign-on only” on page 205 to select the Samsung cloud service for mobile device
management or opt out.) When you do not use the Samsung cloud service for mobile
device management, users install the Samsung SDS CellWe EMM client on the device to
enroll just their account in the Samsung cloud service. This provides single sign-on to the
web applications you assign to them in Admin Portal. However, the cloud service does not
enroll the device in the cloud service.
If your users are creating KNOX mode containers, they can also install Samsung SDS
CellWe EMM WebApps in the container to launch the web applications you assign to them
from inside the container. However, in this case Samsung SDS CellWe EMM WebApps is
not automatically installed in the container. Instead, you use the mobile device management
provider’s procedures to configure the container. There are two parts to the configuration:
• Installing the application
• Enabling single sign-on
Deploying Samsung SDS CellWe EMM WebApps
You will need to work with your mobile device management provider to deploy the
Samsung SDS CellWe EMM WebApps mobile application to the users and install it in the
container.
Use the following URLs to download the Samsung SDS CellWe EMM WebApps binary apk
file. There are two versions: one for KNOX version 1 containers (this version is wrapped)
and one for KNOX version 2 containers (this version is not wrapped).
Note
In all of the following URLs, you replace vv.r-bbb with the file’s version, revision and
build number. Contact Support to get the correct numbers for your account.
• Sample URL for KNOX version 1 containers:
http://global-apps.s3.amazonaws.com/emm.samsungknox.com/knox1/sec_container_1.Knox1MyWebApps.apk
• Sample URL for KNOX version 2 containers:
http://global-apps.s3.amazonaws.com/emm.samsungknox.com/knox2/MyWebApps.apk
Enabling single sign-on in a KNOX mode container
There are two aspects to enabling single sign-on in a KNOX mode container:
• Turn on the KNOX SSO Service.
On Samsung Workspace devices, single sign-on in a KNOX mode container is provided
through the KNOX SSO Service. When you use the Samsung cloud service for mobile
device management, the KNOX SSO Service is installed and enabled automatically.
When you have another mobile device management provider, it is their responsibility to
either enable the pre-loaded SSO service or install and enable a replacement.
• Specify the applications that can use the KNOX SSO Service.
Samsung KNOX Workspace devices restrict access to the KNOX SSO Service to mobile
applications that have been listed on an SSO whitelist in the device. When you are using
the Samsung SDS CellWe EMM policy service to manage devices, for example, you use
the Application SSO whitelist policy to specify the applications. However, how you add
applications to the device’s SSO whitelist will vary with each mobile device management
provider.
You must add Samsung SDS CellWe EMM WebApps to the SSO whitelist to provide
single sign-on to the web applications. In many cases, to add the application you are
required to provide its package name. If your mobile device management provider
requires you to specify the package name for Samsung SDS CellWe EMM WebApps, use
the following: com.samsungemm.sso.myapps.
Chapter 7
Managing policies
You use the Policies tab in Admin Portal to create policy sets for roles. A policy set lets you
configure the following categories of policies:
• Mobile Device Policies
Use to set device management settings (for example, time periods for device information
updates and unresponsive devices) and device enrollment settings (for example, whether
users can enroll devices, the number of devices they can enroll, and the types of devices
they can enroll).
The Mobile Device Policies are only available if you use the Samsung cloud service for
mobile device management. (See “Configuring mobile device management or single
sign-on only” on page 205.) If you are using the cloud service for single sign-on only, the
Mobile Device Policies are not included.
If you are using the Samsung cloud service for device policy management (see “Selecting the
policy service for device policy management” on page 201), the set of Mobile Device
Policies also includes configuration policies for Android, Samsung, and iOS devices.
If you have selected Active Directory group policy for device policy management rather
than the Samsung SDS CellWe EMM policy service, then you use the Active Directory
Group Policy Management Editor to configure the device policies.
• Account Security Policies
You can use account security policies to set and configure policies for multifactor
authentication, password reset controls, and the password requirements for Samsung
SDS CellWe EMM user service accounts.
• Application Policies
You can use the application policy to prevent users from adding web applications from
their user portal. (By default, users can add web applications on their portal.)
Information relevant to this topic:
• “Using policy sets” on page 92
• “Device Management Settings - Monitoring enrolled devices” on page 95
• “Device Enrollment Settings - Enabling users to enroll devices” on page 96
• “Authentication - Setting authentication policy controls” on page 98
• “Password Reset - Setting forgotten password reset policies” on page 109
• “Password Settings - Setting password controls” on page 112
• “Application policies - Preventing users from adding applications” on page 114
• “Managing device configuration policies” on page 114
• “Mobile device configuration policies overview” on page 119
Using policy sets
You use a policy set to configure the device management settings, device enrollment
settings, account security policies (authentication, password reset, and password)
and application policies for a set of users. You apply the policy set to one or more roles to
apply the policy set to users.
Policy sets can also be used to define device configuration policies. Whether they are
depends on which tool you select for device policy management: the Samsung SDS CellWe
EMM policy service or Active Directory group policy. See “Selecting the policy service for
device policy management” on page 201 for the details.
• If you select the Samsung SDS CellWe EMM policy service for device policy
management, you also use policy sets to enable and disable device configuration policies.
• If you select Active Directory group policy for device policy management, you use
group policy objects to enable and disable device configuration policies.
When you select Active Directory group policy, you use roles to apply the policies to sets
of users; however, the implementation is different. In this case, you link the group policy
object to an Active Directory organizational unit and then specify that organizational unit
in the device enrollment settings—see
In both cases, the policy settings are installed initially when the user enrolls the device.
They are updated automatically according to the policy push delay or update interval you set
(See “Selecting the policy service for device policy management” on page 201 for the
details.) You can also update the policies in real time—see “Updating device configuration
policy changes” on page 94 for the details.
You can set up hierarchical policy sets so that, for example, a base policy set can be applied
to all users and then other policy sets can be applied to smaller sets of users (for example,
the sales and support departments). This lets you supersede policies set in the base policy
set. See “Using hierarchical policy sets” on page 93 for the details.
You can see the current setting for the policies you have set by clicking Summary. Click
the link to open the category if you want to make changes.
Creating a policy set and assigning it to a role
There are no default policy sets. To create a policy set you click the Add Policy Set button
on the Policies page. You can apply a policy set to all users with accounts in the cloud
service or apply it to users in specific roles only. You can also set a policy set to inactive.
The policy set goes into effect when the user logs in to the user portal. If you are using the
cloud service for mobile device management, the device configuration policies are installed
when the user enrolls the device.
You edit an existing policy set by clicking it on the Policies page—see “Editing a policy set”
on page 94.
To create a policy set and apply it to one or more roles:
1 Open Admin Portal, click Policies, and click Add Policy Set.
2 Enter a name for the policy set.
You can use uppercase and lowercase characters, spaces, numbers, and most special
characters (you cannot, for example, use the forward and backward slash). The Name
text box outline turns red if you enter an illegal character.
3 Enter the Description you want to appear on the Admin Portal Policy page.
4 Specify the scope of the policy set.
Click one of the options to apply the policy to all users, apply the policy set to specific
roles only, or set the policy to inactive.
If you select “Apply policy to specified roles,” select the roles.
Setting the device management, device enrollment, account security, and application
policies is described in the topics that follow. See “Managing device configuration
policies” on page 114 to learn about using the device configuration settings.
5 Click Save.
Using hierarchical policy sets
You can apply multiple policy sets to the same role. For example, you might create a global
policy set to set basic policies for all users and then create more policy sets to augment or
change the policies set in the global policy set for each role. You would assign the global
policy set to all roles and then add the role-specific policy set to the role.
The Samsung cloud service reads the policy sets from bottom to top on the Policy page
when it installs the policies in a device. If the same policy has different settings in different
policy sets, the setting in the last policy set read—the top-most—is applied.
For example, consider a role that has two policy sets—Global and Sales—which are
organized on the Policies page with Global at the bottom and Sales above it. In the Global
policy set, the “Enable authentication policy controls” policy is not set (see “Authentication - Setting authentication policy controls” on page 98 for a description of this policy).
However, in the Sales policy set this policy is set to “Yes.” This means that when members of
the Sales role log in to the user portal, the authentication controls are enforced.
The same bottom-to-top process is applied to mobile device policies. For example, if you
have the “Permit camera use” policy (see “Using the Common Mobile Settings” on page
121) set to “No” in the Global policy set but in the Sales policy set it is set to “Yes,” members
of the Sales role can use the device’s camera.
See “Managing device configuration policies” on page 114 for more information on
using mobile device policies in hierarchical policy sets.
Note
For users in multiple roles, the cloud service first determines which policy sets apply to the
user and then reads those policy sets from bottom to top to apply the policies. The
hierarchical order of the roles has no effect upon the order in which the policy sets are read.
If you want one policy set’s settings to be enforced over another’s, move that policy set up
in the list.
To have one policy set supersede another:
1 Open Admin Portal and click Policies.
2 Right-click the policy set with the policies settings you want to apply and click Move
Up.
You can also click and drag the policy up and down in the list.
3 Repeat until the policy set is where you want it.
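The bottom-to-top reading order described above (later, higher sets win, but only for policies they actually set; role hierarchy plays no part) is easy to get wrong when several policy sets apply to a user. The following is an added example written for this guide, not code from the CellWe EMM product; it reproduces the Global/Sales scenario with constructed policy values and also models the Move Up action.

```python
"""Effective-policy resolution for hierarchical policy sets.

Added worked example, not product code. Position in the Policies page list
(index 0 = top) decides precedence; a policy whose value is None counts as
"not set" and never overrides a lower set. Policy set names and values are
constructed for illustration.
"""
from typing import Dict, List, Optional


class PolicySet:
    def __init__(self, name: str, roles: Optional[List[str]], policies: Dict[str, object]):
        self.name = name
        self.roles = roles          # None: "apply policy to all users"
        self.policies = policies    # only the policies the admin actually set


def applicable_sets(page_order: List[PolicySet], user_roles: List[str]) -> List[PolicySet]:
    """Policy sets that apply to a user, in page order (top first).
    The hierarchical order of the roles is ignored on purpose."""
    return [ps for ps in page_order
            if ps.roles is None or any(r in ps.roles for r in user_roles)]


def effective_policies(page_order: List[PolicySet], user_roles: List[str]) -> Dict[str, object]:
    """Read the applicable sets bottom to top; the top-most set read last wins
    for every policy it sets. Unset (None) policies leave the lower value in place."""
    effective: Dict[str, object] = {}
    for ps in reversed(applicable_sets(page_order, user_roles)):   # bottom -> top
        for key, value in ps.policies.items():
            if value is not None:
                effective[key] = value
    return effective


def move_up(page_order: List[PolicySet], name: str) -> List[PolicySet]:
    """Equivalent of right-click > Move Up: swap the set with the one above it."""
    order = list(page_order)
    i = next(i for i, ps in enumerate(order) if ps.name == name)
    if i > 0:
        order[i - 1], order[i] = order[i], order[i - 1]
    return order


# Constructed sample: Sales sits above Global on the Policies page.
GLOBAL = PolicySet("Global", None, {
    "Enable authentication policy controls": None,   # not set in Global
    "Permit camera use": "No",
})
SALES = PolicySet("Sales", ["Sales"], {
    "Enable authentication policy controls": "Yes",
    "Permit camera use": "Yes",
})
PAGE_ORDER = [SALES, GLOBAL]   # index 0 is the top of the list

if __name__ == "__main__":
    print("Sales member:  ", effective_policies(PAGE_ORDER, ["Sales"]))
    print("Support member:", effective_policies(PAGE_ORDER, ["Support"]))
    print("After Move Up Global:", effective_policies(move_up(PAGE_ORDER, "Global"), ["Sales"]))
```

With Sales above Global, a Sales member gets authentication controls enforced and camera use permitted; a Support member only gets the Global values. Moving Global above Sales flips camera use back to No for Sales members while leaving the authentication control set, because Global does not set that policy.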
Editing a policy set
To change policies in a policy set, you click the policy set listing in the Policies page and
click the policy to make the change. You can see the current setting for the policies you have
set previously by clicking Summary. (Summary does not show the default value for
policies you have not modified.)
Changes to device management and enrollment settings, account security policies, and
applications policies are implemented immediately. Changes to the device configuration
policies are deployed to the devices according to the policy push delay (for the Samsung SDS
CellWe EMM policy service) or update interval (for Active Directory group policy) you set
in Device Policy Management on the Settings page (see “Selecting the policy service for
device policy management” on page 201). You can also push an update to the devices—see
“Updating device configuration policy changes” on page 94).
Updating device configuration policy changes
After you change a device configuration policy, the cloud service automatically updates the
devices according to the policy push delay or update interval you set in Device Policy
Management on the Settings page in Admin Portal (see “Selecting the policy service for
device policy management” on page 201).
If you are using Active Directory Group Policy Management to define policies, you update
users with policy changes using Active Directory Users and Computers.
To update all devices when you use the Samsung SDS CellWe EMM policy service:
1 In Admin Portal, click the Policy tab.
2 Click Push Policy.
3 Click Yes in the pop up window.
To push policy set changes to individual devices:
1 In Admin Portal, click the Devices tab.
2 Right click the device listing.
You can also click the device listing and open the details.
3 Click Update Policies.
If you opened the device’s details page, click Actions and select Update Policies.
To push group policy object changes to individual devices:
1 Open Active Directory Users and Computers.
2 Open the organizational unit with the devices.
3 Select the devices.
4 Right-click and expand All Tasks and then Device Management.
5 Click Update Policies.
Device Management Settings - Monitoring enrolled devices
Use these policies to set two parameters for monitoring devices enrolled in the cloud:
• The device polling frequency, in hours (the default is 12 hours).
• The “unreachable” device threshold (the default is 14 days).
Using device polling
The cloud service pings the device according to the frequency you set in the “Update device
information frequency” setting. If the device does not respond, it pings it again after 90
minutes. Each ping requests the current information on device properties, installed
applications, and installed mobile device policies. The cloud service uses this information to
update the device’s properties displayed in Admin Portal and the Samsung SDS CellWe
EMM user portal.
Use the drop-down list to increase or decrease the polling frequency. The only consequence
upon the device of more frequent polling is a minimal increase in battery use.
Setting the “unreachable” threshold
A device is designated “unreachable” if the cloud service does not get a ping response or the
user doesn’t open the Samsung SDS CellWe EMM client on the device during the period
you set in the “Mark unresponsive devices as ‘Unreachable’ threshold” setting.
Use the drop-down list to increase or decrease the period.
Note
The device remains enrolled after the status is changed to “Unreachable.” If the device
responds to a ping or the user opens the Samsung SDS CellWe EMM client, the status is
changed back to enrolled.
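The polling cadence and the “Unreachable” rule described in the two sections above can be checked with a small model. This is an added example written for this guide, not code from the CellWe EMM product; the timestamps are constructed, and the default values (12-hour polling, 90-minute retry, 14-day threshold) are the ones the guide states.

```python
"""Device polling schedule and "Unreachable" status.

Added worked example, not product code. Models the monitoring rules above:
poll every N hours (default 12), retry 90 minutes after a missed response,
and mark a device Unreachable when neither a ping response nor an open of
the CellWe EMM client has been seen within the threshold (default 14 days).
All timestamps are constructed.
"""
from datetime import datetime, timedelta
from typing import Optional

RETRY_AFTER = timedelta(minutes=90)


def next_poll(last_poll: datetime, responded: bool, poll_hours: int = 12) -> datetime:
    """Normal cadence after a response; a 90-minute retry after a missed one."""
    return last_poll + (timedelta(hours=poll_hours) if responded else RETRY_AFTER)


def device_status(now: datetime,
                  last_ping_response: Optional[datetime],
                  last_client_open: Optional[datetime],
                  unreachable_days: int = 14) -> str:
    """'Enrolled' while the most recent contact (ping response or client open)
    lies within the threshold, otherwise 'Unreachable'.

    Because the status is derived from the latest contact alone, a new ping
    response or client open automatically moves the device back to Enrolled,
    matching the guide's description.
    """
    contacts = [t for t in (last_ping_response, last_client_open) if t is not None]
    if not contacts:
        return "Unreachable"
    return ("Enrolled"
            if now - max(contacts) <= timedelta(days=unreachable_days)
            else "Unreachable")


if __name__ == "__main__":
    t0 = datetime(2015, 7, 1, 8, 0)
    print("answered at 08:00, next poll:", next_poll(t0, True))
    print("missed at 08:00, retry at:   ", next_poll(t0, False))
    now = datetime(2015, 7, 20, 8, 0)
    print(device_status(now, datetime(2015, 7, 1, 8, 0), None))
    print(device_status(now, datetime(2015, 7, 1, 8, 0), datetime(2015, 7, 10, 8, 0)))
```

Note that a client open counts as contact even when every ping has gone unanswered, so a device whose push channel is broken but whose user still opens the client never shows as Unreachable; that is the behaviour the guide describes, and it is worth remembering when reading the Devices list.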
Device Enrollment Settings - Enabling users to enroll
devices
To enroll devices, users must be members of a role in which the Permit device enrollment
policy in the Device Enrollment Settings is set to Yes. The Device Enrollment settings also
let you create rules to control the types and quantity of devices they can enroll. These
settings apply regardless of whether you use the Samsung SDS CellWe EMM policy service
or Active Directory group policies to manage device configuration policies.
These settings replace the “Enroll devices” permission in the administrative rights for
roles and the “Allow jailbroken/rooted devices” policy in Common Mobile Settings >
Restrictions Settings in previous releases of the Samsung SDS CellWe EMM User Suite.
Note See “Supported devices” on page 11 for the Android and iOS versions supported. Users
whose devices do not meet this standard cannot enroll devices.
You use the following fields to create rules to control the types and quantity of devices users
can enroll (each device enrollment control setting is followed by the limitation it enforces):
Max number of devices a user can enroll
    Limits the number of devices a user can enroll. Change the value to reset the number
    higher or lower.
Permit jailbroken devices to enroll
    Prevents jailbroken devices from enrolling. To enable users to enroll a jailbroken device,
    select Yes in the drop-down menu. Open the tool tip for more information on this policy.
Cloud Manager user’s guide
96

Permit Android devices
    Use the drop-down menu to select All to allow users to enroll any Android device, Filter to
    define enrollment rules for Android devices, None to prevent users from enrolling Android
    devices, or "--" (Not configured) to use the default setting. The default is All.
Permit iOS device enrollment
    Use the drop-down menu to select All to allow users to enroll any iOS device, Filter to
    define enrollment rules for iOS devices, None to prevent users from enrolling iOS devices,
    or "--" (Not configured) to use the default setting. The default is All.
The Samsung cloud service reads the policy sets from bottom to top on the Policy page
when it installs the policies in a device. See “Using hierarchical policy sets” on page 93.
To enable users to enroll devices:
1 Open Admin Portal and click the Policies page.
2 Either create a new policy set or open an existing policy set.
See “Creating a policy set and assigning it to a role” on page 92 for the instructions.
3 Expand Mobile Device Policies.
4 Click Device Enrollment Settings.
5 Select Yes in Permit device enrollment.
6 Click Select to enter the Organizational unit.
Note You perform this step only if you are using Active Directory group policy to set
device configuration policies. See “Selecting the policy service for device policy
management” on page 201. If you are using Samsung SDS CellWe EMM policy service to
set device configuration policies, you should skip this step.
On the Organizational Unit window:
a Enter the first few characters of the organizational unit linked to the group policy
object you want to use for this policy set and click the search icon.
b Select the organizational unit and click OK.
The organizational unit you select is also the organizational unit in which the device
record is stored when the user enrolls the device. If the user’s role has multiple policy
sets, the device record is stored in the organizational unit specified in the highest policy
set (see “Using hierarchical policy sets” on page 93).
See “Configuring group policy objects and organizational units” on page 204 to develop
your configuration of organizational units and group policy objects.
7 Specify the maximum number of devices users can enroll.
8 Use the drop-down menu to permit users to enroll jailbroken devices or to prevent them
from doing so.
9 Set rules to control the enrollment of Android and iOS devices.
You can select All, None, or a Filter for each. If you select Filter, click Add Rule to
specify a filter, condition, and value for each rule. Click Add to save each rule.
Repeat for each rule and then each device.
10 Click Save to close the policy set editing session.
11 Assign the policy set to a role—see “Creating a policy set and assigning it to a role” on
page 92.
12 Add users to the role—see “Adding and removing users and groups to and from roles” on
page 144.
Authentication - Setting authentication policy controls
You use the Authentication policy in Account Security Policies to enable and disable
authentication policy controls, configure the conditions that require controls, and select the
authentication methods available to users.
By default, the Samsung cloud service requires multifactor authentication for users to log in
to Admin Portal and the user portal. That is, when users log in they are prompted to enter
their user name, password, and another method of authentication.
You can also apply the controls defined in this policy for authentication when users open
applications in the user portal. You enable this policy on an application-by-application
basis—see “Setting web application access policies” on page 41. The same configuration you
set in this policy also applies to the application access control.
Note You must have a Samsung CellWe EMM IAM+ license key and licenses to use
multifactor authentication.
This section contains the following topics:
• “Authentication methods” on page 99
• “What you need for each authentication method” on page 100
• “Temporarily suspending multifactor authentication” on page 101
• “Browser cookies associated with authentication policy controls” on page 101
• “How multifactor authentication affects the user” on page 102
• “Customizing authentication requirements” on page 103
• “Selecting authentication mechanisms” on page 107
• “Customizing session length and signed-in options” on page 108
Authentication methods
The following methods are available (each authentication method is followed by the user
response):
Mobile Authenticator
    Users are prompted in the user portal or application login window to enter a passcode, and
    the cloud service sends a notification to their primary device. The user opens the
    notification or, if the Samsung SDS CellWe EMM client is open, taps the Authentication
    screen, and then taps either Approve or Deny to allow or prevent access.
    Samsung SDS CellWe EMM Mobile Authenticator uses the device’s notification service.
    Notifications are enabled by default when you install the Samsung SDS CellWe EMM
    client. If you do not have notifications enabled or the device is not connected via cell
    service or wi-fi, the behavior is different—see “Using Samsung SDS CellWe EMM Mobile
    Authenticator” on page 100 for the details.
Phone call
    The cloud service calls the mobile phone number in the user’s Active Directory, LDAP, or
    user service account and describes an action the user must perform to complete
    authentication. The user completes the action from the device to log in.
Text Message (SMS) confirmation code
    The cloud service sends an SMS message to the user’s mobile phone with a one-time
    confirmation code and/or an authentication URL. Depending on the language setting, some
    languages display only the confirmation code while others display the confirmation code
    and URL. To log in, users that are connected to the cell service can acknowledge the
    message. Users who are not connected enter the confirmation code into the portal’s login
    prompt.
Email confirmation code
    The cloud service sends an email message with a one-time confirmation code. The user
    taps the link in the email to log in.
User-defined Security Question
    When you select this method, users are prompted to create a question and answer. When
    users log in to a portal or open the application, a pop-up window displays the question
    and prompts the user to enter the answer.
What you need for each authentication method
The following table lists the authentication methods and the associated Active Directory,
LDAP, and Samsung SDS CellWe EMM user service account properties that must be set
correctly. If a property is not set correctly, the user may not be able to log in.
Samsung SDS CellWe EMM Mobile Authenticator
    Required user account property: Enrolled device
    Active Directory/LDAP Properties tab: Not applicable
    Samsung SDS CellWe EMM user service Profile property: Not applicable
Phone call
    Required user account property: Mobile phone number
    Active Directory/LDAP Properties tab: Open the Telephones tab and set the Mobile field
    Samsung SDS CellWe EMM user service Profile property: Set the Mobile Number field
Text message (SMS) confirmation code
    Required user account property: Mobile phone number
    Active Directory/LDAP Properties tab: Open the Telephones tab and set the Mobile field
    Samsung SDS CellWe EMM user service Profile property: Set the Mobile Number field
Email confirmation code
    Required user account property: Any valid email address
    Active Directory/LDAP Properties tab: Open the General tab and set the E-mail field
    Samsung SDS CellWe EMM user service Profile property: Set the Email address field
User-defined security question
    Required user account property: NA
    Active Directory/LDAP Properties tab: NA
    Samsung SDS CellWe EMM user service Profile property: NA
Before you enable a specific authentication factor, confirm that each account has current
contact information or a currently enrolled device—and make account changes a day before
you enable the authentication policy for the accounts. If the information needed for a user’s
authentication is not current in the Samsung cloud service, the user will not be able to log in.
If you need to modify a user’s Active Directory or LDAP account, any changes you make are
not immediately updated in the Samsung cloud service. For example, it can take up to 24
hours for changes made in Active Directory Users and Computers to be incorporated into
the cloud service.
By contrast, updates made to Samsung SDS CellWe EMM user service accounts go into
effect immediately.
Note Users can set their Active Directory or LDAP account’s mobile phone number from
the user portal. When users change their Active Directory or LDAP account’s mobile phone
number using the user portal, the change goes into effect immediately.
Using Samsung SDS CellWe EMM Mobile Authenticator
The Samsung SDS CellWe EMM Mobile Authenticator authentication method uses the
device’s notification service to send a message to the device. To complete the login, the user
can do either of the following:
• Open the notifications (for example, on an Android device users drag down from the
Notification bar) to display the notification messages and tap Approve in the notification
from Samsung SDS CellWe EMM Mobile Authenticator.
• Open the Samsung SDS CellWe EMM client and tap Approve in the pop-up on the
Authentication screen.
The notification is sent to the user’s primary device only. The primary device is the first
device the user enrolls. If the user enrolls additional devices, they can change the primary
device in the user portal—see “What happens when a device is enrolled” on page 67 for the
details.
You do not need to have notification turned on for the Samsung SDS CellWe EMM client to
use Samsung SDS CellWe EMM Mobile Authenticator. If you turn it off, the notification is
still sent to the device, however, the user must open the Samsung SDS CellWe EMM client
to complete the action.
If the device is not connected via cell service or wi-fi, the notification is not sent. However,
users can still log in by entering the code shown on the Authentication screen in the login
prompt.
Temporarily suspending multifactor authentication
If the user’s account information required for multifactor authentication is not set properly
and it prevents the user from logging in, you can use the MFA Unlock command in Admin
Portal to suspend multifactor authentication for 10 minutes—see “User Management
commands” on page 25. The user must still enter the correct user name and password and is
still prompted to enter the additional authentication factor, however, the cloud service does
not validate anything beyond the user name and password. Consequently, the user can, for
example, enter any string of characters to fulfill the SMS confirmation code, and the cloud
service accepts the entry.
To temporarily suspend multifactor authentication for a user:
1 Open Admin Portal and select the Users page.
2 Right-click the account for the user who is locked out.
3 Select MFA Unlock.
The user has 10 minutes to log in.
Browser cookies associated with authentication policy controls
When you enable authentication policy controls, the Samsung cloud service leaves the
following identity cookies in your users’ browsers:
• After multifactor authentication: The cloud service leaves a cookie in the current
browser after the user has successfully logged in to Admin Portal or the Samsung SDS
CellWe EMM user portal by using a multifactor authentication method.
When the cloud service finds this cookie, it does not prompt the user to provide an
additional authentication method for subsequent logins (the user is still required to enter
a user name and password) unless the policy is set to always require additional
authentication.
• After IWA Authentication: The cloud service leaves a cookie in the current browser
when the user has successfully logged in to Admin Portal or the user portal using
Integrated Windows Authentication.
When the cloud service finds this cookie, it ignores the multifactor authentication
requirements and lets a user open a web application from the user portal that is set with
the “Restrict app to clients within the Corporate IP range” policy regardless of their IP
address (see “Removing an application” on page 46).
Users are required to provide multifactor authentication if the cookies are deleted or they
use a different browser to log in.
How multifactor authentication affects the user
When you enable multifactor authentication, users are prompted to enter another
authentication method after they enter their password. The users are prompted in the login
window with a drop-down list of all of the authentication methods you selected in the
authentication policy. The user then selects a method from the list. In this example, the
administrator made available three methods, and the user selected email verification:
The cloud service prompts the user for the additional factor only if the password is correct.
If the user does not enter the right password, the cloud service cancels the login attempt.
If the password has expired, the cloud service prompts the user to create a new password
after she has successfully fulfilled the additional authentication method. See “Password
Settings - Setting password controls” on page 112 to set password age and other password
properties.
Enabling multifactor authentication
If multifactor authentication is not enabled by default, you enable it in the Policies tab in
Admin Portal. You open a policy set first (see “Creating a policy set and assigning it to a
role” on page 92) and then enable Account Security Policies > Authentication >
Enable authentication policy controls. Next, you define when multifactor
authentication is required and what authentication methods are presented to the user (see
“Customizing authentication requirements” on page 103).
To enable multifactor authentication:
1 Open Admin Portal and click Policy.
2 Click the policy set.
3 Expand Policies and Security, and then click Authentication.
The default setting is Not configured (represented by “--”). This means that users are only
required to enter their user name and password to log in.
4 Click the drop-down menu and click Yes.
Admin Portal displays the options you use to configure the authentication policy.
5 Specify when to require multifactor authentication.
• Select Always require additional authentication at Sign in to prompt the user
for an additional method every time they log in.
After selecting this option, the custom settings options are dimmed. Skip to “Selecting
authentication mechanisms” on page 107 to complete the configuration.
• Select Use custom settings to specify additional authentication
requirements to configure the connection factors that require multifactor
authentication, IWA support, and exceptions.
After selecting this option, continue with “Customizing authentication requirements”
on page 103 and then go to “Selecting authentication mechanisms” on page 107 to
complete the configuration.
Customizing authentication requirements
If you don’t require multifactor authentication every time the user logs in to Admin Portal
or the Samsung SDS CellWe EMM user portal, you use the following options to configure
the requirements:
• Connection factors that require additional authentication—see “Setting the connection
factors that require additional authentication” on page 104.
• Integrated Windows Authentication—see “Setting Integrated Windows authentication
(IWA)” on page 105.
• Exceptions—see “Setting Exceptions” on page 106.
You can select connection factors that require additional authentication and Integrated
Windows Authentication separately or together.
Setting the connection factors that require additional authentication
You can require an additional authentication method for one or both of the following
connection factors:
• Browsers without identity cookie: The connection factor is the cookie put in the
current browser by the cloud service after the user has successfully logged in using
multifactor authentication.
When there is no cookie, users are prompted to provide an additional authentication
method when they log in to the user portal or Admin Portal. Otherwise, they are
prompted for just their user name and password.
If users delete browser cookies or use a different browser, the cloud service prompts
them again for an additional authentication method when they log in.
Note For web applications set to “Require Strong Authentication” (see “Removing an
application” on page 46), the cloud service prompts users for additional authentication
the first time they log in to the application and writes a different cookie after successful
authentication.
• Connections outside the corporate IP range: The connection factor is the
computer’s IP address when the user logs in.
Users are prompted for an additional authentication method only when the IP address of
their computer is outside the IP address range specified in the Corporate IP Range
settings in Admin Portal (see “Setting Corporate IP ranges” on page 200).
The cloud service writes a cookie after the user logs in from outside the IP range.
However, the user is still required to provide multifactor authentication. To exempt
users who have successfully logged in from outside the IP range, set Disregard for
browsers with identity cookie.
Note These settings also apply to web applications set to “Restrict app to clients within
the Corporate IP range” (see “Removing an application” on page 46).
To require multifactor authentication the first time the user logs in:
1 Open Admin Portal, click Policies, and select the policy set.
2 Under Policy Settings, expand Account Security Policies, and click
Authentication.
3 Click the drop-down list and click Yes.
4 Select Use custom settings to specify additional authentication
requirements.
5 Select Browsers without identity cookie.
6 Proceed to “Selecting authentication mechanisms” on page 107 to complete the
configuration.
To require multifactor authentication the first time users log in from outside the corporate IP
range:
1 Open Admin Portal, click Policies, and select the policy set.
2 Under Policy Settings, expand Account Security Policies, and click
Authentication.
3 Click the drop-down list and click Yes.
4 Select Use custom settings to specify additional authentication
requirements.
5 Set Connections outside the corporate IP range.
6 Set Disregard for browsers with identity cookie.
Note Do not set this option if you require multifactor authentication every time the user
logs in from outside the corporate IP range.
7 Proceed to “Setting Exceptions” on page 106 to continue with the configuration.
Setting Integrated Windows authentication (IWA)
The Samsung cloud service lets you accept an Integrated Windows Authentication
connection as sufficient authentication for users with Active Directory accounts when they
log in to Admin Portal or the Samsung SDS CellWe EMM user portal. (Integrated
Windows Authentication is not available to users with cloud accounts.)
To use Integrated Windows Authentication, users must specify their login suffix in the
portal URL in the following form:
• Admin Portal: https://cloud.samsungemm.com/manage?customerID=<loginsuffix>
• Samsung SDS CellWe EMM user portal: https://cloud.samsungemm.com/my?customerID=<loginsuffix>
where <loginsuffix> is the login suffix for their account (see “Using login suffixes” on page
195).
By default, Integrated Windows Authentication is enabled when you install the cloud
connector. You enable the IWA settings by opening the Settings page in Admin Portal and
clicking the Cloud Connector tab. Right-click the cloud connector and click Modify. See
“Configuring cloud connectors” on page 181 to determine the current IWA setting and
configuration.
Note Integrated Windows Authentication may require additional configuration within some
browsers. See “Configuring browsers for silent authentication” on page 261 to see if your
browser requires additional configuration.
When you enable Integrated Windows Authentication, the cloud service writes a cookie in
the current browser after a successful IWA-based login. The Samsung cloud service checks
the browser for this cookie when the user logs in to either portal. As long as the cookie is
there, the user is not prompted for multifactor authentication.
You can also use Integrated Windows Authentication to exempt users from multifactor
authentication when they open web applications that require strong authentication. See
“Removing an application” on page 46 to set strong authentication for web applications. The
user must have the cookie in their browser when they open the application. If this cookie is
not present, the user is prompted for the multifactor authentication mechanisms selected.
To allow the Integrated Windows Authentication cookie to satisfy applications that require
strong authentication:
1 Open Admin Portal, click Policies, and select the policy set.
2 Under Policy Settings, expand Account Security Policies, and click
Authentication.
3 Click the drop-down list and click Yes.
4 Select Use custom settings to specify additional authentication
requirements.
5 Set Set identity cookie for IWA connections.
Use this option to enable Integrated Windows Authentication. If you do not set this
option, the cookie is not written in the browser after a successful IWA-based login.
6 Set Accept IWA connections as strongly authenticated for application
policies.
Use this option to use the Integrated Windows Authentication cookie to exempt users
from multifactor authentication for web applications set to “Require strong
authentication.”
7 Proceed to “Setting Exceptions” on page 106 to continue with the configuration.
Setting Exceptions
The cloud service looks into the user’s Active Directory/LDAP or Samsung SDS CellWe
EMM user service account for the mobile phone number or email address used for
multifactor authentication. Normally, users who have neither mobile phone number nor
email address cannot log in to the user or administrator portals when you enable
authentication policy controls.
Set this option to exempt users from multifactor authentication when their account does
not have a mobile phone number and email address. They must still provide a user name and
password.
Continue to “Selecting authentication mechanisms” on page 107 to complete policy
configuration.
Selecting authentication mechanisms
You select which multifactor authentication mechanisms are available to users using the
check boxes under “Additional authentication mechanisms.” You can select any number of
these options. If you select more than one, the login prompt lets the user select which one
to use (see “How multifactor authentication affects the user” on page 102).
The mechanisms ultimately offered to the user at the login prompt depend upon the
account’s properties. For example, if you select all of the mechanisms but the account has
just a user name, the login prompt offers just the user-defined security question as an
authentication option. If the user account has just a user name and email address, the login
prompt offers just the user-defined security question and email confirmation code options.
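The way the customized requirements (connection factors, the IWA cookie and the Exceptions setting) combine with this account-property filtering can be followed more easily in code. The following is an added Python model of the behaviour described in this section, not Samsung SDS code; the class, field and mechanism names are assumptions chosen to mirror the option labels above, and treating the Exceptions setting as applying only when no mechanism is usable is a modelling assumption.

```python
# Added example (not Samsung SDS code): a model of the authentication-policy
# decision described in this chapter. Names are assumptions, not product APIs.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class AuthPolicy:
    """Options under Account Security Policies > Authentication (assumed field names)."""
    enabled: bool = True                    # Enable authentication policy controls
    always_require: bool = False            # Always require additional authentication at Sign in
    browsers_without_cookie: bool = False   # Browsers without identity cookie
    outside_corporate_ip: bool = False      # Connections outside the corporate IP range
    disregard_with_cookie: bool = False     # Disregard for browsers with identity cookie
    iwa_cookie: bool = False                # Set identity cookie for IWA connections
    exempt_without_contact: bool = False    # Setting Exceptions
    corporate_ranges: List[str] = field(default_factory=list)  # Corporate IP Range settings
    mechanisms: List[str] = field(default_factory=list)        # checked mechanisms, in order


@dataclass
class Account:
    """The account properties each mechanism depends on (see the table on page 100)."""
    enrolled_device: bool = False
    mobile_phone: Optional[str] = None
    email: Optional[str] = None
    security_question_set: bool = False     # the user has created the question and answer


@dataclass
class LoginContext:
    client_ip: str
    password_ok: bool = True
    has_mfa_cookie: bool = False   # cookie written after a successful multifactor login
    has_iwa_cookie: bool = False   # cookie written after a successful IWA login


def in_corporate_range(ip: str, ranges: List[str]) -> bool:
    """True when the client address falls inside any configured corporate range."""
    addr = ip_address(ip)
    return any(addr in ip_network(r) for r in ranges)


def offered_mechanisms(policy: AuthPolicy, account: Account) -> List[str]:
    """Keep only the selected mechanisms whose required account property is present."""
    usable = {
        "mobile_authenticator": account.enrolled_device,
        "phone_call": account.mobile_phone is not None,
        "sms_code": account.mobile_phone is not None,
        "email_code": account.email is not None,
        "security_question": account.security_question_set,
    }
    return [m for m in policy.mechanisms if usable.get(m, False)]


def evaluate_login(policy: AuthPolicy, account: Account, ctx: LoginContext) -> str:
    """Return 'denied', 'password_only', 'mfa:<mechanisms>' or 'denied_no_contact'."""
    if not ctx.password_ok:
        return "denied"            # the extra factor is only requested after a correct password
    if not policy.enabled:
        return "password_only"     # Not configured ("--"): user name and password only
    if policy.always_require:
        required = True            # custom settings, including IWA, are dimmed in this mode
    else:
        required = False
        if policy.browsers_without_cookie and not ctx.has_mfa_cookie:
            required = True
        if policy.outside_corporate_ip and not in_corporate_range(
                ctx.client_ip, policy.corporate_ranges):
            # an identity cookie only helps here when "Disregard ..." is set
            if not (policy.disregard_with_cookie and ctx.has_mfa_cookie):
                required = True
        if policy.iwa_cookie and ctx.has_iwa_cookie:
            required = False       # IWA cookie present: no multifactor prompt
    if not required:
        return "password_only"
    mechanisms = offered_mechanisms(policy, account)
    if mechanisms:
        return "mfa:" + ",".join(mechanisms)
    # Exceptions (modelling assumption): exempt only accounts with neither phone nor email
    if policy.exempt_without_contact and account.mobile_phone is None and account.email is None:
        return "password_only"
    return "denied_no_contact"     # nothing usable and no exception configured
```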

• Samsung SDS CellWe EMM Mobile Authenticator
When you select Samsung SDS CellWe EMM Mobile Authenticator, users authenticate
using a one-time passcode displayed by the Samsung SDS CellWe EMM client installed
on their mobile device. The one-time passcode is valid for five minutes. At the end of this
period, a new passcode is displayed.
If a user’s device is connected either through the cell network or a wi-fi connection, the
user can send the passcode from the device. If the device is not connected, the user must
enter the passcode in the Admin Portal or Samsung SDS CellWe EMM user portal login
prompt.
Note This option requires users to have the Samsung SDS CellWe EMM client installed
on their device, and the device must be enrolled in the Samsung cloud service. How to
install the Samsung SDS CellWe EMM client and enroll a device is described in the
Samsung SDS CellWe EMM user portal help. However, the user cannot use help until
they log in to the user portal. If you decide to use this multifactor authentication
mechanism without giving an alternative option, be sure to provide your mobile users
with instructions for the Samsung SDS CellWe EMM client installation and device
enrollment. For example, you can save a PDF copy of the instructions from the user
portal help and email it to your users.
• Phone call
When you select Phone Call authentication, the Samsung cloud service calls the user’s
mobile phone number after the user successfully responds to the user name and password
prompts. When a user answers the call, a recording is played that says that the call is from
the Samsung cloud service and tells the user to perform a specific action—for example,
press the # key. After the user successfully completes the action, the cloud service opens
the web portal or application that the user is trying to open.

• Text message (SMS) confirmation code
When you select the text message confirmation code, the Samsung cloud service sends a
confirmation code and link via a text message to the user’s mobile phone number and
prompts the user to enter the code at the login prompt.
Users who are connected to the Internet can tap the link in the message. Otherwise, they
must enter the code in the login prompt.
The link and confirmation code are valid for 20 minutes. If a user does not respond within
this time period, the cloud service cancels the login attempt.
• Email confirmation code
When you select the email confirmation code, the Samsung cloud service sends a
confirmation code and a link to the user’s email address. Users who are connected to the
Internet can click the link. Otherwise, they need to enter the confirmation code in the
login prompt.
The link and confirmation code are valid for 20 minutes. If a user does not respond within
this time period, the cloud service cancels the login attempt.
• User-defined Security Question
When you select this option, it is not added to the list of mechanisms from which the
users can choose until the user creates the question and answer. Users create, or change,
the question and answer from their Account page in the user portal.
When users select this option, the next prompt after they enter their password is a new
window with the question and a text box in which they enter their answer. In addition,
the Account page in the user portal includes a link labeled “Set Security Question” that
lets users set the question and answer.
Customizing session length and signed-in options
You use the Cookie Settings to manage the session length. A session is that period of time
during which the cloud service accepts a previous log in for authentication. For example, if
the session length is 1 hour and the user logs in and then logs out, the cloud service opens
the user portal without requiring users to enter their credentials for one hour. After an
hour, the cloud service displays the login page again.
You also use the Cookie Settings to give users the option to stay signed in, to set the default
state of that option, and to set the maximum hours the user can stay signed in. By default,
the user does not have the option to stay signed in.
To change the default session length:
1 Open Admin Portal and click Policies.
2 Expand Account Security Policies and click Authentication.
3 If Enable authentication policy controls is not set, use the drop down menu to
select Yes.
4 Scroll down to Cookie Settings and enter the number of hours for the session length
in the text box.
5 Click Save.
To display “Keep me signed in” on the login screen:
1 Open Admin Portal and click Policies.
2 Expand Account Security Policies and click Authentication.
3 If Enable authentication policy controls is not set, use the drop down menu to
select Yes.
4 Scroll down to Cookie Settings and set Allow users to stay signed in (the box
should be set).
5 Set Default stay signed in option to enabled (the box should be set) to have the
box checked by default in the login screen.
6 In the text box, enter the maximum number of hours the user can stay signed in.
7 Click Save.
Password Reset - Setting forgotten password reset policies
You use the Password Reset policies to set controls for the following:
• Enable users with Samsung SDS CellWe EMM user service accounts who have forgotten
their password to log in and reset their password.
See “Selecting forgotten password reset verification mechanisms” on page 110.
• Enable users with Active Directory accounts who have forgotten their password to log in
and reset their password.
See “Enabling forgotten password reset for Active Directory users” on page 111.
• Set the password expiration notification time period and other password reset parameters.
See “Setting password reset policy parameters” on page 111.
Note These policies are provided to help users who have forgotten their password. You can
also set a policy that enables or prevents users from changing their password from the user
portal—see “Enabling users to change their password” on page 113.
To enable password reset policies:
1 Open Admin Portal, click the Policies tab, and select the policy set.
2 Under Policy Settings, expand Account Security Policies, and select Password
Reset.
3 Click the drop-down list and select Yes.
4 Limit who can use password reset to users who have already successfully logged in.
Set “Only allow from browsers with identity cookie” to restrict password reset for a
forgotten password to those users who have already logged in successfully. If this box is
not set, anybody can use the password reset options.
Note The cloud service writes the identity cookie the first time the user logs in
successfully. However, when users clear the history on their browsers, it removes this
cookie.
5 Select the verification mechanisms available to the user to recover from a forgotten
password.
See “Selecting forgotten password reset verification mechanisms” on page 110 for the
description of the options.
6 Optional: Enable users with an Active Directory account who have forgotten their
password to log in and reset their password.
If you do not set this option, the “Forgot your password?” link is not displayed in the login
prompt for users with Active Directory accounts.
See “Enabling forgotten password reset for Active Directory users” on page 111 to set and
configure this option.
7 Set the additional policy parameters.
See “Setting password reset policy parameters” on page 111 for the parameter
descriptions.
8 Click Save.
Selecting forgotten password reset verification mechanisms
When you enable authentication policy controls, the cloud service displays a link labeled
“Forgot your password” on the login page for the user and administrator portals. After
clicking the link, the user is prompted to select a password reset method to use for
authentication and, when authentication is successful, is then prompted to create a new
password.
The password reset methods are the same as the authentication mechanisms available for
multifactor authentication. See “Selecting authentication mechanisms” on page 107 for the
descriptions. The same caveats governing their display in the login prompt apply too. For
example, if you select all of the mechanisms but the user has just an email account, the only
options offered in the login prompt are the user-defined security question and email
confirmation code.
Cloud Manager user’s guide
110
Enabling forgotten password reset for Active Directory users
Set Allow password reset for Active Directory users to enable users with Active
Directory accounts who have forgotten their password to log in and reset their password. If
you do not set this policy, only users with Samsung SDS CellWe EMM user service accounts
have the “Forgot your password” link in their login prompt.
Notes:
• Active Directory users can also change their password from the user portal if the “Enable
  users to change their passwords” policy is set to Yes.
• To enable Active Directory users to reset a forgotten password (that is, reset their
  password before they have logged in), the account in which the cloud connector is running
  must have the Reset Password permission. Unless you changed the cloud connector
  account after you ran the cloud connector installation wizard, the cloud connector is run as
  a Local System account process. By default, a Local System account does not have the Reset
  Password permission.
You have two options if you want to enable password reset for Active Directory users who
have forgotten their password:
• Run the cloud connector under an account that has the Reset Password permission. If
  you select this option, see “Modifying cloud connector account permissions” on page
  218 to ensure that the account has the other permissions required.
  To use this option, select the Use cloud connector running on privileged
  account radio button.
• Use an account with the required permission to reset the password. For example, any
  account in the cloud connector’s Domain Admins group can reset another user’s Active
  Directory account password.
  To use this option, select the Use these credentials for password reset radio button
  and enter the account name and password.
Setting password reset policy parameters
The additional policy parameters let you manage the following password reset behaviors:
• Maximum forgotten password resets allowed within window
  Use the drop-down list to set a maximum for the number of times users can reset their
  password within the capture window. If users exceed this limit, the next time they
  attempt to reset the password, they get a message that they have reset their password too
  often and must wait before attempting again.
• Capture window for forgotten password resets
  Use the drop-down list to set the time period for maximum forgotten password resets.
  When users exceed the number of resets in this time period, they cannot reset the
  password again. This value also specifies how long from the last reset attempt the user
  must wait before they are allowed to reset the password.
• Password Expiration Notification
  Use the drop-down list to select the time frame for a notification message in the user
  portal informing users that their password will expire.
  Note: The service is provided to users with Active Directory accounts only.
• Escalated Password Expiration Notification
  Use the drop-down list to select the time frame for a change password dialog displayed
  after the user logs in. The user can dismiss this dialog.
  Note: The service is provided to users with Active Directory accounts only.
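The following Python script is an added example, not part of CellWe EMM, that models how the first two parameters above combine into a per-user reset limit. It assumes that successful resets are what count against the maximum and that, once the maximum is reached, the user is locked out for one full capture window measured from their most recent reset; the user names and timestamps are constructed.

```python
"""Forgotten-password reset limiter.

Added example (not CellWe EMM code) modelling the policy parameters
"Maximum forgotten password resets allowed within window" and "Capture
window for forgotten password resets". Assumptions: successful resets are what
count against the limit, and once the limit is reached the user is locked out
until a full capture window has passed since their most recent successful reset.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Deque, Dict, Optional


@dataclass
class ResetLimiter:
    max_resets: int            # "Maximum forgotten password resets allowed within window"
    capture_window: timedelta  # "Capture window for forgotten password resets"
    # per-user timestamps of successful resets still inside the capture window
    _resets: Dict[str, Deque[datetime]] = field(
        default_factory=lambda: defaultdict(deque))
    # per-user lock-out expiry, set once the limit has been reached
    _locked_until: Dict[str, datetime] = field(default_factory=dict)

    def try_reset(self, user: str, now: datetime) -> Optional[timedelta]:
        """Record a reset and return None if it is allowed; otherwise return
        how long the user must still wait (the "reset too often" message case)."""
        locked = self._locked_until.get(user)
        if locked is not None:
            if now < locked:
                return locked - now
            del self._locked_until[user]          # lock-out has expired
        history = self._resets[user]
        while history and now - history[0] >= self.capture_window:
            history.popleft()                     # drop resets outside the window
        if len(history) >= self.max_resets:
            # Limit reached: the user waits one full capture window measured
            # from the last successful reset (assumption stated above).
            anchor = history[-1] if history else now
            self._locked_until[user] = anchor + self.capture_window
            return self._locked_until[user] - now
        history.append(now)
        return None


def main() -> None:
    # Constructed sample: at most 3 resets per hour; times are minutes after 09:00.
    limiter = ResetLimiter(max_resets=3, capture_window=timedelta(hours=1))
    start = datetime(2015, 7, 1, 9, 0)
    for minute in (0, 10, 20, 30, 61, 80):
        wait = limiter.try_reset("alice", start + timedelta(minutes=minute))
        status = "allowed" if wait is None else f"denied, wait {wait}"
        print(f"t+{minute:>2} min: {status}")


if __name__ == "__main__":
    main()
```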
Password Settings - Setting password controls
You use the Password Settings for two purposes:
• To modify the default password policy for Samsung SDS CellWe EMM user service
  accounts—see “Modifying the default Samsung SDS CellWe EMM user service
  password policy” on page 112.
• To enable users with Samsung SDS CellWe EMM user service or Active Directory
  accounts to change their password from the user portal—see “Enabling users to change
  their password” on page 113.
Modifying the default Samsung SDS CellWe EMM user service
password policy
The default setting for each password property is shown in parentheses; for example, the
default minimum password length is 8 characters and the requirement for at least one digit is
Yes.
Notes:
• Maximum password age:
  If users do not reset their password before the Maximum password age period expires,
  they are automatically prompted to reset it the next time they log in. Users must have
  the “Enable users to change their passwords” policy set to Yes to reset their password.
  If you have multifactor authentication enabled, users are prompted to create a new
  password after they have fulfilled the multifactor authentication method.
  Enter 0 (zero) if you don’t want to set a password expiration period.
• Password history: Select 0 (zero) to let users reuse the same password.
To change the default password requirements for Samsung SDS CellWe EMM user service
accounts:
1 Open Admin Portal and click Policies, and select a policy set.
2 Under Policy Settings, expand Account Security Policies, and select Password
Settings.
3 Use the drop-down lists and text boxes to modify the default setting.
4 Click Save.
Enabling users to change their password
When you enable this policy, the Account page in the user portal displays an option that lets
users change their password. If you set this policy to No, the option is not displayed. This
policy applies to users with Samsung SDS CellWe EMM user service and Active Directory
accounts.
The default setting for this policy is Yes; that is, by default the Change Password option is
displayed on the Account page in the user portal.
Notes:
• If this policy is set to No and you use the Maximum password age policy to set an
  expiration date for the password, users will not be able to reset their password. Instead,
  an administrator will have to reset the password for them.
• This policy affects the display of the Change Password option on the user portal Account
  page only. Separately, you can set a policy that enables users to reset their password from
  the user portal login prompt (for example, if they have forgotten their password). See
  “Password Reset - Setting forgotten password reset policies” on page 109.
To prevent users from changing their password:
1 Open Admin Portal and click Policies, and select a policy set.
2 Under Policy Settings, expand Account Security Policies, and select Password
Settings.
3 Click the drop-down list for Enable users to change their passwords and select
No.
4 Click Save.
Application policies - Preventing users from adding applications
By default, users can add web applications from the Samsung SDS CellWe EMM App
Catalog to their user portal and devices. You use this policy to prevent them from adding
applications from the user portal and using Infinite Apps.
Applications that were added by the user before the policy was changed are blocked by the
user portal. The icons are still displayed on the Apps screen and on their devices, however,
an error message is displayed when the user tries to open the application.
If you assigned any web applications for optional installation (see “Configuring automatic
versus optional deployment” on page 41), the applications are listed when the user clicks
the Add Apps button on the user portal. However, no applications from the application
catalog are listed.
Managing device configuration policies
When you use the Samsung cloud service for mobile device management, the cloud service
provides mobile device configuration policies you can set by using either the Admin Portal
or, if you have a CellWe EMM license, the Active Directory Group Policy Management
Editor. See “List of device configuration policies” on page 227 for a full list of the mobile
device policies available for Android, iOS, and Samsung KNOX devices.
Users can see the policies enabled on their Android devices on the Setup tab in the Samsung
CellWe EMM client and on their iOS devices in the Settings application’s General/Profiles
screen.
This section contains the following topics:
• “Selecting the policy management tool” on page 114
• “Using Admin Portal to set device configuration policies” on page 115
• “Using the Group Policy Management Editor to set mobile device policies” on page 116
• “Reconciling policy settings in hierarchical policy sets and group policy objects” on page
  118
Selecting the policy management tool
You select which tool you are going to use to manage group policies—Admin Portal or the
Active Directory Group Policy Management Editor—by using the Admin Portal Device
Policy Management setting (see “Selecting the policy service for device policy management”
on page 201). You must select one method or the other.
Note: You can switch from one tool to the other.
How you set the policies depends upon which option you select for device policy
management (see “Selecting the policy service for device policy management” on page
201):
• If you select Samsung SDS CellWe EMM policy service: You set policies by
  creating and editing a policy set. Policy sets are managed from the Policies page in
  Admin Portal. Go to “Using Admin Portal to set device configuration policies” on page
  115 to continue with managing mobile policies with Admin Portal.
• If you select Active Directory group policy: You need to install the Samsung SDS
  CellWe EMM cloud connector and select the group policy console extension (see
  “Installing Samsung SDS CellWe EMM cloud connectors and administrator consoles” on
  page 208). Then go to “Using the Group Policy Management Editor to set mobile device
  policies” on page 116 to continue with setting the policies.
  Do not select Active Directory group policy if you do not have a Samsung CellWe EMM
  license.
Using Admin Portal to set device configuration policies
You use device configuration policies to configure the settings in Android devices and
profiles in iOS devices when the user enrolls the device. To set device configuration policies
when you use the Samsung SDS CellWe EMM policy service for device policy management,
you create a new policy set or modify an existing policy set and then apply the policy set to
a role (see “Creating a policy set and assigning it to a role” on page 92). The Samsung cloud
service then installs the policy set in the devices enrolled by the users belonging to the role.
You can mix different types of devices in the same policy set.
The Samsung cloud service installs the policies initially when the user enrolls the device.
The policies are updated when the push delay period expires (see “Selecting the policy
service for device policy management” on page 201 to set the period), or you can force an
update after you make a change with an Admin Portal command (see “Using the device
management commands” on page 74) to push the update immediately.
The cloud service also updates the devices automatically when you make changes. You can
set how long it waits after you finish editing the policy when you select the Samsung
SDS CellWe EMM policy service for Device Policy Management (see “Selecting the policy
service for device policy management” on page 201).
Click the drop-down list to enable or disable the policy. Click the information bubble for
the configuration options.
The drop-down menu provides the following options:
• -- (Not configured): Select to keep the default value.
  This is the default for all policies. The setting set by the device vendor remains in effect.
  Users can change this setting using the device’s Settings screen if your device policies
  allow them to modify settings.
  The default setting can vary from one vendor to another.
  Note: If the same policy is set in a policy set higher up on the Policies page, the setting
  from the higher policy set is applied. See “Reconciling policy settings in hierarchical
  policy sets and group policy objects” on page 118 for the details.
• Yes: Select to enable the feature or service.
  When you set the policy to “Yes,” it allows the user to use that feature or service. For
  example, if you set the “Permit camera use” policy in Common Mobile Settings to “Yes,”
  the user is allowed to take pictures with the device’s camera.
• No: Select to disable the feature or service.
  When you set the policy to “No,” the user is denied use of the feature or service. For
  example, if you set the “Permit camera use” policy to “No,” the user is not allowed to take
  pictures with the device’s camera.
Some policies require additional configuration after you enable them. For example, after
you enable a Wi-Fi policy, you have to specify the SSID, password, and other
communication properties. For these policies, Admin Portal displays an Add button and
lets you create one or more profiles for that policy. Admin Portal lists the profiles so you
can manage them.
Using the Group Policy Management Editor to set mobile device policies
You use device configuration policies to configure the settings in Android devices and
profiles in iOS devices when the user enrolls the device. To set device configuration policies
when you use Active Directory group policy for device policy management, you create a
new group policy object (GPO) or modify an existing one by using the Group Policy
Management Editor and then link the GPO to an Active Directory organizational unit.
You then specify the organizational unit in the Device Enrollment Settings (see “Device
Enrollment Settings - Enabling users to enroll devices” on page 96). You can specify different
policies for different roles by creating a separate GPO and linking it to a different
organizational unit for each role—see “Configuring group policy objects and organizational
units” on page 204.
Note: If you select Active Directory to set mobile device policies, the cloud service does not
install the group policy object settings in devices that are enrolled by users with Samsung SDS
CellWe EMM user service accounts. If you have some users with Active Directory accounts
and others with Samsung SDS CellWe EMM user service accounts, select the Samsung SDS
CellWe EMM policy service to define mobile device policies.
The Samsung cloud service installs the policies initially when the user enrolls the device.
After that, the cloud connector polls Active Directory for changes to the group policy
object on a periodic basis. If it finds a change, it updates the devices. You set the update
interval when you configure the Device Policy Management (see “Selecting the policy
service for device policy management” on page 201).
It can take up to 10 minutes after polling for the cloud connector to install the new profiles
on all affected devices. However, if you make a lot of policy changes (for example, more
than 20), the cloud connector might issue the profile updates in multiple batches rather than
all at once.
Alternatively, you can force an update after you make a change with an Admin Portal
command (see “Using the device management commands” on page 74) to push the update
immediately.
Enabling policies in the Windows Group Policy Management Editor
The Samsung cloud service mobile device policies are listed alongside the Windows group
policies in the Group Policy Management Editor. You can mix different types of devices (for
example, Android and iOS devices) in the same group policy object.
You open the group policy object for editing and then expand the Samsung SDS CellWe
EMM Cloud Management Settings categories to expose the individual policies.
Double-click the policy to enable and configure it. Click the Explain tab for the
configuration instructions.
By default all mobile device policies are set to “Policy not configured.” Alternatively, a
policy can be set to “Policy enabled” or “Policy disabled.” These settings are defined as
follows:
• Policy not configured: Select this to leave the device in its default setting.
  This is the default for all policies. The setting set by the device vendor remains in effect.
  Users can change this setting using the device’s Settings screen if your device policies
  allow them to modify settings.
  The default setting can vary from one vendor to another.
  Note: If the same policy is set in a parent group policy object or a group policy object
  linked to a parent domain, the policy set in the parent is applied. See “Reconciling policy
  settings in hierarchical policy sets and group policy objects” on page 118 for the details.
• Policy enabled: Select this to set the policy.
  “Policy enabled” has different options, depending upon the policy. For many policies, it
  means that you are “turning on” this feature and setting associated values or properties.
  For example, you enable passcode history so that the device saves the passcodes over time
  and then configure how many passcodes you want to save. Or, you enable a virtual
  private network (VPN) policy and specify the server and VPN type.
  For other policies, you enable the policy and set it to “True” or “False.”
  • True: This means that you are going to impose the policy and you are going to allow
    it. For example, you enable Bluetooth access policy to say “I am setting this policy” and
    then set it to “True” to allow the user to have Bluetooth access.
  • False: This means that you are going to impose this policy and you are not going to
    allow it. For example, you enable Bluetooth access policy to say “I am setting this
    policy” and then set it to “False” to stop the user from using Bluetooth.
• Policy disabled: Select this to defer setting this policy.
  When you set the policy to this state, the device reverts to its default setting, regardless
  of the settings set by the user or a parent group policy object. The default setting can be
  different for different device vendors.
To enable a mobile device policy setting in the Group Policy Management Editor:
1 Open the Windows Group Policy Management administrative tool.
2 Right-click the group policy object and select Edit to open the Group Policy
Management Editor.
Alternatively, you can create a new group policy object by right-clicking the domain and
selecting Create a GPO in this domain, and Link it here.
3 Expand Samsung SDS CellWe EMM Cloud Management Settings.
4 Double-click a group policy to open the Properties window.
Use the Policy tab to enable the policy. Click the Explain tab for an explanation of the
policy and its options.
5 Click Policy enabled.
6 Select the options you want and enter or select the required values.
7 Click OK or Apply to save the setting.
Reconciling policy settings in hierarchical policy sets and group policy objects
You can create hierarchical policy sets and group policy objects to apply different mobile
device policies to different sets of users. For example, if you are using the Samsung SDS
CellWe EMM policy service, you can create multiple policy sets and then arrange them
from bottom to top to set base and then role-specific policies (see “Using hierarchical policy
sets” on page 93), respectively. If you are using Active Directory, you can use the Default
Domain Policy and then create separate GPOs to link to different organizational units.
Using the Samsung SDS CellWe EMM policy service
If you are using the Samsung SDS CellWe EMM policy service, the policy options are “Yes,”
“No,” and “--” (not configured). If the policy is set to not configured, the device-default is
used.
When you set the same policy differently in multiple policy sets, the setting in the higher
policy set on the Policies page replaces the setting in a lower policy set. The following table
lists the policy setting from the lower policy set in the rows and the policy setting from the
upper policy set in the columns and the setting that results on the device in the individual
cell.

                        Upper policy set
Lower policy set        Yes     No      --
Yes                     Yes     No      Yes
No                      Yes     No      No
--                      Yes     No      --

Notice that the upper policy set supersedes the lower except when the upper is set to “not
configured.” In this case, the lower setting is applied.
Using Active Directory
If you are using Active Directory, the policy options are “Policy not configured,” “Policy
enabled,” and “Policy disabled.” Active Directory settings are different from the Samsung
SDS CellWe EMM policy service policy options because the “Policy enabled” setting is used
to both allow and deny use of the feature or service and “Policy disabled” means “revert to
the device default.”
The following table lists the policy setting from the parent GPO in the columns and the
policy setting from the child GPO in the rows and the applied setting in the individual cell.

                          Parent GPO setting
Child GPO setting         Policy enabled    Policy disabled   Policy not configured
Policy enabled            Policy enabled*   Policy enabled    Policy enabled
Policy disabled           Policy disabled   Policy disabled   Policy disabled
Policy not configured     Policy enabled    Policy disabled   Policy not configured
* The applied setting in this cell can be misleading. Although the policy is enabled in both
cases, if the parent GPO policy is set to “True” and the child GPO policy is set to “False,”
the setting applied is “False.” If you wanted to keep the setting set in the parent, you would
set the child to “Policy not configured.” (Setting to “Policy disabled” restores the default
setting.) This is the only cell in which the state can be misleading.
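The following Python script is an added example, not part of CellWe EMM or its documentation. It encodes the precedence rules of both tables in this section (the policy-set table and the GPO table, including the True/False footnote case) so you can check the effective setting a device will receive before pushing a change; the policy names and values in it are constructed samples.

```python
"""Effective-setting calculator for hierarchical policy sets and GPO chains.

Added example, not part of the CellWe EMM product: it encodes the two
precedence tables from this section. All policy names and values used in
main() are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Admin Portal policy-set options
YES, NO, NOT_CONFIGURED = "Yes", "No", "--"


def resolve_policy_sets(bottom_to_top: List[Dict[str, str]]) -> Dict[str, str]:
    """Merge policy sets in the order they appear on the Policies page, base
    set first. A higher set replaces a lower one, except that "--" (not
    configured) in the higher set leaves the lower setting in force."""
    effective: Dict[str, str] = {}
    for policy_set in bottom_to_top:
        for policy, value in policy_set.items():
            if value not in (YES, NO, NOT_CONFIGURED):
                raise ValueError(f"{policy}: unknown option {value!r}")
            effective.setdefault(policy, NOT_CONFIGURED)
            if value != NOT_CONFIGURED:
                effective[policy] = value
    return effective


# Group Policy Management Editor states
ENABLED, DISABLED, GPO_NOT_CONFIGURED = (
    "Policy enabled", "Policy disabled", "Policy not configured")


@dataclass(frozen=True)
class GpoSetting:
    state: str
    # True/False for "Policy enabled" policies that carry a value
    # (for example the Bluetooth access policy); None otherwise.
    value: Optional[bool] = None


def resolve_gpo_chain(parent_to_child: List[Dict[str, GpoSetting]]) -> Dict[str, GpoSetting]:
    """Merge GPOs from the parent domain down to the OU the devices belong to.
    "Policy enabled" or "Policy disabled" in a child overrides the parent
    (including the parent's True/False value); "Policy not configured" in a
    child keeps the parent's setting; "Policy disabled" means "revert to the
    device default" whatever the parent said."""
    effective: Dict[str, GpoSetting] = {}
    for gpo in parent_to_child:
        for policy, setting in gpo.items():
            if setting.state not in (ENABLED, DISABLED, GPO_NOT_CONFIGURED):
                raise ValueError(f"{policy}: unknown state {setting.state!r}")
            effective.setdefault(policy, GpoSetting(GPO_NOT_CONFIGURED))
            if setting.state != GPO_NOT_CONFIGURED:
                effective[policy] = setting
    return effective


def policy_set_table() -> Dict[str, Dict[str, str]]:
    """Rebuild the guide's policy-set table: table[lower][upper] -> applied."""
    options = (YES, NO, NOT_CONFIGURED)
    return {lower: {upper: resolve_policy_sets([{"p": lower}, {"p": upper}])["p"]
                    for upper in options}
            for lower in options}


def gpo_table() -> Dict[str, Dict[str, str]]:
    """Rebuild the guide's GPO table: table[child][parent] -> applied state."""
    states = (ENABLED, DISABLED, GPO_NOT_CONFIGURED)
    return {child: {parent: resolve_gpo_chain(
                        [{"p": GpoSetting(parent)}, {"p": GpoSetting(child)}])["p"].state
                    for parent in states}
            for child in states}


def main() -> None:
    # Constructed sample: a base set for everyone plus a role-specific set above it.
    base = {"Permit camera use": NO, "Encrypt internal onboard storage": YES}
    sales = {"Permit camera use": YES, "Encrypt internal onboard storage": NOT_CONFIGURED}
    print(resolve_policy_sets([base, sales]))
    # Constructed sample of the footnote case: parent allows Bluetooth, child forbids it.
    parent = {"Bluetooth access": GpoSetting(ENABLED, True)}
    child = {"Bluetooth access": GpoSetting(ENABLED, False)}
    print(resolve_gpo_chain([parent, child]))


if __name__ == "__main__":
    main()
```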
Mobile device configuration policies overview
The Samsung cloud service provides a comprehensive range of policies for managing the
security, features, and behavior of mobile devices.
This section contains the following topics:
• “Using the Common Mobile Settings” on page 121
• “Using iOS settings” on page 122
• “Using the Samsung KNOX Device Settings” on page 124
• “Using the Samsung KNOX Workspace Settings” on page 127
• “Using Touchdown settings” on page 131
• “Configuring Exchange profiles” on page 131
• “Configuring VPN profiles” on page 136
• “Configuring Wi-Fi profiles” on page 139
Notes:
• Although policies are listed in the Active Directory Group Policy Management Editor
  and Samsung CellWe EMM policy service, their availability is determined by the
  licenses you have purchased. See “Understanding licensing” on page 228 for the details.
• If you do not see the Samsung CellWe EMM Cloud Management Settings when you
  open the Group Policy Management Editor, you need to install the Group Policy
  Console Extension on your computer. See “Running the Samsung SDS CellWe EMM
  Cloud Management Suite installer” on page 214 for the instructions.
• Not all policies are supported in both the Group Policy Management Editor and the
  Samsung CellWe EMM policy service. The policy summaries in “List of device
  configuration policies” on page 227 indicate whether each policy is available in one or both
  tools.
Using the Common Mobile Settings
Common Mobile Settings contains mobile device policies and two branches—Passcode
Settings and Restrictions Settings—with additional policies. See “Common Mobile
Settings” on page 228 for the full list of policies.
Policies and branches    To do this

Common
  You can set the following policies:
  • Enable debug logging. Turns on the debug logging mode (the
    default is regular logging mode). When you set this policy, Enable
    Debug Logging in the device’s Setting page is set.
  • Encrypt internal onboard storage. Automatically encrypt the storage
    area on Android devices.
    Note: This policy is not supported on Samsung KNOX devices.

Restrictions Settings
  Set rules governing the use of device features—for example, you can
  control the following:
  • whether or not the user can use the camera
  • whether or not the user can wipe the device
  • whether or not the user can unenroll the device
  • whether or not the device reports the device location

Security Settings
  Set the rules for Samsung SDS CellWe EMM client passcode
  requirements on devices and device passcode requirements. Hover
  your mouse over the information icon associated with each setting for
  more detailed information.
  Require Samsung SDS CellWe EMM client passcode on device -- This
  setting must be set to “Yes” to configure the following rules
  relating to Samsung SDS CellWe EMM client passcode use:
  • Automatically locks the Samsung SDS CellWe EMM client on
    devices after the specified number of minutes. If you configure this
    option, users cannot configure the Inactive Timeout value on their
    devices.
  • Specifies the need for users to enter the passcode after the Samsung
    SDS CellWe EMM client has been closed. If you configure this
    option, users cannot configure the Lock on Exit switch on the
    device.
  Require passcode on device -- This setting must be set to “Yes” to
  configure the following rules governing passcode use:
  • Allows a passcode with simple values
  • Automatically locks the device after a specified number of minutes
  • Specifies the maximum number of failed attempts before the device
    is locked or wiped
  • Specifies a grace period (such as the amount of time before users need
    to re-enter the passcode)
  • Specifies the number of passcodes to store and compare against
    new passcodes
  • Specifies the number of days a passcode stays valid until users must
    reset it
  • Specifies the minimum number of complex characters required for
    the passcode
  • Specifies the minimum number of characters required for the
    passcode
  • Specifies the alphanumeric value requirement for the passcode

Wi-Fi Settings
  Configure Wi-Fi profiles for iOS devices and Android devices other
  than Samsung KNOX devices.
Using iOS settings
iOS Settings contains the policy you use to configure Exchange Sync communications on
the device and a set of restrictions settings. See “iOS Settings” on page 231 for the full list of
restriction settings.
In addition, you can configure the device to run in kiosk mode. In this mode, the device
runs a single application and lets you control the device’s operating features while that
application is running.

Policy and branches    To do this

Exchange Sync Settings
  Configure the Exchange Sync profile for the iOS devices. For
  example, define the Exchange Sync server name and an attribute
  variable for the user name.

Restrictions Settings
  Set rules governing the use of device features—for example,
  permitting or prohibiting Safari, YouTube, and Photo Stream use and
  setting requirements for encrypted backups and an iTunes Store
  password.

Kiosk Mode
  Put the device in single application mode and designate the home
  launcher.
  Use the “Enable kiosk mode” policy to allow just a single application
  to run on the device and specify the application that will be the home
  launcher. Then, you use the other policies in this category to manage
  the user interface while the application is running.
  After the application is installed, the device automatically opens to
  kiosk mode.
  You can specify the Samsung SDS CellWe EMM client by selecting
  “Use MDM client as kiosk mode application.” When you select the
  Samsung SDS CellWe EMM client, it behaves a little differently than
  when it’s launched from the home screen:
  • There is no Authentication tab.
  • All web applications open in the Samsung SDS CellWe EMM client
    built-in browser only.
  • In the Settings tab, the Show Authenticator, Default Browser, and
    Unenroll Mobile Device options are hidden.

Per app VPN settings
  Map a mobile application to a specific VPN connection.
  See “Configuring VPNs in iOS devices” on page 137 for more details.

Policies    To do this

Calendar settings
  Synchronize calendar data on iPad, iPhone, and iPod touch devices.

Contacts settings
  Synchronize contact data on iPad, iPhone, and iPod touch devices.

LDAP settings
  Configure contact information profiles for LDAP server
  communications for iOS devices (Active Directory Group Policy
  Management only).

Mail settings
  Configure account profiles for IMAP and POP mail servers for iOS
  devices.

Security and privacy settings
  Enable the device to send diagnostic and usage data to Apple.

VPN Settings
  Configure VPN profiles for iOS devices.
Using the Samsung KNOX Device Settings
You use the policies in this category to configure VPN, Wi-Fi, and Exchange Sync
communications and a wide variety of other controls for Samsung KNOX devices. These
policies are applied to the device when the user is outside the KNOX container only.
The Samsung KNOX Device policies have been introduced over time with each new version
of the Samsung KNOX device’s mobile device management (MDM) software. The MDM
version required for the policy is shown in each policy’s configuration instructions and in
the tables in “Samsung KNOX Device Settings” on page 236.
All of the policies in the Samsung KNOX Device Settings can be applied to Samsung KNOX
version 1 and version 2 devices.
Policies    To do this

Exchange Sync Settings
  Configure the Exchange Sync profiles for server communications and
  account synchronization for the email application running outside the
  KNOX container.
  Note: You define the Exchange ActiveSync profile for server
  communications and account synchronization for the email
  application running inside the container separately in the Samsung
  KNOX Workspace Settings.

VPN settings
  Configure VPN connection profiles for Samsung KNOX devices and
  applications running outside of the KNOX container.
  Note: You define the VPN profiles for the KNOX container and
  applications running inside the container separately in the Samsung
  KNOX Workspace Settings.

APN Settings
  Create Access Point Name profiles.
  You can create multiple access point profiles. All of the profiles are
  downloaded to the device; however, the only profile that appears in
  the configuration is the profile in which the MCC and MNC in the
  profile match the MCC and MNC in the SIM.

Wi-Fi Settings
  Configure Wi-Fi connection profiles for Samsung KNOX devices.
Policies
To do this
Kiosk mode
Set the device to single application mode
Use the “Enable kiosk mode” policy to allow just a single application
to run and specify the application. Then, you use the other kiosk
policies to permit multiple windows, navigation and status bar
visibility, and task manager access when the device is in kiosk mode.
After the application is installed, the device automatically opens to
kiosk mode.
You can use either the native Android home screen, a custom
application, or the Samsung SDS CellWe EMM client as the home
launcher when the device is turned on. When you select the Samsung
SDS CellWe EMM client, it behaves a little differently in kiosk mode:
• There is no Authentication tab.
• All web applications open in the Samsung SDS CellWe EMM client
built-in browser only.
• In the Settings tab, the Always Show Authenticator, Default
Browser, and Unenroll this device options are hidden.
When you select the Samsung SDS CellWe EMM client, the default is
to update the client software automatically whenever a new version is
available. The update is performed on the device at the time you
select. If you disable automatic updates, updating the client software
is the same procedure as changing the home launcher; see "Changing
home launchers" on page 126 for the details.
IMAP and POP Settings
Create IMAP or POP profiles for the native email application installed
in personal mode.
Policy branches
To do this
Application Management
Define a variety of application usage restrictions, including
applications the user can or cannot install, launch, or stop; application
permissions; and application whitelists and blacklists.
Bluetooth Settings
Configure a device’s Bluetooth interface
Device Inventory Settings
Enable or disable the device's logs (for example, call information, Wi-Fi network data bytes, and data network usage).
Firewall Settings
Configure URL filtering and iptable allow and deny rules.
Passcode Settings
Set the rules governing password use in Samsung KNOX devices—
for example, forbidden strings, password pattern enforcement, and
minimum number of changed characters in a new password. This
category also includes policies that manage other password-related
behaviors including password and screen-lock visibility and wiping
external storage in the event the user fails to enter the correct
password.
There are several passcode policies labelled as Advanced. In the
Group Policy Management Editor they are listed in a separate
category and in the Samsung SDS CellWe EMM policy service they
are called out in the bubble text. Changing the settings in these
policies will require all users affected by this policy to change their
password regardless of whether their current password meets the new
criteria.
Notes:
• The Samsung default requirements set in the device may be
stronger than the values you set in the mobile device policies. If you
set a value that is weaker, the stronger policy is enforced.
• You set the rules governing the container passcode in a separate
policy—see the Samsung KNOX Workspace Container Passcode
settings.
Restrictions Settings
Set rules governing the use of device features. There’s a long list of
policies available to enable or disable such features as varied as
Bluetooth access, Android and S Beam use, audio recording, and
home-key functionality.
Note: You enable or disable Wi-Fi and VPN using the policies in this
policy category. However, you define the Wi-Fi and VPN profiles in
separate nodes.
Roaming Settings
Enable or disable operation of the device in roaming mode.
Security Settings
Enable or disable enrollment with an MDM server, enable a SIM card
lock, and require or not require encryption of the external storage.
VPN Restrictions
Configure to allow only IPsec or SSL/TLS VPN connections.
Wi-Fi Restrictions
Configure a wide variety of Wi-Fi network access point properties and
user privileges.
Changing home launchers
When you change the home launcher settings for Samsung devices, the device will not
display the newly selected launcher until the device has been reset to use the default
TouchWiz launcher.
To change the home launcher:
1 On the Kiosk Mode page, select No in the Enable Kiosk Mode dropdown. This selection
will allow the device to prompt for selection of the default TouchWiz launcher.
2 Click Save and push the policy to the devices.
3 Ask the device user to select either of the two TouchWiz launcher options and tap Just
Once on the device.
4 On the Kiosk Mode page, select Yes in the Enable Kiosk Mode dropdown then select the
new launcher.
5 Click Save and push the policy to the devices.
The newly selected home launcher should now be available on the device.
Using the Samsung KNOX Workspace Settings
The Samsung KNOX Workspace Settings policies enable users to create a Samsung KNOX
enterprise container when they enroll their device and let you manage the policy settings
that apply when users are in the container. For example, you can configure separate
Exchange Sync, VPN, IMAP/POP email, firewall, and device restrictions settings for
Samsung KNOX containers.
The following tables summarize the policies in Samsung KNOX Workspace Settings. See
“List of device configuration policies” on page 227 for the full list.
See “Working with Samsung KNOX devices” on page 80 for procedures that show you how
to use a KNOX Workspace Settings policy to enable users to create a Samsung KNOX
container and add a mobile application to the Applications SSO whitelist.
Samsung KNOX Workspace policies
Policy
To do this
Configure applications that can sync with container
Synchronize data between the personal and KNOX mode instances of
the Contacts and S Planner (Calendar) applications.
Enable Common Criteria mode
Enable the following policies for Samsung Workspace devices only:
• Common Mobile Settings/Encrypt internal onboard storage
The user encrypts the internal onboard storage from the SETUP
REQUIRED screen in the Samsung SDS CellWe EMM client.
• Common Mobile Settings/Passcode Settings/Maximum number of
failed attempts
The number of failed attempts is set to the value you set in the
Enable Common Criteria mode policy for the Samsung devices
only.
• Samsung KNOX Device Settings/Security Settings/Encrypt
removable storage
The user encrypts the removable storage from the SETUP
REQUIRED screen in the Samsung SDS CellWe EMM client.
In addition, when you set Enable Common Criteria mode, the
Common Mobile Settings/Passcode Settings/Passcode History policy
is disabled.
The policy settings are implemented on the devices only; they are not
shown in the Admin Portal policy set or the Active Directory group
policy object. This allows you to have separate settings for these
policies for other types of devices.
Common Criteria mode puts the target device in an operational mode
that enforces the following security features and policies:
• The bootloader blocks KIES download mode, enforces an integrity
check of the kernel, and self-tests the crypto modules.
• The device verifies an additional RSA-PSS signature on
firmware-over-the-air (FOTA) updates and uses a FIPS 140-2
validated crypto module for EAP-TLS Wi-Fi connections.
This policy is only available on the following KNOX 2 devices:
Galaxy S4, Galaxy S5, Galaxy Note 3, Galaxy NotePro, Galaxy Note
10.1 and Galaxy Note 10.1 2014 Edition.
Enable Enterprise Billing
Enable separate bill generation for personal and enterprise data usage.
To enable enterprise billing, two different Access Point Names
(APNs) are configured on the KNOX device. Personal data is routed
via the default APN and enterprise data is routed via the dedicated
enterprise APN specified in the policy.
Note: This policy is only available for KNOX 2.1 devices.
Enable KNOX container
Enable the device to allow the user to create a Samsung KNOX
enterprise container after the device is enrolled.
See “Enabling the device to allow users to create an enterprise
container” on page 83 for more details.
Note: On some Samsung devices, users can also create a KNOX
personal container. You do not need to set a policy to allow them to
create the personal container.
Enable ODE Trusted Boot verification
Enable to consider the attestation state before decrypting the data
partition (ODE is Samsung's on-device encryption).
Attestation confirms that the boot loader, kernel, and system software
have not been tampered with. Attestation is performed when the user
boots the device and periodically thereafter. The current attestation
status is shown in the device details in Admin Portal.
Enable TIMA Key Store
Enable to use the TIMA key store to store symmetric keys, RSA key
pairs, and certificates. The TIMA key store is implemented as a key
store provider for the Java KeyStore class. When this policy is
enabled, keys are held in TrustZone-based secure storage and access
to them is controlled by the attestation state (attestation is described
under Enable ODE Trusted Boot verification above).
Require attestation verification
Enable to consider the attestation state before allowing the user to
create a KNOX container (attestation is described under Enable ODE
Trusted Boot verification above).
VPN Settings
Configure VPN profiles for Samsung KNOX Workspace devices.
Samsung KNOX Workspace Container categories and policies
Policies
To do this
Enable Google Play store
Allow users to install applications in a KNOX version 2 container
from Google Play.
Note: This policy does not apply to devices with KNOX version 1
containers.
Exchange Sync Settings
Configure the Exchange Sync profiles for server communications and
account synchronization for the email application running in the
Samsung KNOX container.
IMAP and POP Settings
Configure account profiles for IMAP and POP mail servers.
These settings only apply to the mail application running in the
Samsung KNOX container.
Per app VPN settings
Map a mobile application to a specific VPN connection for
applications installed in the container.
You can specify multiple VPN profiles and application pairs. You
configure the VPN profiles in the Samsung KNOX Workspace VPN
Settings policy.
Categories
To do this
Application Management
Define a variety of operating parameters for applications installed in
the container. For example, policies are provided that let you set the
following:
• Define which mobile applications are allowed to use the KNOX
container single sign-on service.
• Define which applications can be installed and added to the home
screen.
• Define which applications can synchronize data with applications
outside the container.
• Define which applications are disabled.
Note: If you are installing any applications that use the Samsung
KNOX SSO service you must add them to the Application SSO
whitelist policy in this category before users can open them. See
“Adding mobile applications that use SSO to the Application SSO
whitelist” on page 87 for the details.
Browser Settings
Control browser behavior, for example, enable or disable pop-up
windows, cookies, and JavaScript.
Container Account Settings
Create a whitelist and blacklist of user accounts to limit the types of
accounts users can create in the KNOX container.
Email Settings
Control email application behavior—for example, prohibit adding
new accounts and forwarding email through a personal account.
Firewall Settings
Configure URL filtering and iptable allow and deny rules.
Passcode Settings
Configure rules governing passcode properties (for example,
minimum length, character occurrence, number of complex
characters, and sequence length), usage (for example, number of
failed attempts, visibility, and history), and quality.
Notes
• The Minimum password length policy sets the minimum length for
the password and the PIN.
• The “Require two factor authentication” policy is only available for
devices that have a fingerprint reader and applies only to opening
the container. (It does not apply to opening the device.)
• There are several more passcode policies in the Advanced
category. Changing the settings in these policies will require all
users affected by this policy to change their password regardless of
whether their current password meets the new criteria.
Restriction Settings
Permit or prohibit use of container and device features, such as
moving files between the device and the container, screen capture, the
camera, and more.
Samsung KNOX Workspace Device policies
Policies
To do this
Enable Audit Log
Enable the device to keep an activities log.
You can fetch the audit log using an Admin Portal command.
Enable certificate validation before installation
Validate a certificate before it is installed in the device's certificate
store.
Enable revocation check for application SSL connections
Specify the applications for which the server certificate is checked for
revocation on SSL connections.
Per app VPN settings
Map a mobile application to a specific VPN connection for
applications installed in personal mode (outside the container).
You can specify multiple VPN profiles and application pairs. You
configure the VPN profiles in the Samsung KNOX Workspace VPN
Settings policy.
Trusted certificate authorities
Add a list of trusted CA certificates
Using Touchdown settings
You use the Touchdown Settings policy to define the Exchange Sync profile on Android
devices that use the Touchdown application for email.
Configuring Exchange profiles
You use the Exchange Sync Settings policy to configure Exchange account profiles that
are downloaded to devices by the cloud service. Each profile defines the security and
synchronization properties assigned to a specific Exchange Sync server. You must create
a separate profile for each Exchange server.
You configure the Exchange Sync server profile separately for each type of device. For
example, if your users have a mix of Android, iOS, and Samsung KNOX devices, you would
define profiles in the following branches:
• Touchdown Settings: Use this policy for Exchange Sync configuration on Android
devices that do not provide a configurable email client.
Note: The Touchdown policy is not supported on Samsung KNOX devices. Use the
Exchange Sync policies in the Samsung KNOX categories instead.
• iOS Settings: Use these policies for the iOS devices that use Exchange Sync servers.
Note: If you have a POP or IMAP server for your iOS email, do not use this policy. Use
the iOS Settings > Mail settings policy instead.
• Samsung KNOX Device Settings: Use the policy in this category to configure the email
application installed outside the Samsung KNOX container.
• Samsung KNOX Workspace Container Settings: Use the policy in this category to
configure the email application installed inside the KNOX container.
Note: You can have separate policies for the email application running outside and inside
the container on Samsung KNOX Workspace devices.
Note: Do not create multiple profiles for any one platform (for example, iOS or Android)
in the same group policy object or policy set unless each profile applies to a different
Exchange server.
Setting the user name
If you are using Active Directory or another LDAP server as your ID repository, you can use
an attribute variable to specify an account's user name. You can use any Active Directory/
LDAP attribute that contains the user's name, but the most useful ones are the following:
Active Directory/LDAP attribute    Enter this variable
userPrincipalName                  %{userPrincipalName}
samAccountName                     %{samAccountName}
For example, an Exchange profile for an iOS device can use the Active Directory/LDAP
userPrincipalName variable, %{userPrincipalName}, in the User Name field.
When a user enrolls a device, the cloud service contacts Active Directory/LDAP to resolve
the user name attribute value for that device.
When an authentication domain is specified in the profile, the cloud service builds the user
name with the authentication domain first, followed by a backslash and then the user name.
For example, the cloud service would resolve the following values to the user name
gmail.com\j.weeks:
• Active Directory/LDAP user: [email protected]
• Authentication Domain: gmail.com
• User Name attribute variable: %{samAccountName}
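The following PowerShell function is an added example and is not part of this guide or of the CellWe EMM product. It reproduces the resolution rule described above so that you can check, before you push a profile, which user name a given template produces for a user, and it fails instead of sending an unresolved variable to the device. The function name and the sample directory record are assumptions; the record stands in for the attributes that Get-ADUser returns, and the first sample call exercises the same domain\user rule as the gmail.com\j.weeks example.

```powershell
# Added example (not from the CellWe EMM guide): resolves %{attribute} variables
# against a directory record and applies the "AuthenticationDomain\user" rule.
# The function name and the sample record below are assumptions.

function Resolve-ProfileUserName {
    param(
        [Parameter(Mandatory)][string]    $Template,             # e.g. '%{samAccountName}'
        [Parameter(Mandatory)][hashtable] $Attributes,           # the user's directory attributes
        [string]                          $AuthenticationDomain  # as set in the profile; may be empty
    )

    # Resolve every %{name} token. Attribute names match case-insensitively, as in LDAP.
    $evaluator = {
        param($match)
        $name = $match.Groups[1].Value
        $key  = $Attributes.Keys | Where-Object { $_ -ieq $name } | Select-Object -First 1
        if (-not $key -or [string]::IsNullOrWhiteSpace($Attributes[$key])) {
            # Fail closed: an unresolved token would otherwise reach the device as a
            # literal and produce a user name that can never log on.
            throw "Attribute '$name' is missing or empty for this user."
        }
        [string]$Attributes[$key]
    }.GetNewClosure()
    $resolved = [regex]::Replace($Template, '%\{([^}]+)\}', $evaluator)

    if ($AuthenticationDomain) {
        # The cloud service builds DOMAIN\user when an authentication domain is set.
        return ('{0}\{1}' -f $AuthenticationDomain, $resolved)
    }
    $resolved
}

# Constructed sample record, standing in for what Get-ADUser returns.
$sampleUser = @{ userPrincipalName = 'j.weeks@corp.example'; sAMAccountName = 'j.weeks' }

Resolve-ProfileUserName -Template '%{samAccountName}'    -Attributes $sampleUser -AuthenticationDomain 'CORP'
Resolve-ProfileUserName -Template '%{userPrincipalName}' -Attributes $sampleUser

# Against a live directory (requires the ActiveDirectory module):
# $u = Get-ADUser -Identity j.weeks -Properties userPrincipalName, sAMAccountName
# Resolve-ProfileUserName -Template '%{userPrincipalName}' -Attributes @{
#     userPrincipalName = $u.UserPrincipalName; sAMAccountName = $u.SamAccountName }
```

Run it against a handful of representative accounts (service accounts and users without a UPN are the usual surprises) before you assign the profile to a large group.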
Using certificates
You can configure the profile so that the cloud service installs a certificate generated either
by the Samsung SDS CellWe EMM cloud CA or by the Active Directory Certificate Services
certification authority you designated (see "Selecting the policy service for device policy
management" on page 201). The certificate, regardless of the source, is automatically
generated and installed on the device when the user enrolls the device.
When you use a certificate for authentication, be sure to set the "Provide client certificate"
option in the profile.
If you are using the Samsung SDS CellWe EMM policy service for device management
policy, the Samsung SDS CellWe EMM cloud CA generates the certificates. If you are
using Active Directory group policy for device management policy, the Windows
certification authority server generates the certificates. You cannot mix the two; for
example, you cannot select the Samsung SDS CellWe EMM policy service for device
management policy and have the Windows certification authority server generate the
certificates.
Some configuration of your Windows servers is necessary with either source:
• If the cloud service uses the Samsung SDS CellWe EMM cloud CA to generate
certificates, you must modify the configuration of the Exchange server; see "Modifying
the IIS (Web) and Exchange server configuration for Samsung SDS CellWe EMM
cloud CA certificates" on page 133.
• If the cloud service uses the Windows certification authority to generate certificates, you
must create the computer and/or user certificate templates on the Windows certification
authority server first. See "Using Active Directory certificates in devices for
authentication" on page 222 for the details.
Modifying the IIS (Web) and Exchange server configuration for Samsung SDS
CellWe EMM cloud CA certificates
There are two phases to configuring the Exchange server to trust the Samsung SDS CellWe
EMM cloud CA:
• Adding the Samsung SDS CellWe EMM cloud CA certificate.
• Configuring IIS to support client certificate authentication.
The following procedures illustrate one way to perform these tasks. If you have procedures
you are more familiar with, you can use them instead.
To add the Samsung SDS CellWe EMM cloud CA certificate to the Exchange server:
1 Open Admin Portal, click Settings, and click Certificates.
Click Download and copy the certificate to a folder you can access from the Exchange
server.
2 Log on to the Exchange server with an administrator account that is a member of
Enterprise Admins (publishing to the NTAuth store requires forest-level rights) and enter
the following command at an elevated PowerShell or command prompt:
certutil -dspublish <cert name>.cer NTAuthCA
where <cert name> is the name of the certificate file you downloaded from Admin Portal.
This command publishes the certificate to the NTAuthCertificates object in the Active
Directory configuration container, which makes the cloud CA a trusted issuer of client
authentication certificates for the entire forest. Compare the thumbprint of the file with
the one shown in Admin Portal before you run it. To confirm, open ADSI Edit and expand
the Configuration container to CN=Public Key Services; the certificate should be listed
under CN=NTAuthCertificates.
3 Open the Certificate Import Wizard.
For example, double click the certificate’s file icon to open the Certificate Import Wizard
and click Install Certificate.
4 Select Local Machine and click Next.
5 Select Automatically select the certificate store based on the type of
certificate and click Next.
6 Click Finish.
7 Click OK to exit the wizard.
To configure the IIS connections to support client certificate authentication:
1 Open IIS Manager on the Exchange server and, in the Connections pane, click the
server node.
2 Open the Authentication icon.
3 Enable Active Directory Client Certificate Authentication.
4 Expand Default Web Site and click Microsoft-Server-ActiveSync.
5 Open the Authentication icon.
6 Disable all of the authentication methods.
7 Under IIS, open the SSL Settings.
8 Select Require SSL and, for Client certificates, select either Accept or Require. Require
is the stricter choice: a client that does not present a certificate is rejected during the
TLS handshake.
9 Open the Configuration Editor icon.
10 Expand system.webServer > security > authentication and enable
clientCertificateMappingAuthentication.
11 Expand Exchange Back End and select Microsoft-Server-ActiveSync.
12 Open the Authentication icon.
13 Enable Anonymous Authentication and Windows Authentication.
14 Open the SSL Settings.
15 Set Require SSL and for Client certificates select either Accept or Require.
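The following PowerShell script is an added example and is not part of this guide or of the CellWe EMM product; it performs the two procedures above from an elevated PowerShell session on the Exchange server, with a check that the file really is a CA certificate before it is given forest-wide trust. The certificate path and the helper function names are assumptions, and the site and virtual directory names are the defaults the procedures use.

```powershell
# Added example (not from the CellWe EMM guide): the two procedures as a script.
# Assumed: the cloud CA certificate downloaded from Admin Portal is at $CaCertPath,
# and the site/virtual-directory names are the defaults the guide uses. Run in an
# elevated PowerShell session as a local administrator who is also an Enterprise
# Admin (needed to write the NTAuth store).

$CaCertPath = 'C:\Certs\cellwe-cloud-ca.cer'     # assumed location of the download

# ---- Phase 1: trust the cloud CA ------------------------------------------
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCertPath

# Refuse to publish anything that is not a CA certificate: membership in NTAuth
# lets every certificate the CA issues be used for AD client authentication.
$bc = $ca.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "$CaCertPath is not a CA certificate; not publishing it to NTAuth."
}
# Compare this thumbprint with the one Admin Portal shows before continuing.
"Cloud CA: $($ca.Subject)`n  thumbprint $($ca.Thumbprint)`n  valid until $($ca.NotAfter)"

# Step 2 of the guide: publish to CN=NTAuthCertificates in the configuration container.
certutil -dspublish -f $CaCertPath NTAuthCA
if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed with exit code $LASTEXITCODE" }

# Steps 3-7 of the guide (Certificate Import Wizard) without the wizard.
Import-Certificate -FilePath $CaCertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Verify that both stores now contain the thumbprint.
certutil -enterprise -store NTAuth | Select-String -Pattern $ca.Thumbprint -SimpleMatch
Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $ca.Thumbprint

# ---- Phase 2: client-certificate authentication in IIS ---------------------
Import-Module WebAdministration
Install-WindowsFeature Web-Client-Auth | Out-Null   # the "Active Directory Client Certificate Authentication" module

$frontEnd = 'Default Web Site/Microsoft-Server-ActiveSync'
$backEnd  = 'Exchange Back End/Microsoft-Server-ActiveSync'

function Set-IisAuthMethod {
    # Enable or disable one authentication method at the server level (no -Location) or
    # for one site/virtual directory (written as a <location> tag in applicationHost.config).
    param([string]$Location, [Parameter(Mandatory)][string]$Method, [Parameter(Mandatory)][bool]$Enabled)
    $p = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Name = 'enabled'; Value = $Enabled
            Filter = "system.webServer/security/authentication/$Method" }
    if ($Location) { $p.Location = $Location }
    Set-WebConfigurationProperty @p
}

function Set-IisSslFlags {
    param([Parameter(Mandatory)][string]$Location, [Parameter(Mandatory)][string]$Flags)
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value $Flags
}

# Steps 1-3: server node.
Set-IisAuthMethod -Method clientCertificateMappingAuthentication -Enabled $true

# Steps 4-10: front-end ActiveSync directory. Only the mapped client certificate may
# authenticate; the guide's "Require" option (SslRequireCert) is used here so that a
# client with no certificate is rejected in the TLS handshake.
foreach ($m in 'anonymousAuthentication', 'basicAuthentication', 'windowsAuthentication') {
    Set-IisAuthMethod -Location $frontEnd -Method $m -Enabled $false
}
Set-IisAuthMethod -Location $frontEnd -Method clientCertificateMappingAuthentication -Enabled $true
Set-IisSslFlags   -Location $frontEnd -Flags 'Ssl,SslRequireCert'

# Steps 11-15: back-end ActiveSync directory ("Accept" = SslNegotiateCert).
Set-IisAuthMethod -Location $backEnd -Method anonymousAuthentication -Enabled $true
Set-IisAuthMethod -Location $backEnd -Method windowsAuthentication  -Enabled $true
Set-IisSslFlags   -Location $backEnd -Flags 'Ssl,SslNegotiateCert'

# Review the result, then restart IIS so the new settings are applied.
foreach ($loc in $frontEnd, $backEnd) {
    Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $loc `
        -Filter 'system.webServer/security/access' | Select-Object @{ n = 'Location'; e = { $loc } }, sslFlags
}
iisreset
```

If IIS Manager shows other authentication methods on the front-end directory (Digest, for example), disable those as well; the guide's step 6 is to leave nothing but the client certificate mapping enabled there.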
Configuring VPN profiles
You use the VPN Settings policy to configure profiles that are downloaded to devices by the
cloud service. Each profile defines a VPN connection name, the server name, the VPN type
(PPTP, IPsec, or SSL/third-party VPN), and other properties. PPTP authentication is known
to be breakable and should not be used for new deployments; prefer IPsec or SSL.
You configure VPN connection profiles separately for each type of device associated with
either the policy set (when you use the Samsung SDS CellWe EMM policy service for
device policy management) or the group policy object (when you use Active Directory group
policy for device policy management). For example, if your users have a mix of Samsung
KNOX devices and iOS devices, you would define profiles in the following categories:
• iOS Settings: Define profiles for the iOS devices.
You can configure a single VPN profile for all mobile applications or you can create
multiple profiles and map each one to different applications.
• Samsung KNOX Device Settings: Define profiles for the Samsung KNOX devices that
do not have a Workspace license.
• Samsung KNOX Workspace Settings: Define profiles for use inside and outside the
container on devices with a Workspace license.
The VPN profiles in Samsung KNOX Workspace devices are configured separately for
device and container use. See "Configuring VPN profiles for KNOX devices" on page
138.
Do not define multiple profiles for the same VPN server for the same device type.
Certificate-based authentication is available for VPN connections. When the profile
specifies certificate authentication, the cloud service calls either the Samsung SDS CellWe
EMM cloud CA or the Active Directory Certificate Services certification authority server
you designated in (see “Selecting the policy service for device policy management” on page
201) to create the certificate when the user enrolls the device and then automatically installs
it on the device.
“Configuring a VPN to use certificates for authentication” on page 136 has more details if
you plan to use certificates for authentication.
Configuring a VPN to use certificates for authentication
When you use certificates for authentication, the user or computer certificate is
automatically generated and installed when the user enrolls the device. If you are using the
Samsung SDS CellWe EMM policy service for device policy management, the cloud service
uses Samsung SDS CellWe EMM cloud CA to generate the certificate. If you are using
Active Directory group policy for device policy management, the cloud service uses the
Windows certification authority server you designated in the cloud connector to generate
the certificate.
If the cloud service uses the Windows certification authority server, you need to create the
user and computer certificate templates—see “Using Active Directory certificates in
devices for authentication” on page 222 for the details.
When you configure the policy in the Samsung SDS CellWe EMM policy service, you may
need to upload the certificate for the certification authority that issued the certificate for
the VPN concentrator. You don't need to upload the certification authority's certificate if
the VPN concentrator's certificate was issued by a well-known commercial certification
authority or is self-signed. However, if the VPN concentrator's certificate is neither, you
need to upload the certification authority's certificate to the cloud service. You upload this
certificate using the VPN Settings policy.
See your VPN concentrator or server vendor’s instructions for uploading the Samsung SDS
CellWe EMM cloud CA certificate. You create a Samsung SDS CellWe EMM cloud CA
certificate for uploading by clicking Download on the Device Policy Management page in
Admin Portal Settings (see “Selecting the Samsung SDS CellWe EMM policy service” on
page 202).
Configuring VPNs in iOS devices
You can define a VPN connection profile in the VPN Settings policy for use by all
applications or only for use by an individual application. If you set the profile for “only for
selected applications,” you assign the VPN profile to the application in the Per App VPN
settings policy.
Note: Some VPN clients do not support both options. For example, the Cisco client supports
only "VPN is only for selected applications."
When you set a VPN connection "only for selected applications," you can also configure it
to auto connect when the application is opened. There are two settings available:
• Auto connect when the application is launched: Set this option if you are
assigning the VPN to native iOS applications.
• Auto connect when visiting the below domains: Use this option to open the
connection automatically when the user opens a web application from Safari. Enter the
web application's domain name to automate opening the connection.
Note: To open the VPN connection automatically from the Samsung SDS CellWe EMM
client browser, map the following package name to the VPN connection in the Per App
VPN settings policy:
com.centrify.samsung.knoxemm
If you are using one profile for all applications, you can use certificates for authentication by
selecting Third Party VPN as the VPN type in the General tab and then in the Security tab
selecting Certificate for User Authentication. When you select Certificate, you need to
specify the file name for the VPN server certificate in the VPN CA Certificate field.
Configuring VPN profiles for KNOX devices
You create VPN profiles for Samsung KNOX devices in the Samsung KNOX Device
Settings, the Samsung KNOX Workspace Settings, or both, depending on whether the
devices have a Samsung KNOX Workspace license.
When you create the profile for a Samsung KNOX Workspace device, you may have the
option to designate it for one of two purposes, depending upon the VPN client you are
using on the device:
• VPN for all mobile applications: Mocana (IPsec), F5 (SSL), and Juniper (SSL) clients
• VPN is only for selected mobile applications: Mocana (IPsec), F5 (SSL), Juniper (SSL),
and Cisco (IPsec and SSL) clients
(These options are not available for VPN profiles in the Samsung KNOX Device Settings.)
If you select “VPN for all applications,” you create one VPN profile, and it is used by all of
the mobile applications installed in personal mode and inside the KNOX mode container.
If you select "VPN is only for selected applications," you can create multiple VPN profiles
and then use the "Per app VPN settings" policy in the Device Settings and Container
Settings to map a profile to specific mobile applications. The mappings in the Device
Settings category apply to the mobile applications installed in personal mode, and the
mappings in the Container Settings category apply to the mobile applications installed in
the KNOX mode container.
The “Per app VPN settings” policy Explain tab in the Group Policy Management Editor and
tooltip help in the Samsung SDS CellWe EMM policy service explain how to set a single
VPN profile for use by all applications or different VPN profiles for individual applications.
Notes
• When you use Active Directory group policy for device policy management, you can
specify certificate-based authentication for Samsung KNOX Workspace devices with
SSL-type VPNs using either the Juniper or F5 client. For IPsec-type VPNs, you can
specify certificate-based authentication using the Mocana client. (Certificate-based
authentication is not available for Active Directory users using the Cisco client.)
To use certificates, you must create a user and computer certificate template on the
Windows certification authority server first. See "Using Active Directory certificates in
devices for authentication" on page 222 for the details.
• Similarly, when you use the Samsung SDS CellWe EMM policy service for device policy
management, the Juniper and F5 SSL clients and the Mocana IPsec client support
certificate-based authentication. (Again, the Cisco clients do not support
certificate-based authentication.)
When you configure the policy in the Samsung SDS CellWe EMM policy service, you
need to specify the VPN server's certificate file in the profile to upload it to the cloud
service.
• There is a slight operational difference for devices with KNOX 1 versus KNOX 2
containers. From the policy configuration perspective, there is no difference; that is,
configuring the VPN and Per app VPN policies is the same regardless of the container
version.
However, users with KNOX 2 containers will have two VPN clients installed: one
outside the container and one inside the container. (The Samsung SDS CellWe EMM
client automatically installs both copies when you deploy the VPN client software from
Admin Portal.) In addition, if users are required to enter their password to open the
VPN, they will have to provide their password for both clients. On KNOX 1 devices, just
one VPN client is installed.
• When you configure the VPN profile for the Juniper client, you must specify the
authentication realm and User role fields. However, you can leave the User name field
blank. Users can fill in this field in the Samsung SDS CellWe EMM client when they
configure the VPN settings.
• If you are using the Mocana VPN client, you must use a version later than 2.3.6.
Configuring Wi-Fi profiles
You use the Wi-Fi Settings policy to configure profiles that define the security type (for
example WPA or WEP), accepted EAP types, and other properties for a Wi-Fi service set
identifier (SSID).
You configure Wi-Fi profiles for iOS and Android separately from Samsung KNOX devices:
• Use the Common Mobile Settings for the iOS and Android devices.
• Use Samsung KNOX Device Settings for all Samsung KNOX devices.
The Samsung KNOX Device Settings provide additional policies in the Wi-Fi
Restrictions category. You use them to control the user's ability to modify the Wi-Fi
connections in the Samsung device's Settings application. However, these go into effect only
for the profiles you define in Samsung KNOX Device Wi-Fi settings.
You can define separate Wi-Fi profiles for the same SSID in the Common Mobile Settings
and Samsung KNOX Device Settings.
Certificate-based authentication is available for establishing a Wi-Fi connection. If you are
using the Samsung SDS CellWe EMM policy service for device policy management, you use
Admin Portal to create a policy set with the Wi-Fi profiles. In this case, the certificates are
automatically issued by the Samsung SDS CellWe EMM cloud CA and installed by the cloud
service when the user enrolls the device. To use certificates, you must select either WEP
Enterprise or WPA/WPA2 Enterprise as the Security type on the General tab and TLS as
the EAP type. WEP encryption is broken and gives the traffic no real protection; choose
WPA/WPA2 Enterprise unless a legacy network supports nothing else.
Chapter 7 • Managing policies
139

When you configure the policy in the Samsung SDS CellWe EMM policy service, you may
need to upload the certificate for the certification authority that issued the certificate for
the Wi-Fi access point. You don’t need to upload the certification authority’s certificate if
the access point’s certificate was issued by a well-known, commercial certification
authority or is self-signed. However, if the access point’s certificate is neither, you need to
upload the certification authority’s certificate to the cloud service. You upload this
certificate using the Wi-Fi Settings policy.
See your Wi-Fi access point vendor’s instructions for uploading the Samsung SDS CellWe
EMM cloud CA certificate. You create a Samsung SDS CellWe EMM cloud CA certificate
for uploading by clicking Download on the Device Policy Management page in Admin
Portal Settings (see “Selecting the Samsung SDS CellWe EMM policy service” on page 202).
If you are using Active Directory group policy for device policy management, you use the
Active Directory Group Policy Management Editor to create the Wi-Fi profiles. In this
case, the certificates are automatically issued and renewed by the Active Directory
Certificate Services certificate server you designate (see “Selecting the policy service for
device policy management” on page 201) and installed by the cloud service when the user
enrolls the device. You must create user and computer templates for the certificates on the
Windows Certificate Authority server. See “Using Active Directory certificates in devices
for authentication” on page 222 for the details.
Cloud Manager user’s guide
140
Chapter 8
Managing roles
The Roles page lists the default cloud service roles plus the roles you have added. You can
use the column headers to sort the roles by name, type, description, and status.
Your role must have the Role Management administrative right to view, add, and
modify roles. See “Creating cloud service administrators” on page 146 for the details.
Note
Admin Portal roles are sets of user accounts. A role can also contain other user service roles
and, if you are also using Active Directory/LDAP as an ID repository, Active Directory/
LDAP user accounts and groups. Users can be members of multiple roles.
You use roles to assign applications, permissions, and policies to separate sets of users. This
chapter contains the following topics:
• “Using roles” on page 141
• “Predefined roles” on page 142
• “Creating a role” on page 143
• “Adding and removing users and groups to and from roles” on page 144
• “Assigning applications to and removing them from roles” on page 145
• “Creating cloud service administrators” on page 146
• “Managing Samsung Marketplace roles” on page 149
• “Deleting roles” on page 151
Using roles
You create roles to assign applications, administrative rights, and policies to separate sets of
users.
• Assigning applications: User access to the mobile and web applications you add
from the Apps page in Admin Portal is controlled by the roles. See “Assigning
applications to and removing them from roles” on page 145 for the details.
The user’s user portal displays just the web applications assigned to that user’s role or
roles. If you are using the Samsung cloud service for mobile device management, the
Samsung SDS CellWe EMM client lists just the web applications assigned to the user’s
roles.
You select the roles when you add the application. You can also add applications that are
already listed on the Apps page in Admin Portal from the role details page.
• Assigning administrative rights for cloud service administrators: The cloud
service provides a set of administrative rights (also referred to as “permissions”) that let
you control what cloud service administrators can do in Admin Portal. See “Creating
cloud service administrators” on page 146 for a description of the rights and how to
assign them.
Note
In version 14.9 and earlier, you used the Enroll Devices permission to enable users
to enroll devices. In later versions of the cloud service this is replaced by the Device
Enrollment Settings. See “Device Enrollment Settings - Enabling users to enroll devices”
on page 96 to update your environment.
• Assigning policies: You can assign device, security, and application policies to a role. In
addition, if you are using the Samsung SDS CellWe EMM policy service for mobile
device management, you can assign mobile device policy sets to roles. See “Managing
policies” on page 91 for a description of the policies.

Predefined roles
The Samsung cloud service provides the following predefined roles:
• Everybody: By default, all Samsung cloud service users are assigned to this role. For
example, all users that are added to the Samsung SDS CellWe EMM user service by
using bulk import are added to Everybody. Similarly, if you are using Active
Directory/LDAP as your directory service, users are automatically added to Everybody
when they log in to the Samsung SDS CellWe EMM user portal the first time or enroll a
device. When you add an individual user, the default setting is to add the account to the
Everybody role.
It is best practice to assign most users to the Everybody role. For example, the Samsung
SDS CellWe EMM User Portal application is automatically assigned to members so that
they can log in to the user portal. However, there are users you may not want to have in
the Everybody role; for example, temporary users such as service contractors. Users that
are not assigned to the Everybody role cannot log in to the user portal until they are
members of a role to which you have explicitly deployed the Samsung SDS CellWe EMM
User Portal application. (See “Deploying the Samsung SDS CellWe EMM User Portal
application” on page 36 for more information.)
• Invited Users: This role is created when you use the Invite Users button and select
Invited Users as the Role. The Samsung SDS CellWe EMM User Portal application is
automatically assigned to this role.
Note
If you do not use the Invite Users button or select the Invited Users role when you
invite a user, this role is not created.
• sysadmin: This role grants full access to all Admin Portal settings. By default, the
Samsung SDS CellWe EMM user service account for the user who signed up for the
Samsung cloud service is a sysadmin role member. You cannot delete or rename the
sysadmin role.
Only sysadmin role members can add more users to the sysadmin role.
Creating a role
To create a role, you open the Roles page in Admin Portal and click Add Role. Only members
of the sysadmin role or members of a role with the Role Management permission can create a
role.
Creating a role is a three-part process:
• First, you create the role and enter a description (see “To create a role:” on page 143).
• Second, you select the role and click the tabs to add the members—see “Adding and
removing users and groups to and from roles” on page 144.
• Third, you assign applications to the role—see “Assigning applications to and removing
them from roles” on page 145.
Note
If you are creating a cloud service administrator role, there’s a fourth step: adding
administrative rights (permissions)—see “Creating cloud service administrators” on page
146.
The following procedure creates a role—the first part of the process. The new role is added
to the Roles page. It has no members, no administrative rights, and no assigned
applications.
Subsequent sections describe how you add users, define administrative rights, and assign
applications.
To create a role:
1 In Admin Portal, click Roles.
2 Click Add Role.
Admin Portal displays the Add Role dialog box.
3 Enter the role name and a description and click OK.
The role name can contain letters and numbers. You cannot use special characters or
spaces. Be sure to give the role an appropriate and somewhat user-friendly name because
the roles you create are displayed as application tags in the user portal.
Note
You cannot rename roles.
4 Click Save.
Adding and removing users and groups to and from roles
You open the role and click the Members tab to add and remove Samsung SDS CellWe
EMM user service accounts and roles to and from a role. If you are also using Active
Directory/LDAP for user authentication, you can add Active Directory/LDAP user
accounts and groups to a role.
The cloud service assigns applications and applies the administrative rights selected to all
role members. For example, if you add an Active Directory/LDAP group to a role, the
applications assigned to that role are now available to members of that group. Similarly,
when you remove a user from a role, the cloud service deletes all the web applications
assigned to that role from the user portal and enrolled devices.
When you use the Samsung SDS CellWe EMM policy service to manage mobile device
policies, the cloud service installs the policy sets based on the user’s roles.
You can add a Samsung SDS CellWe EMM user service role to a role. This is referred to as
“nesting a role.” When you add a role to a role, the nested role members get all of the
applications and rights assigned in the parent role. However, the applications and rights
inherited from the parent are not displayed when you select the nested role. Only the nested
role members have use of the rights and applications assigned to the nested role—the
parent role members do not.
When you change a user’s role, it changes the applications assigned to the user. The changes
appear the next time the user logs in to the user portal or their device. If the user is logged
in the changes do not appear immediately. Users can refresh their user portal or device
Apps display to update the applications. You can push the changes to the users for
immediate update by selecting the role members on the Users page and sending the Reload
command.
Any changes in the administrative rights when you add or remove users from a role are
effective the next time the user logs in to Admin Portal. Alternatively, you can use the
Reload command (right-click the user account on the Users page in Admin Portal) to
push the most recent permissions to the user.
To add users or groups to a role:
1 In Admin Portal, click Roles.
2 Click the desired role.
3 Click Members.
4 Click Add.
The Add Members dialog box appears.
5 Enter the beginning part of the user’s login name, Active Directory/LDAP group name,
or Samsung cloud service role and press Enter.
When you stop, the pane is automatically updated with all matching user service accounts
and roles and, if you are using Active Directory/LDAP as an identity store, all of the
matching user accounts and groups in the Users container in all of the domains the cloud
connector can “see” in the tree or forest. (See “Supporting user authentication for
multiple domains” on page 211 for more information on which domains can be “seen.”)
6 To add an account, group, or role to the role, click the check box and click Add.
Click Add again and repeat the previous steps to add more accounts.
7 After you finish adding users and groups, click Save.
To remove a role member:
1 In Admin Portal, click Roles.
2 Click the role.
3 Click Members.
4 Click the check box for each member you want to remove.
The Add button is replaced by an Actions button.
5 From the Actions drop-down menu, click Delete.
6 Click Save.
Assigning applications to and removing them from roles
The role’s details page displays the applications assigned to it. You can use either this
window or the User Access window in the application’s configuration page (see “Removing
an application” on page 46) to assign an application to a role.
Role members who are logged in to the user portal see the changes within seconds. On the
role members’ devices, the change appears the next time they open the Samsung SDS
CellWe EMM client. Alternatively, they can refresh the Apps screen to see the changes
immediately.
To add applications to a role on the Roles page:
1 In Admin Portal, click Roles.
2 Click the role.
3 Click Assigned Applications.
4 Click the Add button.
The Add Applications pop up window contains all of the applications listed on the Apps
page, including the applications that have already been assigned to the role.
To search for an application, enter the first few characters in the name. When you stop,
the pane contains all applications that match the string.
5 To add an application, click the check box.
You can select multiple applications. Click Add.
To add more applications, click the Add button again, enter the search string, and click
Add again.
6 Click Save.
To remove applications assigned to a role on the Roles page:
1 In Admin Portal, click Roles.
2 Click the role.
3 Click Assigned Applications.
4 Click the check box for the applications you want to remove.
The Add button is replaced by an Actions button.
5 From the Actions drop-down menu, click Delete.
6 Click Save.
Creating cloud service administrators
You use roles to create cloud service administrators. Only users in the sysadmin role and
users in roles with administrative rights other than Enroll Devices can open the Admin
Portal.
To create a cloud service administrator, you create a role, assign one or more Admin Portal
administrative rights, and then add users to the role. The administrative rights let you
define roles with separate application, user, device, report, and role management
permissions.
For example, you can create a role that limits the administrator to managing applications
and the application-to-role assignments only. In this role, the administrators can perform
all the functions on the Apps page and see the contents of the Users and Roles pages.
However, they get an error message when they try to make a change on the Users and Roles
pages. In addition, the Devices page for these administrators is blank.
Similarly, you can create administrative roles with just device, user, and report management
permissions.
System administrator role permissions
The sysadmin role members have access to all Admin Portal tabs and the Samsung SDS
CellWe EMM cloud connector configuration program settings and are the only
administrators who can perform the following tasks:
• Add users to or remove them from the sysadmin role.
• Modify the Account Customization tab on the Settings page in Admin Portal.
• Modify cloud connector settings in the Cloud Connectors tab on the Settings page in
Admin Portal.
These rights cannot be assigned to other roles.
Admin Portal administrative rights
The following table describes the administrative rights (also referred to as permissions) you
can assign to a role. Users cannot log in to Admin Portal unless they have at least one of the
following administrative rights.
If an administrator attempts to perform a task in Admin Portal for which they do not have
the associated administrative right, Admin Portal displays an error message. In addition,
Admin Portal does not display data if it’s not pertinent to the administrator’s privileges. For
example, if the administrator has the Application Management privilege only, Admin Portal
does not display any devices on the Devices page.
Administrative right: Associated permissions

Application Management
  Access to any activities that originate on the Apps page, such as the
  ability to add, modify, or remove applications. From the Application
  Settings dialog box, this right also grants the ability to change which
  roles are assigned to a specific application.

User Management
  Permission to use the Add User and Bulk User Import buttons to add
  users and modify Samsung SDS CellWe EMM user service user
  properties.

Enroll Devices (Deprecated. Use policy)
  This permission has been deprecated. Do not use it.
  To enable users to enroll devices you use the Device Enrollment
  Settings—see “Device Enrollment Settings - Enabling users to enroll
  devices” on page 96.

Device Management (Limited)
  Use of all the commands that originate from the Devices page except
  the following:
  All devices:
  • Wipe Device
  • Unenroll Device
  Samsung devices only:
  • Device Lockout
  • Remove Container
  The purpose of this permission is to provide limited device
  management rights to, for example, helpdesk staff. This allows users
  with this permission to help users but prevents them from performing
  any destructive actions to a device or a container.

Device Management (All)
  Use of all the commands that originate from the Devices page, such as
  the ability to update policies, lock, reset the passcode, wipe, unenroll,
  delete, or view device details.
  Note: The user must have the Device Management permission to run
  the APNS Certificate, Mass Deployment, and Exchange ActiveSync
  Server Settings options on the Settings page in Admin Portal.

Read Only System Administrator
  Access to all of the Admin Portal tabs; however, the user cannot make
  any changes. An error message is displayed when the user attempts to
  save a change.

Register cloud connectors
  Register a Samsung SDS CellWe EMM cloud connector in your cloud
  service account.
  During the cloud connector installation, the wizard prompts you to
  enter the account of a user that has the Register cloud connectors
  right. This must be a Samsung SDS CellWe EMM user service
  account. Make sure the account you specify is a member of a role with
  this permission.
  If this is the only permission for a role, members can open Admin
  Portal; however, the pages for all of the tabs except for Settings are
  blank.

Purchase Management
  Use KNOX Marketplace to purchase applications and assign them to
  users.

Report Management
  Create, delete, and run reports.

Role Management
  Access to any activities that originate on the Roles page, such as the
  ability to add, modify, or delete roles; this includes the ability to
  assign rights.
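The rules in this chapter (Everybody as the default role, one-way inheritance through nested roles, AD/LDAP groups as role members, the deprecated Enroll Devices right, and the split between Device Management (Limited) and Device Management (All) in the table above) combine in ways that are easy to misjudge when you audit who can wipe a device. The following Python model is an added example, not CellWe EMM code: it builds a constructed directory of roles (every role, user, group and application name in it, including the UserPortal application name, is an assumption) and resolves each user's effective applications and rights the way this chapter describes. The security-relevant point is the nesting asymmetry: adding a helpdesk role as a member of an admin role gives every helpdesk member, including users who are only in an AD/LDAP group within that role, the parent role's destructive rights.

```python
"""Added example, not CellWe EMM code: resolves each user's effective applications and
administrative rights under the role rules in this chapter. All names are constructed."""
import re
from dataclasses import dataclass, field

SYSADMIN = "sysadmin"            # predefined: every right, cannot be deleted or renamed
EVERYBODY = "Everybody"          # predefined: default role for all users
USER_PORTAL_APP = "UserPortal"   # assumed name of the User Portal application
ALL_RIGHTS = {                   # the "Admin Portal administrative rights" table
    "Application Management", "User Management", "Device Management (Limited)",
    "Device Management (All)", "Read Only System Administrator",
    "Register cloud connectors", "Purchase Management", "Report Management",
    "Role Management",
}
DEPRECATED_RIGHTS = {"Enroll Devices"}          # does not open Admin Portal
DESTRUCTIVE_RIGHT = "Device Management (All)"   # wipe, unenroll, remove container
ROLE_NAME_RE = re.compile(r"^[A-Za-z0-9]+$")    # letters and numbers only


def valid_role_name(name):
    """Role names cannot contain spaces or special characters."""
    return bool(ROLE_NAME_RE.match(name))


@dataclass
class Role:
    name: str
    members: set = field(default_factory=set)       # user logins and AD/LDAP group names
    nested_roles: set = field(default_factory=set)  # roles added as members of this role
    apps: set = field(default_factory=set)
    rights: set = field(default_factory=set)


class RoleDirectory:
    def __init__(self):
        self.roles = {}
        self.groups = {}  # AD/LDAP group name -> set of user logins

    def add_role(self, role):
        if not valid_role_name(role.name):
            raise ValueError("invalid role name: %r" % role.name)
        self.roles[role.name] = role

    def _direct_users(self, role):
        """Members of a role, with AD/LDAP groups expanded to their users."""
        return set().union(*(self.groups.get(m, {m}) for m in role.members))

    def effective_roles(self, user):
        """Roles the user belongs to plus, transitively, every role that nests one of
        them. Nesting is one-way: nested-role members inherit the parent's apps and
        rights; parent members get nothing from the nested role."""
        result = set()
        frontier = [r.name for r in self.roles.values() if user in self._direct_users(r)]
        while frontier:
            name = frontier.pop()
            if name not in result:
                result.add(name)
                frontier.extend(p.name for p in self.roles.values() if name in p.nested_roles)
        return result

    def effective_rights(self, user):
        names = self.effective_roles(user)
        if SYSADMIN in names:
            return set(ALL_RIGHTS)
        return set().union(*(self.roles[n].rights for n in names))

    def effective_apps(self, user):
        return set().union(*(self.roles[n].apps for n in self.effective_roles(user)))

    def can_open_admin_portal(self, user):
        """sysadmin membership, or at least one non-deprecated administrative right."""
        return (SYSADMIN in self.effective_roles(user)
                or bool(self.effective_rights(user) - DEPRECATED_RIGHTS))

    def can_open_user_portal(self, user):
        """Needs a role that carries the User Portal application (Everybody by default)."""
        return USER_PORTAL_APP in self.effective_apps(user)

    def all_users(self):
        return set().union(*(self._direct_users(r) for r in self.roles.values()))

    def users_with_destructive_device_rights(self):
        """Audit: who can wipe, unenroll or remove a container, by any membership path."""
        return {u for u in self.all_users() if DESTRUCTIVE_RIGHT in self.effective_rights(u)}


def build_sample_directory():
    """Constructed sample (assumed names); nesting helpdesk into mobileadmins is the trap."""
    d = RoleDirectory()
    d.groups["HelpdeskStaff"] = {"dave"}
    d.add_role(Role(EVERYBODY, members={"alice", "bob", "carol", "dave", "frank"},
                    apps={USER_PORTAL_APP}))
    d.add_role(Role(SYSADMIN, members={"alice"}))
    d.add_role(Role("helpdesk", members={"bob", "HelpdeskStaff"},
                    rights={"Device Management (Limited)"}, apps={"TicketTool"}))
    d.add_role(Role("mobileadmins", members={"carol"}, nested_roles={"helpdesk"},
                    rights={DESTRUCTIVE_RIGHT}, apps={"MDMConsole"}))
    d.add_role(Role("contractors", members={"eve"}))   # deliberately kept out of Everybody
    d.add_role(Role("legacyenroll", members={"frank"}, rights={"Enroll Devices"}))
    return d
```

Calling build_sample_directory() and then users_with_destructive_device_rights() shows that alice (sysadmin), carol (direct member of mobileadmins) and both bob and dave (through the nested helpdesk role, dave only via the HelpdeskStaff group) can wipe devices, although only carol was ever added to mobileadmins, while carol gets neither the TicketTool application nor the Limited right from the nested role. The same model shows why frank, whose only right is the deprecated Enroll Devices, cannot open Admin Portal, and why eve, kept out of Everybody, cannot open the user portal until a role she belongs to carries the User Portal application.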
To add administrative rights to a role:
1 In Admin Portal, click Roles.
2 Click the role.
3 Click Administrative Rights.
4 Click Add.
5 In the Add Rights window, click the check box for each right you want to add and click
Add.
6 Click Save.
To remove administrative rights from a role:
1 In Admin Portal, click Roles.
2 Click the role.
3 Click Administrative Rights.
4 Click the check box for the administrative rights you want to remove.
The Add button is replaced by an Actions button.
5 From the Actions drop-down menu, click Delete.
6 Click Save.
Updating a user’s rights
If a user is affected by a change to a role’s administrative rights, the change does not
take effect until the user logs in again. If the user is logged in when you make the change,
the pre-existing rights persist until the next login, including any right you removed.
Use the following procedure to update the user’s rights immediately.
To update a user’s administrative rights immediately:
1 In Admin Portal, click Users.
2 Select all of the affected users.
3 In the pop up window, click Reload.
Managing Samsung Marketplace roles
Samsung KNOX Marketplace is a web portal that allows organizations to purchase KNOX
licenses and cloud-based business applications. KNOX Marketplace is integrated with
CellWe EMM and the Admin Portal. You log in to Marketplace with your Samsung cloud
service credentials and can do so without entering a password if you are already logged into
CellWe EMM.
When you purchase a Marketplace application, you buy the number of licenses that you
need and identify the users who will have access to the application. You can manage access
to Marketplace applications in KNOX Marketplace only — not in the Admin Portal.
However, an application that you purchase is automatically added to the Admin Portal Apps
page and to the Apps page in the User Portal for every user who has access to the
application. In addition, a Marketplace role is created for the application and added to the
roles page. A Marketplace role is in the form: knoxmarketplace_appName. For example, if
you purchased the Box application from KNOX Marketplace, the following role would
appear on the Roles page:
knoxmarketplace_box
Note the following similarities and differences between a Marketplace role and a standard
CellWe EMM role:
• You can assign a number of administrative rights to the members of the role, if you wish,
though you do not need to do so. This is the same for each type of role.
• A Marketplace role applies to a single Marketplace application. You can assign additional
App store applications to the role, but not another Marketplace application.
• You cannot add members to the role from Admin Portal. If you want additional users to
have access to a Marketplace application, you must assign them in KNOX Marketplace.
The following procedure shows how to modify a Marketplace role that was created when
you purchased a KNOX Marketplace application. This procedure highlights the difference
between KNOX Marketplace roles and standard CellWe EMM roles.
To modify a KNOX Marketplace role:
1 In Admin Portal, click the Roles page.
2 Double-click the role to modify, for example:
knoxmarketplace_box
The details page for the role opens. Note that you cannot add members — there is no
Edit button for Members. If you want to add user access to an application, you must do
so in KNOX Marketplace.
3 To add rights, click Edit under Administrative Rights.
The Edit Permission window opens.
4 Click a right in the Available column (use Ctrl and Shift to multi-select) and click the
right arrow to move it to Selected.
5 Click OK.
6 To assign an application, click Edit under Assigned Applications.
The Edit Applications window opens.
7 Click an application in the Available column (use Ctrl and Shift to multi-select) and
click the right arrow to move it to Selected.
Note
You cannot add another KNOX Marketplace application to a Marketplace role, so
the only available applications are web applications that you have added from the
Samsung App Catalog.
8 Click OK.
9 Click Save.
Deleting roles
You can delete any role you created. You cannot delete the sysadmin and Everybody roles.
When you delete a role, the applications assigned to the role members are deleted from the
Apps page in the Samsung SDS CellWe EMM user portal and from their devices.
To delete Samsung cloud service roles:
1 In Admin Portal, click Roles.
2 Select one or more roles.
The Add Role button is replaced by an Actions button.
3 From the Actions drop-down menu, click Delete.
4 Click Yes to confirm that you want to delete the role or roles.
Chapter 9
Managing customer cloud services
The Customers page lists the cloud services you have created for your customers and their
status. You use this page to perform the following tasks:
• Create a new cloud service for an organization.
• Disable and enable a cloud service.
• Log in as a system administrator to a customer’s cloud service.
You must be a sysadmin or a member of a role that has the Customer Management
permission to view the contents of the Customers page and create, disable, and log in to a
customer’s cloud service.
Note
The Customers page is only displayed in Admin Portal on Managed Service Provider
accounts. It is not displayed in customer accounts.
This chapter contains the following topics:
• “About customer cloud services” on page 153
• “Creating a cloud service for a customer” on page 154
• “Disabling and enabling a customer cloud service” on page 155
• “Logging in to a customer cloud service” on page 156
• “Creating roles that can create and manage customer cloud services” on page 156
About customer cloud services
A customer cloud service is a full implementation of the Samsung cloud service. The
customer identity platform has the following high-level features:
• The customer’s cloud service has its own unique customer ID and login suffix.
• The system administrators have full control over the users, apps, devices, roles, etc. in
their cloud service.
• The user accounts, policy sets, roles, enrolled devices, etc. are unique to that cloud
service.
Only Managed Service Providers (MSPs) have the ability to create cloud services for
customers. Administrators for the customer’s cloud service, for example, cannot create
additional cloud services.
When you create a cloud service for a customer, an MSP administrator account—
mspadmin@<new login suffix>—is created on the customer’s cloud service. This
account lets you log in to the customer’s cloud service with full system administrator
privileges. This user account cannot be deleted.
Creating a cloud service for a customer
You create a cloud service for a customer from the Customers page in Admin Portal. Fully
preparing a cloud service for a customer is a two-part process:
• First, you create the cloud service for the organization.
• Second, you log in to it to configure the basic settings, create, minimally, a system
administrator account for the customer, and then invite that user to log in to their cloud
service.
Creating the cloud service
To create the account, you enter the email address and a user name, phone number, job
title, company, etc. for the customer. This person does not need to be an administrator and
does not have any special privileges in the new cloud service.
The login suffix in the email account is the default login suffix for new user accounts.
Note
If that login suffix is already in use by another customer, it cannot be re-used, and the cloud
service automatically appends a number to make it unique. The full login suffix (that is, with
the number) then becomes the default login suffix for new user accounts in that cloud
service. You can create additional login suffixes by logging into the customer’s cloud service
and using the Login Suffix tab in the Settings tab in Admin Portal—see “Using login suffixes”
on page 195.
The new cloud service is added to the Customers page. To continue the second preparation
phase, you log in to the new cloud service from this page.
To create a cloud service for an organization:
1 Open Admin Portal and click the Customers tab.
2 Click Create Customer.
3 Fill in all of the fields for the customer account.
4 Select a cloud service location.
Click the drop-down menu and select the cloud service location that is closest to the
organization’s offices.
5 Click Submit.
Preparing a cloud service for customer takeover
After you create a cloud service, it has only one account—mspadmin, the Default Policy
settings are applied to all users, and the General Options (see “Customizing cloud service
user interfaces” on page 177) are set to the default values. At this point, only you can log in
to Admin Portal for this cloud service.
Minimally, you should create one user account for the customer, add it to the System
Administrator (sysadmin) role, and then invite that user to log in to the cloud service. You
do this by logging in to the cloud service you just created (see “Logging in to a customer
cloud service” on page 156) and then doing the following:
1 Create an account for the customer’s IT administrator.
See “Adding Samsung SDS CellWe EMM user service accounts” on page 27 for the
details.
2 Add that account to the System Administrator (sysadmin) role.
See “Creating cloud service administrators” on page 146 for the details.
3 Invite the administrator to log in to their cloud service.
See “Sending invitations to users” on page 33 for the details.
Note
The invitation logs the user in to the user portal. However, because the account is
a member of the System Administrator role, the user can open Admin Portal from the
user portal.
Alternatively, you can more fully configure the cloud service for the customer. For
example, you can do the following to help the customer get started faster:
• Customize the user interface with the customer’s colors and logo (see “Customizing
cloud service user interfaces” on page 177).
• Modify the default policy set or create new policy sets (see “Managing policies” on page
91).
• Add default web and mobile applications (see “Adding web applications by using Admin
Portal” on page 46 and “Adding and deploying mobile applications using Admin Portal”
on page 54).
Disabling and enabling a customer cloud service
By default, a customer’s cloud service is enabled when you create it. You can disable but you
cannot delete a customer’s cloud service. The current state of the cloud service is shown in
the Status column.
Disabling a cloud service has the following results:
• You cannot log in to Admin Portal for the customer’s cloud service.
• The customer’s administrators cannot log in to Admin Portal.
• The customer’s users cannot log in to the user portal.
• On the users’ devices, the Samsung SDS CellWe EMM client remains installed;
however, single sign-on is not provided for the web applications.
• If the customer has installed cloud connectors, the cloud connector blocks all
communications with the cloud service.
The listing remains on the Customers page so that you can enable it again.
To disable a customer’s cloud service:
1 Open Admin Portal and click the Customers tab.
2 Click the customer’s check box.
3 Expand the Actions menu and click Disable.
To enable a disabled account, repeat the procedure and click Enable.
Logging in to a customer cloud service
When you log in to a customer’s cloud service from the Customers page, you are logged in
using the mspadmin account and have system administrator permissions.
Note
When you log in to a customer’s cloud service, the Admin Portal session is opened in a
separate tab. The top area of the new window displays the customer name to distinguish that
session from your own Cloud Manager session.
To log in to a customer’s cloud service:
1 Open Admin Portal and click the Customers tab.
2 Click the customer’s check box.
3 Expand the Actions menu and click Login.
You are automatically authenticated to the customer’s Admin Portal using the mspadmin
account.
Creating roles that can create and manage customer cloud
services
Only members of the System Administrators role or a cloud service role that has the
Customer Management administrative right can view, create, disable or log in to customer
cloud services. You create roles and add administrative rights to them from the Roles page
in Admin Portal. See “Creating a role” on page 143 for the details.
The Customer Management administrative right is only available on Managed Service
Provider accounts. For all other accounts, this administrative right is not displayed. For
example, when your customer’s system administrator lists the Administrative Rights,
Customer Management is not included.
See the procedure, “To create a role:” on page 143 to continue and then go to “Creating
cloud service administrators” on page 146 to add the administrative rights that allow the
user to log in to Admin Portal. To give a role the ability to create, disable, and log in to
customers’ cloud services, add the Customer Management administrator right to the
selected role.
Chapter 10
Managing reports
You can create reports to find out specific information about your cloud data (applications,
devices, users, roles, cloud connectors, and so forth) and then share that information with
other Samsung cloud service administrators. A report is a SQL query against your cloud
database tables together with the results that the query generates.
You can use the default, built-in reports, or you can search for specific kinds of data by
building your own report queries. You can also share reports with your other cloud service
administrators.
This section includes the following topics:
• “What’s in the Report Library” on page 158
• “Reports provided in Admin Portal” on page 159
• “Access to shared reports and report data” on page 159
• “Selecting report data” on page 160
• “Working with reports” on page 166
• “Report query examples: Built-in report definitions” on page 169
• “Report syntax examples” on page 171
What’s in the Report Library
Use the Reports page to view, create, and share your reports. When you click Reports, the
page opens to the My Reports folder. This folder lists all of the reports you have created. If
you have not created any reports of your own, you might want to start by browsing through
the predefined reports provided in the Builtin Reports folder and its subfolders. For
example, if you expand the Builtin Reports folder and select the Mobile subfolder, you
would see a list of the prebuilt reports for mobile devices.
Admin Portal provides the following folders to store reports:
Builtin Reports: Admin Portal provides some prebuilt reports in this folder. You can
copy these reports into your My Reports folder or the Shared Reports folder. After you
copy a report to another location you can then modify the report.
My Reports: When you create a new report or modify a report, Admin Portal saves it
here. You can also copy built-in or shared reports to this folder so that you have all the
reports that you use in one place. Only you can see the reports in your My Reports folder.
Shared Reports: To share reports with other administrators, you move or copy the
reports here.
Reports provided in Admin Portal
Admin Portal provides built-in reports for applications, mobile devices, resources, and
security. The reports are organized into subfolders. You can browse the subfolders in the
top-level Built-in Reports folder to see the reports that Admin Portal provides.
These built-in reports demonstrate the kinds of data you can gather and display in your
reports.
What you can do with a report and whether or not you can modify it depends on where the
report is. You can modify, export, copy, move, or delete reports in the My Reports folder.
You can export or copy reports in the Built-in Reports folder.
Exporting a report creates a file on your computer; you can specify either CSV or Microsoft
Excel format. Copying a report duplicates the report into another reports folder.
Access to shared reports and report data
When you view a report, you can only read the data that you have permission to access. If
you don’t have read permission to a particular kind of data, such as applications, devices, or
users, then the report doesn’t display that information for you. (Permissions are granted to
roles by the sysadmin; see “Assigning applications to and removing them from roles” on
page 145 for the details.)
Note: The report doesn’t indicate any limitations to that user’s permissions. This means that
people with different permissions can view the same report but see different results.
You can share any report in the Shared Reports folder. Sharing a report involves assigning it
to specific roles and also to the folder(s) that contain the report.
When you assign a report or a report folder to a role, you also specify the level of access
that the role has—read access, read and write access, or owner access. If you specify a role
as an owner of a report or a report folder, then that role can modify, rename, share, or
delete the report.
There are three kinds of access permission for reports:
• The level of access to the report definition
• Access to the data that is read by the report
• Access to the folder that contains the report
The report access level determines whether you can read, copy, modify, or share the report
definition.
You can create reports in the Shared Reports folder, or you can copy reports from either the
My Reports or Builtin Reports folders into the Shared Reports folder.
When you modify a report in the Shared Reports folder, you can also assign the report to
roles. When you assign the report to a role, you also specify what the administrators in that
role can do with the report by specifying either the Read, Read and Write, or Owner
access. You also specify similar levels of access for the report folders.
• Read: Administrators can view and copy the report, but they cannot modify it, move it,
or share it.
• Read and Write: Administrators can view, copy, move, and modify the report.
• Owner: Administrators can view, copy, move, and modify the report. Administrators
can also grant other administrators access to the report.
At the minimum, you need to assign administrators to a role with at least the Read Only
System Administration permission to enable them to view built-in and their own reports.
In order to share reports, you need to assign administrators to a role with Report
Management permission.
However, you also need to grant administrators access to the types of data that you want
them to view in the report. Administrators do not see report data that they do not have
permission to view.
Administrators can always view report data related to their own mobile devices.
For example, if an administrator has the Application Management permission but not the
Device Management permission, when that administrator opens a report that generates
both application and device results, the administrator sees only the application data.
Selecting report data
You can open the data dictionary to see the tables and column names that you can use in
your reports. When you create a report, you open the Data Dictionary by clicking the >>
button in the upper right area of the screen.
With the Data Dictionary visible, you can find the column names in a particular table by
clicking the triangle next to a table name. The Data Dictionary provides table names,
column names, and data types so that you know what to enter in your SQL query.
Although there are other tables in the database that you can use in your reports, the tables
mentioned below are likely to be the most useful to you.
• ADUser: The Active Directory User table stores some basic information related to
users, such as SamAccountName, UserPrincipalName, Mail, and so forth.
• Application: Stores information related to web and mobile applications, such as web
application type, mobile application type, application version, and so forth.
• Device: Stores information related to mobile devices, such as operating system version,
jailbroken status, and when the device last connected with the cloud service.
• Event: Stores activity information related to applications, devices, and users, such as
counts for application launches, logins, device types, and so forth.
Note: When creating queries with the Event table, you must specify a time boundary. There
are too many records in the Event table to query all records. For details, see “Filtering events
by time with DateFunc()” on page 162.
Report query syntax
Creating the query for a report involves using SQL statements. SQL is a Structured Query
Language for retrieving data from databases. SQL statements can be simple or complex,
depending on the data that you want to find and how you want it to display. The key is to
know what you want to see in your report, and understanding what kind of data is available
to you.
For example, here’s a simple SQL statement:
SELECT Owner FROM Device
This query looks for the listed owners of enrolled mobile devices, as recorded in the Owner
column of the Device table.
The main component of a SQL query is the SELECT statement. SELECT does just that: it
selects which data to display. You can select one or more columns from one or more tables
to retrieve. You can use any of the following SELECT statements in Admin Portal report
queries:
• SELECT: Selects data from the specified columns in the specified tables.
• SELECT *: Selects all records from the specified table.
• SELECT DISTINCT: Selects the unique records from the specified columns in the
specified tables. The DISTINCT keyword trims out the duplicate records.
If you want to look at columns in different tables, you can also combine the results by using
UNION or one of the JOIN statements.
In addition to selecting the database tables to retrieve, you can also provide conditions to
further refine your query results. You can use any of the following SQL statements to
specify conditions:
• AND / OR: Selects data that meets both conditions (AND) or one of the specified
conditions (OR).
• BETWEEN: Use BETWEEN to select results that are within a specified range.
• IN / NOT IN: Use IN or NOT IN to specify multiple values in a WHERE clause.
• LIKE: Use LIKE to search for a specified pattern in a column.
• WHERE: Use WHERE to specify criteria to filter for, such as column values and so
forth.
Note: Admin Portal uses a subset of SQL-92 that only supports SELECT statements. SQL
commands that change database values are not valid (CREATE, ALTER, DELETE, DROP,
INSERT, SELECT INTO, TRUNCATE, UPDATE, and so forth).
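One way to enforce the same SELECT-only rule inside the database engine, added here as an example and not the portal’s own mechanism (the page does not describe how Admin Portal implements its restriction): SQLite’s authorizer callback rejects any statement that needs an action other than reading, so CREATE, DELETE, DROP, UPDATE and the rest fail when the statement is compiled, before any row is touched. The Event table and its rows are constructed for the demonstration and carry only the columns the page’s examples use.

```python
import sqlite3

# Constructed sample rows standing in for the cloud service's Event table
# (only the columns the page's examples use; not the product's schema).
SAMPLE_EVENTS = [
    ("Cloud.Core.LoginFail", "alice@example.com", "198.51.100.7", "2015-06-30T10:00:00"),
    ("Cloud.Core.Login", None, "198.51.100.7", "2015-06-30T10:01:00"),
    ("Cloud.Core.LoginFail", "bob@example.com", "203.0.113.9", "2015-06-30T11:15:00"),
]

# The only authorizer actions a SELECT-only report engine needs: the SELECT
# itself, reading columns, and calling functions such as count(). Every other
# action (INSERT, UPDATE, DELETE, DROP, CREATE, ALTER, PRAGMA, ATTACH, ...) is
# denied while SQLite compiles the statement, so no data is ever modified.
ALLOWED_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}


def select_only(action, arg1, arg2, db_name, trigger_or_view):
    """Authorizer callback: allow read actions, deny everything else."""
    return sqlite3.SQLITE_OK if action in ALLOWED_ACTIONS else sqlite3.SQLITE_DENY


def open_report_connection():
    """Load the sample data, then lock the connection down to SELECT statements."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Event (EventType TEXT, FailUserName TEXT, "
                 "FromIPAddress TEXT, WhenOccurred TEXT)")
    conn.executemany("INSERT INTO Event VALUES (?, ?, ?, ?)", SAMPLE_EVENTS)
    conn.commit()
    conn.set_authorizer(select_only)  # from here on the connection is read-only
    return conn


def run_report(conn, sql):
    """Return (True, rows) for an accepted query, or (False, reason) for a rejected one."""
    try:
        return True, conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:  # 'not authorized' surfaces here
        return False, str(exc)


if __name__ == "__main__":
    conn = open_report_connection()
    for stmt in ("select count(*) as Count from Event where EventType = 'Cloud.Core.LoginFail'",
                 "delete from Event",
                 "drop table Event"):
        print(stmt, "->", run_report(conn, stmt))
```

The check fails closed: a rejected statement raises before execution and the report layer reports it as an error rather than returning partial data, which is the behaviour to verify when testing any report interface that claims to be read-only.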
Filtering events by time with DateFunc()
When you query the Event table, you must include a time boundary to limit your query
results. Admin Portal provides a DateFunc() SQL function to filter events based on time.
Description: Events that occurred in the last 30 days
SQL Query:
select WhenOccurred, FailUserName,
FromIPAddress from event
where EventType = 'Cloud.Core.LoginFail'
and whenoccurred >= DateFunc('now','-30')

Description: Events that occurred in the last 24 hours
SQL Query:
Select WhenOccurred,EventType from Event
where WhenOccurred > datefunc('now', '-1')

Description: Events that occurred in the last 48 hours
SQL Query:
Select * from Event where WhenOccurred >
DateFunc('now', '-2')

Description: Events that occurred in the last 54 hours
SQL Query:
Select * from Event where WhenOccurred >
DateFunc('now', '-2.06:00')

Description: Events that occurred on or before August 7, 2013
SQL Query:
Select * from Event where WhenOccurred >
"08/07/2013"

Description: Events that occurred yesterday
SQL Query:
select eventtype,WhenOccurred from event
where whenoccurred>datefunc('now', '-3')
and whenoccurred < datefunc('now', '-2')
DateFunc Syntax
Use the following syntax:
Datefunc( <stringdate>, [<offset>])
where <stringdate> can be one of the following three options:
• 'now': the current time
• 'today': the start of today (current day)
• <date string>: a string that represents a time, such as ‘-2.06:00’
and <offset> is a string representing an offset:
• -n: minus n days
• -5:00: minus 5 hours
Note The Samsung cloud service operates using UTC time and displays in local time. So,
“today” means the start of today according to UTC time, and ‘3:15’ means 3:15 today in
UTC time. For example, if you specify ‘3:15’ while you’re in California during Daylight
Savings Time, you’re actually specifying 8:15 am UTC time.
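The DateFunc() syntax above, worked through in Python as an added example; this is not the cloud service’s code, and how the service parses these strings is not documented. The emulation accepts 'now', 'today', an 'H:MM' time of day as in the Note, and a date string (ISO 8601 or MM/DD/YYYY, an assumption based on the "08/07/2013" example above), plus the '-n', '-H:MM' and '-D.HH:MM' offset forms, and evaluates everything in UTC as the Note describes. FIXED_NOW is a constructed reference time so the results can be checked.

```python
import re
from datetime import datetime, timedelta, timezone

# Offset grammar taken from the DateFunc description above:
#   '-n'        n days              (e.g. '-30')
#   '-H:MM'     hours:minutes       (e.g. '-5:00')
#   '-D.HH:MM'  days.hours:minutes  (e.g. '-2.06:00' is 54 hours)
# How the cloud service itself parses these strings is not documented; this
# emulation exists to reason about a query's time window, entirely in UTC.
_OFFSET_RE = re.compile(r"^([+-])?(?:(\d+)\.(\d{1,2}):(\d{2})|(\d{1,2}):(\d{2})|(\d+))$")
_TIME_OF_DAY_RE = re.compile(r"^\d{1,2}:\d{2}$")

# Constructed reference time used by the demonstration (assumption, not a page value).
FIXED_NOW = datetime(2015, 7, 15, 14, 30, tzinfo=timezone.utc)


def parse_offset(offset):
    """Convert a DateFunc offset string into a timedelta (negative for '-...')."""
    m = _OFFSET_RE.match(offset.strip())
    if not m:
        raise ValueError(f"unsupported DateFunc offset: {offset!r}")
    sign, d, dh, dm, h, mnt, days_only = m.groups()
    delta = timedelta(days=int(d or days_only or 0),
                      hours=int(dh or h or 0),
                      minutes=int(dm or mnt or 0))
    return -delta if sign == "-" else delta


def datefunc(stringdate, offset=None, now=None):
    """Emulate Datefunc(<stringdate>, [<offset>]); returns a timezone-aware UTC datetime."""
    now = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    today = now.replace(hour=0, minute=0, second=0, microsecond=0)  # start of today, UTC
    if stringdate == "now":
        base = now
    elif stringdate == "today":
        base = today
    elif _TIME_OF_DAY_RE.match(stringdate):
        hh, mm = stringdate.split(":")            # '3:15' means 03:15 today, UTC
        base = today.replace(hour=int(hh), minute=int(mm))
    else:
        try:
            base = datetime.fromisoformat(stringdate)
        except ValueError:
            base = datetime.strptime(stringdate, "%m/%d/%Y")   # page's "08/07/2013" form
        base = base.replace(tzinfo=timezone.utc) if base.tzinfo is None else base.astimezone(timezone.utc)
    return base + parse_offset(offset) if offset else base


if __name__ == "__main__":
    for args in (("now", "-30"), ("now", "-2.06:00"), ("now", "-5:00"), ("today",), ("3:15",)):
        print(args, "->", datefunc(*args, now=FIXED_NOW).isoformat())
```

When checking a report’s window, compare the UTC value the emulation returns against the UTC timestamps in the Event table, not against local wall-clock time; the offset arithmetic is the same either way, but the 'today' and 'H:MM' boundaries move with the time zone.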
Formatting dates to strings with Formatdate()
You can use the Formatdate() function to convert a date to a string. Use the following
syntax:
formatdate(<date>, <format_string>)
For example, to extract the month number from a date, use the following syntax:
formatdate(<date>, "MM")
If you process a date in November through the above example, it returns an “11” to indicate
November.
Selecting location data
You can also include a geographic map of logins or devices where it displays the last known
location. Location data for a device is encrypted, but you can extrapolate it from the IP
address. Keep in mind, however, that location data is accurate to within about 50 miles—
the locations are not precise.
Use the IpLookup() function to convert IP address data to geographical data, with the
following syntax:
Iplookup(<ipaddress>, 'country|country_code|longitude|latitude|city')
For example, the following report query returns the locations of failed logins within the last
30 days.
select
iplookup(FromIPAddress,'longitude') as Longitude,
iplookup(FromIPAddress,'latitude') as Latitude,
FailUserName || ' - ' || formatdate(whenoccurred , 'G')
as Name from event
where eventtype='Cloud.Core.LoginFail'
and whenoccurred > datefunc('now', '-30') limit 1000
In order for a report to display results in a geographical map, you must select the option
“Report can be displayed on a map” and also include the following column labels in your
report query:
• Latitude
• Longitude
• Name (this is any string value; it’s used to label a location on the map)
Note: Map view is not available in report preview mode.
Note: Country names and city names are in English.
Common events that you can search for
When collecting information from the Event table, you specify types of events that you
want to have in your report. Here’s a list of the most common types of events that you
might see in the Event table.
Cloud.Saas.ApplicationLaunch
Cloud.Saas.Application.AppLaunch
Cloud.Saas.Application.AppAdd
Cloud.Saas.Application.AppModify
Cloud.Saas.Application.AppDelete
Cloud.Saas.Application.SamlResponseGenerate
Cloud.Saas.Application.WsFedSamlResponseGenerate
Cloud.Saas.ProfileUpdate
Cloud.Saas.PasswordChange
Cloud.Core.Login
Cloud.Core.Login.MultiFactorChallenge
Cloud.Core.Login.MultiFactorChallenge.MultiFactorResponse
Cloud.Core.LoginFail
Cloud.Core.Logout
Cloud.Core.SamlTokenValidate
Cloud.Core.SamlTokenValidateFail
Cloud.Core.Access.Role.Create
Cloud.Core.Access.Role.Edit
Cloud.Core.Access.Role.Delete
Cloud.Core.Access.CheckRightsFailure.Table
Cloud.Core.Access.CheckRightsFailure.Table.Row
Cloud.Mobile.Enroll
Cloud.Mobile.StateChange
Cloud.Mobile.AppChange
Cloud.Mobile.DeviceAction
Cloud.Mobile.Device.DeviceAction
Cloud.Mobile.Device.AppChange
Cloud.Mobile.Device.StateChange
Cloud.Mobile.Device.Enroll
Cloud.Mobile.GpChangeDetected
Working with reports
When you open a report, use the Actions menu to invoke the following commands:
• View: Display the report details and set the following properties:
  • Report can be displayed on a map
  • Validate report on save
  The details include the report name, description, and SQL query. You can generate a
  preview of the results in this option too.
• Export Report: Save the SQL script in a CSV or Excel spreadsheet file.
• Email: Send the query results to an email account. You can send the data as an Excel
  spreadsheet or HTML table.
• Copy: Copy the report to your My Reports or Shared Reports folder.
Viewing reports
When viewing a report, you can click any column heading to sort by that column. You can
also click and drag a column heading to move it and adjust the column widths.
To view a report:
1 In the Reports page, select a report folder.
By default when you first open the Reports page it opens to your “My Reports” folder.
2 Navigate to a report and click it to open it.
3 Expand the Actions menu and click View.
Note: Some reports offer two viewing options: Mapped Reports and Reports. Select
Mapped Reports to view the data on a geographical map or Reports to view the data in
rows and columns.
Modifying applications or devices directly from a report
If your report includes web applications or devices in the report results, you can click a
specific application or device to see the details for that object. This works when a specific
object (device ID or application name) displays in the result set, not a grouping of objects.
For example, if you create a report that lists a mobile device ID, you can right-click the
Device ID and perform device-related actions - such as delete, update policies, unenroll,
and so forth.
Exporting report data
When viewing report results, you can select one or more rows and export the results to a
CSV or Microsoft Excel file.
Creating a new report
To create a new report:
1 In the Reports page, click New Report.
2 Enter the report name and description.
Names can contain letters, numbers, and underscores. Do not include special characters
or white space.
3 In the Query text box, enter SQL statements to populate your report.
4 To open the Data Dictionary and locate the available table and column names, click the
<< button in the upper right corner of the dialog box. (Click >> to close the Data
Dictionary.)
Folders represent tables, and the items within each folder are the table columns.
5 Click Preview to see what results your query produces.
Note
Preview mode does not support map views.
6 Continue editing the SQL statement and clicking Preview until you get the data that
you’re looking for.
7 If your query includes geographical data for a map, select Report can be displayed
on a map.
8 Click Save.
Admin Portal saves your report in the My Reports folder.
Copying an existing report
To copy an existing report:
1 In the Reports page, navigate to the report that you want to copy.
You can copy any report in any folder that you have access to.
2 Right-click the report and click Copy.
3 Select the folder where you want to copy the report to.
You can copy reports to either My Reports or Shared Reports.
4 Enter the name of the new report, and click Save file.
Admin Portal saves a copy of the selected report in the specified location with the
specified name.
Sharing a report and granting report access
You share a report by assigning it to one or more roles, and giving each role either Read,
Read and Write, or Owner level of access. Before you can share a report, you must move or
copy it to the Shared Reports folder.
You must have the Report Management permission in order to copy reports in the Shared
Reports folder.
To share a report:
1 Make sure that the report is in the Shared Reports folder.
2 Right-click the report and click Modify.
The Report Settings dialog box opens.
3 Click the Role Access tab.
4 Select the roles that define who should get access to the report.
5 For each role, specify the level of access: Read, Read and Write, or Owner.
6 Click Save.
Administrators assigned to the designated roles can now access the report as specified.
Deleting a report
You can delete a report in the Shared Reports or My Reports folders.
To delete a report:
1 Right-click the desired report and click Delete.
You can also select multiple reports and click Delete in the pop-up menu.
2 In the confirmation dialog box, click Yes.
Admin Portal deletes the specified report.
Creating a new report folder
You can create new folders in the Shared Reports or My Reports folder. You can grant
access to folders in the Shared Reports folder.
To create a report folder:
1 Right-click either the Shared Reports or My Reports folder and click New Folder.
2 Enter the folder name.
3 Click Save new folder.
Admin Portal creates the new folder.
Granting access to a report folder
You can modify who has access to the Shared Reports folder or any of its subfolders that you
create. Granting access to a folder grants access to open the folder; you specify access to the
reports in that folder separately.
To grant access to a shared reports folder:
1 Right-click the Shared Reports folder and click Modify.
2 Select the desired roles for whom you want to grant report folder access to.
3 For each role that you select, specify the report access level:
• Read
• Read and Write
• Owner
4 Click Save.
Admin Portal saves the changes.
Report query examples: Built-in report definitions
Admin Portal provides some built-in reports that you can use or copy and then modify as
desired. You can view the SQL statements for any of the built-in reports in Cloud Manager.
For convenience, here are some examples of the report definitions for several of the built-in
reports so you can see examples of the SQL syntax being used.
Report description: Web apps used the most often during the last 30 days
Query syntax:
select ApplicationName as Name,
count(*) as Count from Event
where WhenOccurred >= DateFunc('now', '-30')
and EventType='Cloud.Saas.Application.AppLaunch'
group by name order by count desc

Report description: Web apps added and used in the last 30 days
Query syntax:
select distinct ApplicationName from Event
where eventtype='Cloud.Saas.Application.AppLaunch'
and ApplicationName in
(select applicationname from event where whenoccurred
>datefunc('now','-30') and
eventtype='Cloud.Saas.Application.AppAdd')

Report description: Web apps that weren't used in the last 30 days
Query syntax:
select Name from application where DisplayName not in
(select ApplicationName from Event
where WhenOccurred >= DateFunc('now', '-30')
and EventType='Cloud.Saas.Application.AppLaunch')
and AppType = 'Web'

Report description: A listing of the different Android versions in use
Query syntax:
select OSVersion,Count(*) as Count
from device where InternalDeviceType = 'A'
group by osversion order by count desc

Report description: Number of devices, organized by mobile carrier
Query syntax:
select Carrier, count(*) as Count from device
group by Carrier

Report description: Number of devices, organized by iOS, Mac, Android, and Windows
Query syntax:
select case(InternalDeviceType)
when 'I' then 'iOS'
when 'M' then 'Mac'
when 'A' then 'Android'
when 'W' then 'Windows'
end as Platform, Count(*) as Count from device
group by InternalDeviceType order by Count desc

Report description: A listing of the different iOS versions in use
Query syntax:
select OSVersion,Count(*) as Count
from device where InternalDeviceType = 'I'
group by osversion order by count desc

Report description: All mobile apps, organized by the number of installations
Query syntax:
select Name, Count(*) as Count from InstalledApp
group by name
order by count desc

Report description: Failed logins in the last 30 days
Query syntax:
select WhenOccurred, FailUserName, FromIPAddress from event
where EventType = 'Cloud.Core.LoginFail'
and whenoccurred >= DateFunc('now','-30')

Report description: Users who haven't logged in during the last 30 days
Query syntax:
select UserName, DisplayName, LastLogin from User where ID not in
(select UserGUID from Event
where EventType = 'Cloud.Core.Login'
and WhenOccurred >= DateFunc('now', '-30'))

Report description: The users who have logged in the most often during the past 30 days
Query syntax:
select NormalizedUser as User, Count(*) as Count from Event
where EventType = 'Cloud.Core.Login'
and WhenOccurred >= DateFunc('now', '-30')
group by User
order by count desc
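The failed-login and inactive-user definitions above, run against a small constructed dataset so the results can be checked. This is an added example, not the product’s code: SQLite stands in for the cloud database, the Event and User tables carry only the columns these queries use, and DateFunc() is a constructed stand-in that supports only 'now' with a '-n' day offset against a fixed reference time. The third query goes beyond the page’s definitions by adding a HAVING clause that counts failures per source address over the same window, which is the shape of a simple password-guessing indicator an administrator would want from this data.

```python
import sqlite3
from datetime import datetime, timedelta

# Fixed reference time so the results are reproducible (the cloud service
# itself evaluates 'now' as the current UTC time). Constructed for the demo.
NOW = datetime(2015, 7, 15, 12, 0, 0)


def _datefunc(stringdate, offset="0"):
    """Constructed stand-in for DateFunc(): 'now' plus an optional '-n' day offset.
    Returns an ISO 8601 string so WhenOccurred comparisons work as text."""
    if stringdate != "now":
        raise ValueError("stand-in supports only 'now'")
    return (NOW + timedelta(days=float(offset))).strftime("%Y-%m-%dT%H:%M:%S")


# Constructed sample rows; timestamps are ISO 8601 in UTC.
USERS = [  # (ID, UserName, DisplayName, LastLogin)
    ("u1", "alice@example.com", "Alice", "2015-07-14T09:00:00"),
    ("u2", "bob@example.com", "Bob", "2015-05-01T08:00:00"),
    ("u3", "carol@example.com", "Carol", "2015-06-20T17:30:00"),
]
EVENTS = [  # (EventType, UserGUID, NormalizedUser, FailUserName, FromIPAddress, WhenOccurred)
    ("Cloud.Core.Login", "u1", "alice@example.com", None, "198.51.100.7", "2015-07-14T09:00:00"),
    ("Cloud.Core.Login", "u3", "carol@example.com", None, "198.51.100.23", "2015-06-20T17:30:00"),
    ("Cloud.Core.Login", "u2", "bob@example.com", None, "198.51.100.9", "2015-05-01T08:00:00"),
    ("Cloud.Core.LoginFail", None, None, "alice@example.com", "198.51.100.7", "2015-07-13T08:59:00"),
    ("Cloud.Core.LoginFail", None, None, "bob@example.com", "203.0.113.9", "2015-07-14T22:00:00"),
    ("Cloud.Core.LoginFail", None, None, "bob@example.com", "203.0.113.9", "2015-07-14T22:01:00"),
    ("Cloud.Core.LoginFail", None, None, "bob@example.com", "203.0.113.9", "2015-07-14T22:02:00"),
    ("Cloud.Core.LoginFail", None, None, "bob@example.com", "203.0.113.9", "2015-07-14T22:03:00"),
    ("Cloud.Core.LoginFail", None, None, "dave@example.com", "203.0.113.9", "2015-07-14T22:05:00"),
    ("Cloud.Core.LoginFail", None, None, "bob@example.com", "203.0.113.9", "2015-06-01T03:00:00"),  # outside the 30-day window
]


def build_db():
    """Create the in-memory tables, load the sample rows and register DateFunc."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE User (ID TEXT, UserName TEXT, DisplayName TEXT, LastLogin TEXT)")
    conn.execute("CREATE TABLE Event (EventType TEXT, UserGUID TEXT, NormalizedUser TEXT, "
                 "FailUserName TEXT, FromIPAddress TEXT, WhenOccurred TEXT)")
    conn.executemany("INSERT INTO User VALUES (?, ?, ?, ?)", USERS)
    conn.executemany("INSERT INTO Event VALUES (?, ?, ?, ?, ?, ?)", EVENTS)
    conn.create_function("DateFunc", -1, _datefunc)  # SQL function names are case-insensitive
    return conn


def failed_logins(conn):
    """Built-in report: failed logins in the last 30 days (oldest first)."""
    return conn.execute("""
        select WhenOccurred, FailUserName, FromIPAddress from event
        where EventType = 'Cloud.Core.LoginFail'
        and whenoccurred >= DateFunc('now','-30')
        order by WhenOccurred""").fetchall()


def inactive_users(conn):
    """Built-in report: users who haven't logged in during the last 30 days."""
    return conn.execute("""
        select UserName, DisplayName, LastLogin from User where ID not in
        (select UserGUID from Event
         where EventType = 'Cloud.Core.Login'
         and WhenOccurred >= DateFunc('now', '-30'))""").fetchall()


def noisy_sources(conn, threshold=3):
    """Added aggregate: source addresses with at least `threshold` failures in the window."""
    return conn.execute("""
        select FromIPAddress, count(*) as Count from Event
        where EventType = 'Cloud.Core.LoginFail'
        and WhenOccurred >= DateFunc('now', '-30')
        group by FromIPAddress
        having count(*) >= ?
        order by Count desc""", (threshold,)).fetchall()


if __name__ == "__main__":
    conn = build_db()
    print("failed logins:", failed_logins(conn))
    print("inactive users:", inactive_users(conn))
    print("sources at or above threshold:", noisy_sources(conn))
```

Two things to check before trusting an inactivity report built on the NOT IN form: a NULL in the subquery result makes NOT IN return no rows at all, so the Login events must always carry a UserGUID; and because WhenOccurred is compared as text, the stored timestamps must share one fixed-width format (ISO 8601 here) for the boundary comparison to be correct.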
Report syntax examples
SQL statements to retrieve data from tables and columns (basic)

SQL Statement: SELECT
Syntax: SELECT column_name(s) FROM table_name
Example Statement: select Name from application
Example Result or Description: Use SELECT to get the data in one or more columns of a
table.

SQL Statement: SELECT *
Syntax: SELECT * FROM table_name
Example Statement: select * from ADGroup
Example Result or Description: Use SELECT * to get all records from a table.

SQL Statement: SELECT DISTINCT
Syntax: SELECT DISTINCT column_name(s) FROM table_name
Example Statement: select distinct ApplicationName from Event
Example Result or Description: Use SELECT DISTINCT to return just the values that are
unique (distinct). Duplicate values are ignored.

SQL Statement: UNION (ALL)
Syntax: SELECT column_name(s) FROM table_name1 UNION SELECT column_name(s) FROM table_name2
Example Result or Description: Use the UNION statement to combine the result sets of two
or more SELECT statements. Only distinct values are returned. To return all values,
including duplicate values, use UNION ALL.
SQL components to specify conditions

SQL Statement: AND / OR
Syntax: SELECT column_name(s) FROM table_name WHERE condition AND|OR condition
Example Statement:
select WhenOccurred, FailUserName, FromIPAddress from event
where EventType = 'Cloud.Core.LoginFail'
and whenoccurred >= DateFunc('now','-30')
Example Result or Description: Use AND to combine conditions; results display only if the
database record meets both conditions. Use OR to show results that meet either the first or
the second condition.

SQL Statement: BETWEEN (advanced)
Syntax: SELECT column_name(s) FROM table_name WHERE column_name BETWEEN value1 AND value2
Example Statement:
select OSVersion,Count(*) as Count
from device where InternalDeviceType = 'I'
and OSVersion between '6' and '7'
group by osversion
order by count desc
Example Result or Description: Use BETWEEN to select results that are within a specified
range.
SQL Statement: IN / NOT IN
Syntax: SELECT column_name(s) FROM table_name WHERE column_name IN (value1,value2,..)
Example Statement:
select UserName, DisplayName, LastLogin
from User where username not in
(select NormalizedUser from Event
where EventType = 'Cloud.Core.Login'
and WhenOccurred >= DateFunc('now', '-30'))
Example Result or Description: Use IN to select results where a column value is one of a
specified list of values (or NOT IN to exclude them).

SQL Statement: LIKE
Syntax: SELECT column_name(s) FROM table_name WHERE column_name LIKE pattern
Example Statement:
Select * from Users where username like 'j%'
returns all users whose names begin with J.
Example Result or Description: Use LIKE to select results that match a specified pattern.
Use wildcards in the pattern: % for zero or more characters, and _ (underscore) for a
single character.

SQL Statement: CASE (WHEN... THEN, END)
Syntax:
CASE X
WHEN W1 THEN T1
WHEN W2 THEN T2
ELSE T3
END
To evaluate the base expression multiple times:
CASE
WHEN X=W1 THEN T1
WHEN X=W2 THEN T2
ELSE T3
END
Example Statement:
SELECT CASE(InternalDeviceType)
WHEN 'I' THEN 'iOS'
WHEN 'M' THEN 'Mac'
WHEN 'A' THEN 'Android'
WHEN 'W' THEN 'Windows'
END as Platform, Count(*) as Count from device
GROUP BY InternalDeviceType
ORDER BY Count desc
Example Result or Description: Use CASE when you want to do an if/then/else statement.
You can specify to have the base expression evaluated once or multiple times.

SQL Statement: WHERE
Syntax: SELECT column_name(s) FROM table_name WHERE column_name operator value
Example Statement:
select ApplicationName as Name, count(*) as Count from Event
where WhenOccurred >= DateFunc('now', '-30')
and EventType='Cloud.Saas.Application.AppLaunch'
group by name order by count desc
Example Result or Description: Use WHERE to specify the condition, such as a column name
value.
SQL components to specify sorting, displaying, grouping

SQL Statement: AS (alias)
Syntax: SELECT column_name AS column_alias FROM table_name
or SELECT column_name FROM table_name AS table_alias
Example Statement:
select Carrier, count(*) as Count from device
group by Carrier
Example Result or Description: Use AS if you want to provide a different label for a column
in the report results.

SQL Statement: GROUP BY
Syntax: SELECT Carrier, count(*) AS Count from device GROUP BY Carrier
Example Statement:
select Carrier, count(*) as Count from device
group by Carrier
Example Result or Description: Use GROUP BY to organize the report results by a specified
column value.

SQL Statement: ORDER BY
Syntax: SELECT column_name(s) FROM table_name ORDER BY column_name [ASC|DESC]
Example Statement:
select Name, Count(*) as Count from InstalledApp
group by name
order by count desc
Example Result or Description: Use ORDER BY to sort the report results by a specified
column value.
SQL Function examples

SQL Statement: HAVING
Syntax:
SELECT column_name, aggregate_function(column_name)
FROM table_name
WHERE column_name operator value
GROUP BY column_name
HAVING aggregate_function(column_name) operator value
Example Result or Description: Use HAVING to specify conditions when using SQL
aggregate functions. (Use it instead of WHERE for aggregate functions.)

SQL Statement: AVG()
Syntax: SELECT AVG(column_name) FROM table_name;
Example Result or Description: Use AVG() to calculate the average value of the non-null
records in the specified column.

SQL Statement: COUNT()
Syntax: SELECT COUNT(column_name) FROM table_name;
Example Statement:
select ApplicationName as Name, count(*) as Count from Event
where WhenOccurred >= DateFunc('now', '-30')
and EventType='Cloud.Saas.Application.AppLaunch'
group by name order by count desc
Example Result or Description: COUNT(column_name) returns the number of non-null values
in the specified column. COUNT(*) returns the number of records in a table.
COUNT(DISTINCT column_name) returns the number of distinct values in the specified
column.

SQL Statement: MAX()
Syntax: SELECT MAX(column_name) FROM table_name;
Example Result or Description: Use MAX() to return the maximum value of all values in the
group.

SQL Statement: MIN()
Syntax: SELECT MIN(column_name) FROM table_name;
Example Result or Description: Use MIN() to return the minimum, non-null value of all
values in the group. The results include null values only if there are no non-null values.
Chapter 11
Configuring cloud service settings
You use the Admin Portal Settings page to configure the following Samsung cloud service
options. Before you develop your cloud service deployment plan, review these options.
Some of them may be necessary to support certain mobile devices (for example, the Apple
Push Notification Service certificate for iOS devices and Samsung KNOX Workspace
license key for Samsung KNOX Workspace devices) while others are optional (Account
Customization and Exchange ActiveSync Server Settings).
Modifying a setting requires specific Admin Portal administrative rights. The required rights
are listed with each setting. To learn more about the roles and rights required to make these
changes, see “Assigning applications to and removing them from roles” on page 145.
Setting: Account Customization
Why you use this setting: Customize the user portal and Admin Portal login prompts and
email messages to incorporate your organization’s brand and logos. See “Customizing cloud
service user interfaces” on page 177.
Role or rights needed to modify this setting: Sysadmin role

Setting: APNS Certificate
Why you use this setting: Get an Apple Push Notification Service (APNS) certificate so
users can enroll iOS-based devices. See “Generating an APNS certificate” on page 190.
Notes:
• You must upload an APNS certificate to Admin Portal before users can enroll these
devices.
• If the certificate expires, users cannot enroll devices and enrolled iOS devices have
service restrictions.
Role or rights needed to modify this setting: Device Management rights or Sysadmin role

Setting: Apple Configurator
Why you use this setting: Install a base security policy on iOS devices to pre-configure the
mobile device manager and simplify device enrollment. See “Preparing iOS devices for mass
deployment” on page 187.
Role or rights needed to modify this setting: Device Management rights or Sysadmin role

Setting: Apple DEP Configuration
Why you use this setting: Add your Samsung cloud service account as an MDM server in the
Apple Device Enrollment Program, upload the token, and set the initial enrollment profile.
See “Linking to the Apple Device Enrollment Program” on page 198.
Role or rights needed to modify this setting: Sysadmin role

Setting: Cloud Connectors
Why you use this setting: Display the list of Samsung SDS CellWe EMM cloud connectors,
configure Integrated Windows Authentication settings, and add or delete a Samsung SDS
CellWe EMM cloud connector. See “Configuring cloud connectors” on page 181.
Role or rights needed to modify this setting: Sysadmin role to modify all settings; Register
proxies permission to add a cloud connector

Setting: Corporate IP Range
Why you use this setting: Specify the public IP addresses you want to include within the
corporate intranet. The Samsung cloud service uses these addresses for Integrated Windows
Authentication and application multifactor authentication. See “Setting Corporate IP
ranges” on page 200.
Role or rights needed to modify this setting: Sysadmin role

Setting: Device Policy Management
Why you use this setting: Select either Active Directory group policy or the Samsung SDS
CellWe EMM policy service as the source for mobile device policies. If you use the Samsung
SDS CellWe EMM policy service you also use this tab to select the default Active Directory
certificate service or the Samsung SDS CellWe EMM cloud CA to generate user certificates.
See “Selecting the policy service for device policy management” on page 201.
Role or rights needed to modify this setting: Sysadmin role

Setting: Directory Services
Why you use this setting: Add LDAP as your directory service and view existing configured
directory services. See “Adding LDAP as a Directory Service” on page 185.
Role or rights needed to modify this setting: Sysadmin role

Setting: Exchange ActiveSync Server Settings
Why you use this setting: Configure the cloud service to block email access for devices that
are not enrolled. See “Enabling email quarantining” on page 185.
Role or rights needed to modify this setting: Device Management rights or Sysadmin role

Setting: Idle User Session Timeout
Why you use this setting: Enable a timeout and set the time period to log out inactive users
from Admin Portal and the Samsung SDS CellWe EMM user portal. See “Enabling automatic
log out from the Samsung SDS CellWe EMM user portal and Admin Portal” on page 195.
Role or rights needed to modify this setting: Sysadmin role

Setting: Licenses
Why you use this setting: View your Samsung KNOX licenses and add to them. See
“Managing your Samsung KNOX licenses” on page 194.
Role or rights needed to modify this setting: Sysadmin role

Setting: Login suffix
Why you use this setting: Create a list of the login suffixes (the name that follows @ in the
full user name) that users enter to log in to Admin Portal and the Samsung SDS CellWe
EMM user portal and enroll devices. Users that do not have a login suffix in this list cannot
log in to the portals or enroll a device. See “Using login suffixes” on page 195.
Role or rights needed to modify this setting: Sysadmin role
Customizing cloud service user interfaces
Setting
Why you use this setting
Role or rights needed to
modify these settings
Mobile Device
Management
Select whether you use Samsung cloud service for mobile
device management or single sign-on only.
Sysadmin role
If you select the Samsung cloud service for mobile device
management and you have devices that have the Universal
Mobile Device Management Client (UMC), you can also
enable a service that synchronizes the login suffixes you
create with the Samsung Enterprise Gateway.
See “Configuring mobile device management or single signon only” on page 205.
Provisioning
Run application user provisioning synchronization,
configure the provisioning report options, and specify daily
synchronizations.
Sysadmin role
See User provisioning overview in the Application
Configuration help for the details.
Customizing cloud service user interfaces
You use the Account Customization option to change the background color and images
displayed in your organization's Samsung SDS CellWe EMM user portal and Admin Portal
login prompts. In addition, you use this tab to specify the company name in your
organization's implementation of the Samsung SDS CellWe EMM clients and specify the
welcome screen text and company logo displayed when a user enrolls an iOS device.
You can restore the defaults for most options by clicking the Reset button. The exception is
the Account Name field—Reset does not change this field’s contents.
Note: The first time a user logs in to the user portal or Admin Portal, the default colors might
be displayed. However, as soon as they complete user authentication—and in each
subsequent login—the customized colors and images are displayed.
Chapter 11 • Configuring cloud service settings
The following properties are available for customizing:

General Options

Portal ribbon color
  Set the color for the narrow banner across the top of the login prompts. Enter the color’s hexadecimal color number or use the Select Color drop-down list to specify the color. Do not use RGB values to specify the color.

Login Image
  Change the image that appears in the login prompts. Click the Browse button to select the image file. The image size is 137 pixels wide by 35 pixels high. Admin Portal automatically scales the image you upload to these dimensions, using the height as the base property. If your image cannot be scaled down exactly to 137x35, Admin Portal crops the width to be consistent with the equivalent aspect ratio.

Portal Image
  Change the image in the user portal and Admin Portal banners. Click the Browse button to select the image file. The image size is 160 pixels wide by 36 pixels high. Admin Portal automatically scales the image you provide to these dimensions, using the height as the base property. If your image cannot be scaled down exactly to 160x36, Admin Portal crops the width to be consistent with the equivalent aspect ratio.

Device Enrollment options

Welcome Text
  Enter the text to display in the welcome screen when a user enrolls an iOS device. The text is only displayed in the iOS version of the Samsung SDS CellWe EMM client when the user enrolls the device. The Welcome Text is not used when users enroll an Android device.

Company Name
  Enter the name of your organization as you want it to appear on the Samsung SDS CellWe EMM client. The Account Name is displayed just above the user name in the application’s home screen.

Company logo
  Browse to and select the logo displayed on the welcome screen when the user enrolls an iOS device. Admin Portal automatically scales the image you provide to a square. If the image is not square, it crops the image from the left side, removing pixels from the right side. The company logo is not used when the user enrolls an Android device.

Email customization

Email
  Click the option to modify the letter sent for each communication with end users: MFA Challenge, Device Enrollment, Bulk User Import Report, Invite User, Invite User with OTP.

Company logo
  Browse to and select the logo displayed in the email messages.
Configuring the Cloud Manager and Samsung SDS CellWe EMM User Portal login screens
To configure the Admin Portal and the User Portal windows and portal login screens:
1 In Admin Portal, click Settings.
2 Click Account Customization.
3 Select the Portal Ribbon Color.
To select a specific color, enter the color’s hexadecimal color code. Do not enter the
color’s RGB value.
To use a pre-configured color, click the Select Color drop-down list and select the color.
4 Browse to and select the image file for the Login Image and click Open.
5 Browse to and select the image file for the Portal Image and click Open.
6 Set the company name displayed in the Samsung SDS CellWe EMM client home screens.
In the Company Name field, enter the name you want to appear.
7 Click Save to exit.
Configuring the device welcome and home screens
To configure the device’s welcome screen properties and home screen company name:
1 In Admin Portal, click Settings.
2 Click the Account Customization tab.
3 Enter the text that you want to appear in the welcome text in the Samsung SDS CellWe
EMM client when the user enrolls the device.
You can enter up to 2048 characters.
4 Fill in the Company Name field with the name you want displayed in the home screen
in the Samsung SDS CellWe EMM client.
5 Browse to and select the image file for the Company Logo and click Open.
6 Click Save to exit.
Customizing the email messages contents and logos
The cloud service uses email messages to simplify login and device enrollment for users. In
addition, it sends an email after you use bulk enrollment to indicate the results. You can
customize the wording and styles for all of these email messages.
To modify a message, scroll down to Email Customization and double-click the template.
The pop-up window has two tabs:
• Preview: Shows the message as it will appear to the reader.
• Script Editor: Contains the HTML tags and content. Use this tab to change the wording
and modify the text styles.
Click OK to save your changes.
Notes
• To restore the template to its original content, right-click the template and click Reset.
• Click the Browse button underneath Email Image to upload a logo or other image to
replace the <img src> in the template.
The templates are used for the following events:

MFA Challenge
  An email message sent to users when they log in to the user portal or Admin Portal when you enable authentication policy controls and select “Email Confirmation code” as one of the multifactor authentication options (see “Authentication - Setting authentication policy controls” on page 98). When users get this email, they click “here” to supply the second factor and complete the log in. Do not change href='{AuthLink}'.

Device Enrollment
  An SMS message sent to the user’s mobile phone number to help them enroll the device in the cloud service when you Invite users and select “Send SMS invites for device enrollment” (see “Sending invitations to users” on page 33). When users get this message on their phone, they click the link to download and install the Samsung SDS CellWe EMM client. Do not change {EnrollLink}.

Bulk User Import Report
  An email message sent after a bulk enroll that indicates how many accounts were created out of the total requested and lists the names from the file for whom accounts could not be created (see “Bulk import user accounts” on page 30). Do not change {CreatedUsers}, {TotalUsers}, or {FailedSummary}.

Invite User
  An email sent to the users you selected in the Invite users procedure to simplify logging in to the user portal (see “Sending invitations to users” on page 33).
  Note: This message is sent only to users who have an Active Directory/LDAP account.
  This message uses the user’s company account (that is, Active Directory/LDAP) credentials to authenticate the user. Do not change href='{LoginLink}'.

Invite User with OTP
  An email sent to the users you selected in the Invite users procedure to simplify logging in to the user portal (see “Sending invitations to users” on page 33). The user can also use this message to enroll a device.
  Note: This message is sent only to users who have a cloud service user service account.
  This message contains the user’s user service account name and uses it and a one-time passcode to authenticate the user. If the user chooses to enroll a device, the link takes them to the Add Device screen in the user portal.
  Do not change the following:
  • login name: {UserName}
  • href='{LoginLink}'
  • href='{UploadLink}'
Configuring cloud connectors
The Cloud Connectors tab lists the Samsung SDS CellWe EMM cloud connectors you have
installed. You right-click an entry to perform the following operations:
• Ping the cloud connector. This confirms that the Samsung SDS CellWe EMM User Suite
can communicate with the cloud connector.
• Enable and configure or disable the web server—see “Configuring the Web Server” on
page 182.
• Delete the cloud connector—see “Deleting a cloud connector” on page 184.
You also use this tab to initiate the procedure for adding a new cloud connector—see
“Adding a cloud connector” on page 184.
The columns indicate the following:
Cloud connector: The name of the computer.
Forest: The domain name for the domain controller to which the cloud connector is joined.
Version: The version of the cloud connector software. You can configure the cloud connector
to update automatically—see “Configuring the cloud connector to install updates
automatically” on page 259.
Last ping: The last time the cloud service successfully pinged the cloud connector.
Hostname: The DNS hostname. See “Configuring the Web Server” on page 182 to change this
name.
Status: Active indicates that the Samsung SDS CellWe EMM User Suite can communicate with
the cloud connector. Inactive indicates that the cloud service cannot communicate with the
cloud connector.
Configuring the Web Server
The Samsung cloud service supports the use of Integrated Windows authentication (IWA)
and Office 365 clients to provide silent authentication for Active Directory/LDAP users
when they log in to Admin Portal or the Samsung SDS CellWe EMM user portal. You can
enable and disable this feature by clicking on the cloud connector listing.
When “Web Server” is enabled (the default), the browser uses the current user's Active
Directory/LDAP information to prove its knowledge of the password through a
cryptographic exchange with the in-process web server built into the cloud
connector. If you reset “Web Server,” users cannot be authenticated by IWA or Office 365
clients.
Integrated Windows authentication may require additional configuration within some
browsers. See “Configuring browsers for silent authentication” on page 261 to see if your
browser requires additional configuration.
Note
To use Integrated Windows Authentication for silent authentication, users must specify
their login suffix in the portal URL in the following form:
• Admin Portal: https://cloud.samsungemm.com/manage?customerID=<suffix>
• Samsung SDS CellWe EMM user portal: https://cloud.samsungemm.com/my?customerID=<suffix>
where <suffix> is the login suffix you created for their account (see “Using login suffixes”
on page 195).
You can also set conditions for logging into these portals. For example, you can enable
access policy controls that require the user to be inside the corporate IP range to use
Integrated Windows authentication—see “Setting Integrated Windows authentication
(IWA)” on page 105. This section also describes how you can use an Integrated Windows
Authentication connection as a strong authentication factor in your access control policy.
To configure the cloud connector web server settings:
1 Open Admin Portal, click Settings, and click Cloud Connectors.
2 Double-click the cloud connector listing.
You can modify the following settings:

Enable web server
  The default value is Enabled. This setting supports Integrated Windows Authentication and Office clients. If you disable the web server, you cannot change the DNS Hostname, HTTP Port Number and HTTPS Port Number values.

DNS Hostname
  The default is the cloud connector’s host computer’s name.

HTTP Port Number
  The default port is 80. Port 80 is the standard port. If you change the port number to a non-standard number (for example, 111), Firefox and Chrome may require additional configuration because these browsers block some non-standard ports. Do not change the port number unless you know the implications.

HTTPS Port Number
  The default port is 8443. Port 8443 is the standard port. If you change the port number to a non-standard number, Firefox and Chrome may require additional configuration because these browsers block some non-standard ports. Do not change the port number unless you know about the implications.

Cloud connector Host Certificate
  The default is that no certificate for the cloud connector is loaded in the cloud service. Click Upload to upload a certificate created for the cloud connector into the cloud service. Click Download to download a cloud connector certificate you have previously uploaded. Click Download your IWA root CA certificate to save a copy of the certificate from the IWA root CA.
3 Click OK.
To disable Integrated Windows authentication and Office 365 clients:
1 Open Admin Portal, click Settings, and click Cloud Connectors.
2 Double-click the cloud connector listing.
3 Reset Enable Web Server. (After resetting, there should be no check mark in the box.)
4 Click OK.
Adding a cloud connector
You use the Cloud Connectors tab to download the Samsung SDS CellWe EMM Cloud
Management Suite package. You use the installation wizard in this package to install a
Samsung SDS CellWe EMM cloud connector. See “Installing Samsung SDS CellWe EMM
cloud connectors and administrator consoles” on page 208 for more about installing cloud
connectors.
Note: Your role must have the Register cloud connectors administrative right to download
the Samsung SDS CellWe EMM Cloud Management Suite package and register the cloud
connector.
To download the Samsung SDS CellWe EMM Cloud Management Suite package:
1 Open Admin Portal, click Settings, and then click Cloud Connectors.
2 Click Add cloud connector.
3 Click 64-bit to download the cloud connector package corresponding to the host
computer’s processor architecture.
4 Unzip the package and copy the installation wizard to the host computer.
Go to “Running the Samsung SDS CellWe EMM Cloud Management Suite installer” on
page 214 to run the wizard.
Deleting a cloud connector
You can delete an inactive cloud connector. You cannot delete an active cloud connector.
An inactive cloud connector is one that is offline. To take a cloud connector offline, open
the Samsung SDS CellWe EMM cloud connector configuration program on the computer,
click the cloud connector tab, and click Stop. When the cloud connector is offline, there is
no communication between it and the cloud service.
To delete a cloud connector, right click the listing and click Delete. Alternatively, you can
click the check box and click Delete. The cloud connector listing is removed from the
page.
Deleting a cloud connector removes the listing from the Admin Portal page. It does not,
however, uninstall the Samsung SDS CellWe EMM cloud connector software from the
computer. You can re-activate the cloud connector by re-registering it.
Adding LDAP as a Directory Service
LDAP communicates with the Samsung SDS CellWe EMM cloud connector over TLS/SSL
on port 636. As part of the client/server handshake between the cloud connector and the
LDAP server, the LDAP server must present the cloud connector with an X.509 certificate.
To establish a trust relationship between the cloud connector and the LDAP server, you
must install the CA certificate that issued the LDAP server’s Server Authentication
certificate on the machine running the cloud connector (specifically, the Local Computer
Trusted Root Certification Authorities certificate store).
To add LDAP for the cloud connector:
1 Log in to Admin Portal as a system administrator, click Settings, Directory Service,
Add LDAP.
2 Provide the required information.
• For the DNS Hostname, you must provide a fully qualified domain name.
• See “Using login suffixes” on page 195 for more information on login suffixes.
3 Click Connectors and select the cloud connector to use with this service or let the
LDAP server find an available cloud connector.
4 Click Save.
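The trust relationship described above can be set up and checked from the cloud connector host with the following PowerShell. This is an added example, not code from the CellWe EMM guide or from Samsung SDS: Install-LdapIssuerCa puts the CA certificate that issued the LDAP server’s certificate into the Local Computer Trusted Root Certification Authorities store (refusing a leaf certificate), and Test-LdapsTrust opens a TLS connection to port 636 and lets the default .NET chain validation decide whether the presented certificate chains to a trusted root and matches the fully qualified host name. The certificate path and host name are placeholders; run it from an elevated shell.

```powershell
# Added example (not part of the CellWe EMM guide). Placeholders: the .cer path
# and the LDAP host name in the usage lines at the bottom.

function Install-LdapIssuerCa {
    param([Parameter(Mandatory = $true)][string]$CerPath)
    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
    # Only a certificate marked as a CA belongs in the Root store; refuse a server (leaf) certificate.
    $isCa = @($ca.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] -and $_.CertificateAuthority
    }).Count -gt 0
    if (-not $isCa) { throw "$CerPath is not a CA certificate; it does not belong in the Root store." }
    # Local Computer > Trusted Root Certification Authorities, as the guide requires.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', 'LocalMachine'
    $store.Open('ReadWrite')
    try { $store.Add($ca) } finally { $store.Close() }
    return $ca.Thumbprint
}

function Test-LdapsTrust {
    param([Parameter(Mandatory = $true)][string]$HostName, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $HostName, $Port
    try {
        $stream = $tcp.GetStream()
        # No validation callback is supplied, so the machine's trusted roots decide the outcome.
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false
        try {
            # Throws an AuthenticationException if the chain is untrusted or the name does not match $HostName.
            $ssl.AuthenticateAsClient($HostName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
            New-Object PSObject -Property @{
                Subject  = $cert.Subject
                Issuer   = $cert.Issuer
                NotAfter = $cert.NotAfter
                Trusted  = $true
            }
        } finally { $ssl.Dispose() }
    } finally { $tcp.Close() }
}

# Usage (placeholders):
# Install-LdapIssuerCa -CerPath 'C:\certs\ldap-issuing-ca.cer'
# Test-LdapsTrust -HostName 'ldap.example.com'
```

Because Test-LdapsTrust passes the FQDN to AuthenticateAsClient, it fails for the same reasons the cloud connector would: an issuer missing from the Root store, an expired server certificate, or a DNS Hostname that does not match the certificate’s subject or subject alternative names. Fix the cause rather than adding a callback that ignores the error.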
Enabling email quarantining
You use the Exchange ActiveSync Server Settings option to enable automatic quarantining
of user accounts for iOS and Android devices when a device is not enrolled. While the
device is quarantined, its user has limited access to the Exchange server account’s email,
calendar, contacts, and Notes folders. When a device is enrolled, its user has full access to
the folders.
The cloud service uses the standard Quarantine and Allow List Exchange ActiveSync access
states to block access except to those who enroll their device. When the device is enrolled,
the cloud connector adds it to the Allowed List; when the device is unenrolled, the cloud
connector removes it from this list. If you are unfamiliar with the quarantine and allow
access states go to technet.microsoft.com for an introduction.
If you have multiple Exchange servers, you enable automatic quarantining on a server-by-server
basis. As soon as you enable this feature on a server, account access from all of the
mobile devices that use that Exchange server is blocked until users enroll their devices.
To specify an Exchange or Office365 server for quarantining:
1 Open Admin Portal, select Settings, click Exchange ActiveSync Server Settings,
and click the Add button.
2 Select either Exchange 2010 or Office365 as your server type.
Admin Portal displays the Exchange Server Creation dialog box.
3 Enter the host name (the URL for the Exchange Web Services endpoint for your server)
for the connection endpoint.
• For Exchange servers the connection endpoint has this form:
https://<exchange_server_name>/PowerShell
• For Office 365 the connection endpoint has this form:
https://ps.outlook.com/PowerShell
4 Select Use Basic Authentication if you enabled Basic Authentication rather than
Windows Authentication. (Office 365 always uses Basic Authentication.)
5 Enter the user name and password for an account that has permission to modify the
Exchange or Office 365 server settings.
6 Click OK.
To manually remove a quarantine from an account:
1 Log in to the computer on which you installed the Samsung SDS CellWe EMM cloud
connector.
2 Find the device ID of the quarantined device.
The device ID is generated by the mail client (for example, iOS Mail or Touchdown).
You unblock a device by adding its device ID to a list of devices that are not quarantined.
The following PowerShell command retrieves the device ID:
Get-ActiveSyncDeviceStatistics -Mailbox <username> | Where-Object {$_.DeviceAccessState -eq 'Quarantined'} | Select-Object DeviceID
3 Add the device ID to the list of devices that are allowed access.
Admin Portal quarantines all devices when you enable blocking except for those devices
identified in -ActiveSyncAllowedDeviceIDs. Use the following PowerShell command to
update the list:
Set-CASMailbox -Identity <username> -ActiveSyncAllowedDeviceIDs <device IDs>
To specify multiple devices, separate each device ID with a comma.
To re-enable blocking, update the list again but remove the device ID.
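The manual unblock procedure above, wrapped into reusable functions as an added example (not code from the CellWe EMM guide or from Samsung SDS). It assumes an Exchange 2010 SP1 or later Management Shell session on the cloud connector host; the mailbox name and device ID in the usage lines are placeholders. The one thing it does differently from the two commands in the guide is to add and remove individual IDs with the @{Add=...} and @{Remove=...} hashtable form, so an administrator unblocking one device does not overwrite the IDs already on the mailbox’s allow list.

```powershell
# Added example (not part of the CellWe EMM guide). Placeholders: 'jdoe' and
# the device ID in the usage lines at the bottom.

function Get-QuarantinedDeviceId {
    param([Parameter(Mandatory = $true)][string]$Mailbox)
    # Same query as step 2 of the guide, returning only the DeviceID strings.
    Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox |
        Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
        Select-Object -ExpandProperty DeviceID
}

function Grant-ActiveSyncDevice {
    param([Parameter(Mandatory = $true)][string]$Mailbox,
          [Parameter(Mandatory = $true)][string]$DeviceId)
    # ActiveSyncAllowedDeviceIDs is a multi-valued property. @{Add=...} appends to it;
    # passing a plain list (as in the guide) replaces the whole list, which would
    # silently re-quarantine every other device that had been allowed before.
    Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs @{Add = $DeviceId}
}

function Revoke-ActiveSyncDevice {
    param([Parameter(Mandatory = $true)][string]$Mailbox,
          [Parameter(Mandatory = $true)][string]$DeviceId)
    # Removing the ID returns the device to the server's default access state
    # (Quarantined while blocking is enabled), which is how blocking is re-enabled.
    Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs @{Remove = $DeviceId}
}

function Get-AllowedDeviceId {
    param([Parameter(Mandatory = $true)][string]$Mailbox)
    # Read the allow list back so the change can be confirmed and recorded.
    Get-CASMailbox -Identity $Mailbox |
        Select-Object -ExpandProperty ActiveSyncAllowedDeviceIDs
}

# Usage (placeholders):
# Get-QuarantinedDeviceId -Mailbox 'jdoe'
# Grant-ActiveSyncDevice  -Mailbox 'jdoe' -DeviceId 'ApplABC123DEF456'
# Get-AllowedDeviceId     -Mailbox 'jdoe'
# Revoke-ActiveSyncDevice -Mailbox 'jdoe' -DeviceId 'ApplABC123DEF456'
```

The allow list is a per-mailbox setting, so the same device remains quarantined for any other mailbox it syncs; confirm the outcome with Get-AllowedDeviceId before telling the user the device is unblocked, and record which device IDs were allowed manually, since those devices bypass the enrollment check that quarantining exists to enforce.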
Note: This procedure is required for Exchange Servers only if you want to use the account
quarantining feature. Quarantining blocks user access to the email account when the device
is not enrolled in the Samsung cloud service. See “Enabling email quarantining” on page 185
for the details. Skip this procedure if you do not plan to enable quarantining.
Blocking is available to Exchange 2010 and Office 365 servers. It is not available to
Exchange 2007 servers. Exchange 2010 servers must have SP1 installed.
You must enable Remote PowerShell on the Exchange or Office 365 server. After you
enable Remote PowerShell, the Exchange server creates an Internet Information Services
(IIS) application named PowerShell. You need to enable an authentication method for this
application. (By default no authentication method is selected.) Use the following procedure
to enable an authentication method for the PowerShell application.
To enable the authentication method for the PowerShell application:
1 Start IIS Manager.
2 On the left pane, select Site > Default Web Site > PowerShell.
3 On the right pane, select IIS > Authentication, right-click, and select Open Feature.
4 Select either Windows Authentication or Basic Authentication, right-click, and
select Enable.
If you select Basic Authentication, be sure to select the check box when you enable the
Exchange server in the Cloud Manager settings.
5 Back up your original settings. In this case, you would use a PowerShell script to extract
the original settings.
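The same procedure done from PowerShell, as an added example that is not code from the CellWe EMM guide or from Samsung SDS. It exports the current authentication settings of the IIS “PowerShell” application to a file (step 5) before enabling the chosen method (step 4), and can restore them from that file. It assumes the WebAdministration module that ships with IIS 7 and later on the Exchange server, PowerShell 3.0 or later for ConvertTo-Json, and an elevated shell; the backup file path is a placeholder.

```powershell
# Added example (not part of the CellWe EMM guide). Placeholder: the backup path
# in the usage lines at the bottom.
Import-Module WebAdministration

$Location = 'Default Web Site/PowerShell'              # the application Remote PowerShell creates
$AuthPath = 'system.webServer/security/authentication'
$Methods  = @('anonymousAuthentication', 'basicAuthentication', 'windowsAuthentication')

function Export-PowerShellAppAuth {
    param([Parameter(Mandatory = $true)][string]$BackupPath)
    # Step 5 of the guide: capture the enabled/disabled state of every method first.
    $state = @{}
    foreach ($m in $Methods) {
        $state[$m] = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
                          -Filter "$AuthPath/$m" -Name enabled).Value
    }
    $state | ConvertTo-Json | Set-Content -Path $BackupPath
    return $state
}

function Enable-PowerShellAppAuth {
    param([Parameter(Mandatory = $true)]
          [ValidateSet('basicAuthentication', 'windowsAuthentication')]
          [string]$Method)
    # Equivalent to Authentication > Enable in IIS Manager, scoped to this application only.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter "$AuthPath/$Method" -Name enabled -Value $true
}

function Restore-PowerShellAppAuth {
    param([Parameter(Mandatory = $true)][string]$BackupPath)
    # Roll back to the exported state if the change has to be undone.
    $state = Get-Content -Path $BackupPath -Raw | ConvertFrom-Json
    foreach ($m in $Methods) {
        Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
            -Filter "$AuthPath/$m" -Name enabled -Value ([bool]$state.$m)
    }
}

# Usage (placeholder path):
# Export-PowerShellAppAuth -BackupPath 'C:\Backup\powershell-app-auth.json'
# Enable-PowerShellAppAuth -Method windowsAuthentication
```

Basic Authentication sends the account password base64-encoded on every request, so it is acceptable only because the connection endpoint in the guide is an https:// URL; if you choose it, keep the endpoint on HTTPS and select Use Basic Authentication on the cloud service side, as the guide says. Windows Authentication never sends the password itself and is the safer choice where the cloud connector can use it.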
Preparing iOS devices for mass deployment
You use the Apple Configurator option to preconfigure iOS devices with a base security
policy before you distribute them to your users.The Apple Configuration page provides a
wizard which builds iOS profiles that contain the base security policy settings and stores
them in a zip file. You then import the zip file into Apple Configurator to install the profiles
in the devices. During the profile installation process, the devices are also enrolled in the
cloud service.
See Apple Configurator Help for more information about this program.
Note: This feature is available with a Premium or EMM license only. If you do not have either
license, you cannot download the iOS device profile. If the license expires before the user
personalizes a bulk-enrolled device, an error message is displayed to the user indicating that
the license requirements have not been met.
When the user enrolls the device, the cloud service installs additional profiles which contain
the remainder of the policy settings for the device. If the user logs out of the cloud service,
the additional policy profiles are removed and only the base security policy profiles remain
in place.
You create the full mobile device policy for the iOS devices before you use this wizard. You
can use either the Active Directory Group Policy Object Editor to create a group policy
object or Admin Portal to create a policy set. Which tool you use depends upon whether
you use Active Directory or Samsung SDS CellWe EMM policy service to define the mobile
device policies (see “Selecting the policy service for device policy management” on page
201). See “Common Mobile Settings” on page 228, “iOS Settings” on page 231, and
“Additional iOS Settings” on page 235 for a summary of the mobile device policies for iOS
devices. The cloud service creates multiple profiles to install the full set of policies in the
device. The profiles are listed in the device’s Settings > General > Profiles screen.
The Apple Configurator wizard builds the base security policy profiles from the passcode
and restrictions policies from the group policy object or policy set you created. In addition,
the base security policy profiles contain the wi-fi profiles you created in the Common
Mobile Settings, excluding any WEP or WPA/WPA2 Enterprise profiles.
Notes
• Preconfiguring iOS devices is a Samsung cloud service licensed feature. However, preconfiguring is also available for 30 days after receiving your customer ID during your
Samsung SDS CellWe EMM User Suite evaluation period. If your license expires, you
can no longer pre-configure iOS devices for bulk enrollment.
• When you receive preconfigured devices back from users, instruct them to click the
Logout button on the Settings screen in the Samsung SDS CellWe EMM client. This
removes the additional policy profiles installed when the user logged in. This process
leaves the base security policy profiles installed using Apple Configurator in place.
The wizard’s user interface is different for Active Directory and Samsung SDS CellWe
EMM user service directory services. The interface displayed depends upon whether you
selected “Active Directory group policy” or “Samsung SDS CellWe EMM policy service” on
the Device Policy Management page on the Settings page in Admin Portal (see “Selecting
the policy service for device policy management” on page 201).
Download profiles from a group policy object
You use this procedure only if you are using Active Directory group policy for device policy
management (see “Selecting the policy service for device policy management” on page 201)
This procedure installs the base security policy profiles in the iOS devices from the group
policy object linked to an organizational unit. Before you begin the procedure, do the
following:
• Create an Active Directory organizational unit for these devices.
• Create the group policy object for these devices and link it to the organizational unit you
created for these iOS devices.
• Specify the organizational unit when you configure the device enrollment settings in the
policy set for the iOS device users—see “Device Enrollment Settings - Enabling users to
enroll devices” on page 96.
To install the base security policy profiles:
1 Open Admin Portal and click Settings.
2 Click Apple Configurator.
3 In Step 1, select the organizational unit associated with the policy set for the role with the
accounts for the users who will be enrolling the devices.
The drop-down list contains only the organizational units you have specified in the
device enrollment settings.
4 Perform Step 2.
Click Download to create and download the file mass_enrollment.zip containing the
base security policy settings.
5 Unpack mass_enrollment.zip and transfer the files to a location from which you can
import them into Apple Configurator.
6 Perform Step 3.
Follow the Apple Configurator instructions to import the files and then use the Apple
Configurator Prepare function to install the profiles in the devices.
After the profiles have been installed, each device initiates contact with the cloud service
to enroll the devices. When enrollment completes, the device is listed in the Active
Directory organizational unit you selected and on the Devices page in Admin Portal. The
computer object name in the Active Directory listing contains “companyOwned.”
7 When you hand over the devices, instruct the users to install the Samsung SDS CellWe
EMM client and log in to the cloud service to install the additional profiles with the
remaining policy settings.
Download profiles from a Samsung SDS CellWe EMM policy
service policy set
The following procedure installs the base security policy profiles in the iOS devices from
the policy sets assigned to one or more roles. Before you begin the procedure, do the
following:
• Create roles for all the users who will be enrolling these iOS devices and add the user
accounts to the roles.
• Create one or more policy sets for these devices.
• Apply the policy set(s) to the role(s).
To install the base security policy:
1 Open Admin Portal and click Settings.
2 Click Apple Configurator.
3 In Step 1, select the role or roles that contain the accounts for the users who will be
enrolling the devices.
4 Perform Step 2.
Click Download to create and download the zip file mass_enrollment.zip
containing the base security policy settings.
5 Unpack mass_enrollment.zip and transfer the files to a location from which you can
import them into Apple Configurator.
6 Perform Step 3.
Follow the Apple Configurator instructions to import the files and then use the Apple
Configurator Prepare function to install the profiles in the devices.
After the profiles have been installed, each device initiates contact with the cloud service
to enroll the devices. When enrollment completes, the device is listed on the Devices
page in Admin Portal.
7 When you hand over the devices, instruct the users to install the Samsung SDS CellWe
EMM client and log in to the cloud service to install the additional profiles with the
remaining policy settings.
Generating an APNS certificate
For the Samsung cloud service to communicate securely with Apple iOS devices, both the
Samsung cloud service and the devices and computers need a trusted SSL certificate that is
signed by both Samsung cloud service and Apple certification authorities. This certificate is
called an Apple Push Notification Service (APNS) certificate. This section describes how to get
this certificate and upload it to the Samsung cloud service.
What to do before creating or updating an APNS certificate
To get your APNS certificate you need to have the following:
• The proper Admin Portal permissions. Only the users who are authorized to manage
enrolled devices can create or update APNS certificates. This includes administrators in
the sysadmin role and roles that can manage devices.
• An Internet connection.
• An iTunes App Store Apple ID that can be used to obtain updated APNS certificates
from Apple. You need to use this same Apple ID in the future to renew your APNS
certificate. It might make future updates simplest if you create a generic Apple ID to use
solely for APNS certificate creation.
Cloud Manager user’s guide
190

How often you should create an APNS certificate
You need to create an APNS certificate once before users start enrolling devices. After that, you need to renew it every year. You do not need to re-enroll devices after renewing an APNS certificate: a renewal issued under the same Apple ID keeps the certificate's push topic, so existing enrollments keep working. Creating a new certificate instead of renewing (for example under a different Apple ID) produces a different push topic, and devices enrolled under the old certificate have to be re-enrolled. The expiration date for the APNS certificate you are using is listed at the top of the page.
You can find more information about APNS certificates on Apple's website:
http://www.apple.com/iphone/business/integration/mdm/
What happens when the APNS certificate expires
If the APNS certificate expires, users can no longer enroll devices. In addition, the services available to enrolled iOS devices are limited as follows:
- Users and administrators cannot send commands to the devices from the user portal and Admin Portal.
- Administrators cannot install native applications.
Initially, enrolled devices remain enrolled and Status in the user portal and Admin Portal shows Enrolled. In addition, users can open the Samsung SDS CellWe EMM client and launch the web applications with silent authentication. However, at the end of the 'Mark unresponsive devices as "Unreachable" threshold' (see "Device Management Settings - Monitoring enrolled devices" on page 95) the status changes to Unreachable, and the user can no longer open the Samsung SDS CellWe EMM client. The default threshold is 14 days. Renew before the expiration date: expiry stops push-based management outright rather than degrading it.
Creating an APNS certificate
You use Admin Portal to generate and download the Certificate Signing Request file, and
then upload that file to the Apple Push Certificates Portal. Apple generates the completed
APNS certificate, which you then upload to Admin Portal.
The following figure illustrates the procedure.
To create or update your APNS certificate for iOS devices:
1 In Admin Portal, click Settings.
2 Click APNS Certificate.
If you haven’t yet uploaded an APNS certificate to the cloud service, the expiration date
at the top of the page appears as unconfigured.
3 Click Generate Request to create the Certificate Signing Request (CSR) file.
Admin Portal downloads the CSR file—mdm_csr.pem—to your system. Depending on
your web browser’s settings, your web browser may automatically save the file in a
predetermined location or it may prompt you to save the file.
4 Create the APNS certificate:
a Click the link to https://identity.apple.com/pushcert and log in to your Apple iTunes App Store account. This opens the Apple Push Certificates Portal. This page contains all of the APNS certificates you have created under this account.
b Click Create a Certificate.
c Read and accept the terms and conditions.
d Click Choose File to select the Certificate Signing Request (mdm_csr.pem) file
just generated and then Upload to import the file into the Apple Push Certificates
Portal.
e Click Download. Depending on your web browser's settings, your web browser may automatically save the file in a predetermined location or it may prompt you to save the file. The certificate created by Apple is named MDM_Samsung Electronics Co., Ltd._Certificate.pem.
5 Click Upload Apple Response and select the APNS certificate just downloaded.
Renewing an APNS Certificate
The expiration date for an APNS certificate is shown at the top of the page. You can renew
it any time before the expiration. The new certificate is valid for one year from the date of
renewal.
To renew an APNS certificate:
1 In Admin Portal, click Settings.
2 Click APNS Certificate.
Make note of the certificate’s expiration date. You will need this date when you renew
the certificate on the Apple Push Certificates Portal.
3 Click Generate Request to create the Certificate Signing Request (CSR) file.
Admin Portal downloads the CSR file—mdm_csr.pem—to your system. Depending on
your web browser’s settings, your web browser may automatically save the file in a
predetermined location or it may prompt you to save the file.
4 Click the link to https://identity.apple.com/pushcert and log in to your Apple iTunes App Store account.
This opens the Apple Push Certificates Portal. This page contains all of the APNS certificates you have created under this account.
5 Click Renew for the certificate with the expiration date that matches the date on the
APNS Certificates page in Admin Portal.
6 Click Choose File to select the Certificate Signing Request (mdm_csr.pem) file just
generated and then Upload to import the file into the Apple Push Certificates Portal.
7 Click Download. Depending on your web browser’s settings, your web browser may
automatically save the file in a predetermined location or it may prompt you to save the
file. The certificate created by Apple is named
MDM_Samsung Electronics Co., Ltd._Certificate.pem.
8 Click Upload Apple Response and select the APNS certificate just downloaded.
The Current Expiration Date at the top of the page should show the new date.
Managing your Samsung KNOX licenses
The License page contains all of the Samsung KNOX licenses you have purchased. The
columns contain the license key, the date the license was issued, the date it expires, the total
licenses purchased, the number of licenses in use (Activations), and the current state of the
license key.
The license states are dependent upon the type of license:
- Active: License is validated with the license server and available.
- De-active: License is valid but has been suspended. Registration on a new device is not allowed.
- Expired: The contract has expired on the KNOX License Management (KLM) server. Registration on a new device is not allowed.
- None: Registration on a new device is not allowed.
- Terminated: License period has expired and the license is no longer available. Registration on a new device is not allowed.
- Valid: Registration on a new device is allowed.
The licenses you purchase affect which mobile device policies are available to you. See
“Understanding licensing” on page 228 for an overview.
The cloud service posts a message when you log in to Admin Portal that indicates if you have any licenses that will be expiring in the next 10 days or have expired.
Note: The license purchases you make in the Marketplace are immediately reflected on the Licenses page. However, licenses you purchase by other means must be entered manually.
To purchase a license from the Marketplace:
1 Open Admin Portal and click Settings.
2 Under Settings, click Licenses.
3 Click Get more licenses.
This button is a link to the Marketplace. Licenses you purchase from the Marketplace are
immediately added to this page.
To add a Samsung KNOX license key purchased from outside the Marketplace:
1 Open Admin Portal and click Settings.
2 Under Settings, click Licenses.
3 Click Add.
4 Enter the license key and click Add License.
The cloud service validates your license key.
Enabling automatic log out from the Samsung SDS CellWe
EMM user portal and Admin Portal
You can automatically log out users from Admin Portal or the user portal after a period of
inactivity. You enable this policy using the Idle User Session Timeout tab and then set the
inactivity time period. The default is five minutes.
This policy has no effect on mobile device users.
To enable automatic user log out:
1 Open Admin Portal and click Settings.
2 Click Idle User Session Timeout.
3 Select “Automatically log out idle users.”
4 Enter the time period.
5 Click Save Changes.
Using login suffixes
The login suffix is that part of the login name that follows @. For example, if the login name is <username>@acme.com, the login suffix is "acme.com." The login suffix tells the cloud service which ID repository holds the user's account when the user logs in to the cloud service portals or enrolls a device. If the login suffix is not listed on this page, the user cannot be authenticated.
Normally, the Samsung cloud service automatically creates a default login suffix for your organization based on the login suffix in the work email account entered in the Samsung cloud service sign-up form. However, if that login suffix is already in use, the cloud service appends a one- or two-digit number to the end. For example, if the email address entered when the cloud service account was created had the login suffix acme.com but "acme.com" was already used by another organization, the cloud service would create the login suffix acme.com.4.
You can create more login suffixes for Samsung SDS CellWe EMM user service accounts. You assign a login suffix to a new user service account when you create the account.
If you are using an Active Directory domain as an ID repository, the cloud service adds the following login suffixes when the cloud connector is installed:
- The login suffix in the installer's account name. This allows the administrator to log in to Admin Portal right after installing the cloud connector.
  Note: If the login suffix in the cloud connector installer's account is already in use in the Samsung cloud service, an error message is displayed and you cannot use that domain name as a login suffix. (This occurs rarely but can happen.) Contact support if this happens to your account.
- The domain name of the domain controller to which the host computer for the cloud connector is joined.
- If that domain controller is part of a tree or forest, a login suffix for each of the other domains in the tree or forest that the cloud service can locate.
If you have users with Active Directory accounts in domains in a tree or forest that was not found, or users who log in with their Office 365 account, you must add those login suffixes before these users can log in to Admin Portal or the Samsung SDS CellWe EMM user portal or enroll a device.
You can also create an alias for an Active Directory domain name. You would use an alias
to simplify login for users with a long or complicated Active Directory login suffix. See
“Creating an alias for long Active Directory domain names” on page 197 for the details.
You cannot create an alias for Samsung SDS CellWe EMM user service login suffixes.
Click Login Suffix on the Settings page in Admin Portal to see your organization’s login
suffixes.
Creating a login suffix
You can create as many login suffixes as you want for Samsung SDS CellWe EMM user service accounts. The login suffix can be composed of any UTF-8 letters and digits plus the symbols + (plus), - (dash), _ (underscore), and . (period). You can, but are not bound to, use the form label.label for your login suffixes; a login suffix can also be a single label, for example ABCCorp.
Login suffixes must be unique in the Samsung cloud service (not just within your cloud
service account). If you enter a login suffix that is already in use, you get an error message.
You can select any login suffix when you create new user service accounts.
To create a login suffix:
1 Open Admin Portal and click Settings.
2 Click Login Suffix.
3 Click Add.
4 Enter the suffix in the text box and click Save.
Deleting a login suffix
You cannot delete a login suffix that has any user accounts. Admin Portal displays an error
message if you try to delete a login suffix that still has user accounts. To delete a login
suffix, remove all of its user accounts.
Modifying a login suffix
You can rename a login suffix. If you do, the accounts that had the original login suffix are
automatically updated to the new one. Be sure to notify the users affected that they have a
new login suffix. They will not be able to log in using the original suffix.
To modify a login suffix:
1 Open Admin Portal and click Settings.
2 Click Login Suffix.
3 Right-click the login suffix and click Modify.
4 Make your changes in the text box and click Save.
Creating an alias for long Active Directory domain names
Best practice dictates that you use a login suffix for Active Directory users that they are
already using. For example, if they’re using your organization’s domain name to open their
email account, it would help them remember their cloud service user name if you used the
same login suffix.
However, this is not a requirement. For example, if you have a long or complex Active
Directory domain name, you can create a mapped login suffix for Active Directory accounts
using the Advanced option. For example, if your login suffix is abc.bigcorp.com, you
could define another login suffix, such as “abc.” A user could then log in to the user portal
using just <username>@abc.
To map an Active Directory login suffix:
1 Open Admin Portal and click Settings.
2 Click Login Suffix.
3 Click Add.
4 Enter the alias in the Login suffix text box.
5 Expand Advanced.
6 Clear the Keep Login Suffix and Mapped Suffix the same checkbox.
7 Backspace over the login suffix in the text box below the checkbox and enter the Active
Directory domain name.
8 Click Save.
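The suffix rules from the sections above (the suffix is what follows the last @, the allowed character set, uniqueness across the service, an alias mapped to an Active Directory domain, and an unregistered suffix meaning the user cannot be authenticated) collected into one routing routine. This is an added example, not code from CellWe EMM or this guide. It assumes suffixes are matched case-insensitively and uses an in-memory table in place of the Login Suffix page; acme.com.4, abc and abc.bigcorp.com are the guide's own example names, and jdoe is a constructed user.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// SuffixValid applies the character rule for cloud login suffixes: UTF-8 letters
// and digits plus '+', '-', '_' and '.', and at least one character.
func SuffixValid(suffix string) bool {
	if suffix == "" {
		return false
	}
	for _, r := range suffix {
		switch {
		case unicode.IsLetter(r), unicode.IsDigit(r):
		case r == '+', r == '-', r == '_', r == '.':
		default:
			return false
		}
	}
	return true
}

// SplitLogin separates a login name into user and login suffix; the suffix is
// everything after the last '@'. A name with no suffix cannot be routed at all.
func SplitLogin(login string) (user, suffix string, err error) {
	i := strings.LastIndex(login, "@")
	if i <= 0 || i == len(login)-1 {
		return "", "", fmt.Errorf("login %q has no login suffix", login)
	}
	return login[:i], login[i+1:], nil
}

// Repository is the ID repository a login suffix points at.
type Repository struct {
	Kind   string // "cloud" (CellWe EMM user service) or "ad" (Active Directory)
	Domain string // for "ad": the AD domain the suffix is mapped to; empty for cloud
}

// SuffixTable stands in for the tenant's Login Suffix page (assumption: suffixes
// are matched case-insensitively; the guide does not state the portal's rule).
type SuffixTable struct{ entries map[string]Repository }

func NewSuffixTable() *SuffixTable { return &SuffixTable{entries: map[string]Repository{}} }

// AddCloudSuffix registers a suffix for cloud user-service accounts.
func (t *SuffixTable) AddCloudSuffix(suffix string) error {
	return t.add(suffix, Repository{Kind: "cloud"})
}

// AddADSuffix registers an Active Directory suffix. alias is what users type after
// '@' (the guide's "abc"); domain is the mapped AD domain ("abc.bigcorp.com").
// Pass the same string twice when the login suffix and mapped suffix are kept equal.
func (t *SuffixTable) AddADSuffix(alias, domain string) error {
	return t.add(alias, Repository{Kind: "ad", Domain: strings.ToLower(domain)})
}

// add enforces the character rule and the "already in use" uniqueness rule.
func (t *SuffixTable) add(suffix string, r Repository) error {
	if !SuffixValid(suffix) {
		return fmt.Errorf("login suffix %q contains disallowed characters", suffix)
	}
	key := strings.ToLower(suffix)
	if _, dup := t.entries[key]; dup {
		return fmt.Errorf("login suffix %q is already in use", suffix)
	}
	t.entries[key] = r
	return nil
}

// Resolve returns the user part and the repository that must authenticate the
// login. An unregistered suffix is the "user cannot be authenticated" case.
func (t *SuffixTable) Resolve(login string) (user string, repo Repository, err error) {
	user, suffix, err := SplitLogin(login)
	if err != nil {
		return "", Repository{}, err
	}
	repo, ok := t.entries[strings.ToLower(suffix)]
	if !ok {
		return "", Repository{}, errors.New("login suffix " + suffix + " is not registered; user cannot be authenticated")
	}
	return user, repo, nil
}

func main() {
	t := NewSuffixTable()
	_ = t.AddCloudSuffix("acme.com.4")
	_ = t.AddADSuffix("abc.bigcorp.com", "abc.bigcorp.com")
	_ = t.AddADSuffix("abc", "abc.bigcorp.com") // the alias case from the section above
	for _, login := range []string{"jdoe@acme.com.4", "jdoe@abc", "jdoe@example.net", "jdoe"} {
		user, repo, err := t.Resolve(login)
		fmt.Printf("%-18s user=%q repo=%+v err=%v\n", login, user, repo, err)
	}
}
```

Renaming a suffix (the "Modifying a login suffix" case) is a key change in the table with the accounts following it, which is why users must be told: the old key no longer resolves and the login fails exactly like an unregistered suffix.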
Linking to the Apple Device Enrollment Program
You use this setting to link the Samsung cloud service as an MDM server in the Apple
Device Enrollment Program, upload the Samsung cloud service token, and define the initial
profile configuration settings. The Device Enrollment Program is an Apple Deployment
Program that helps businesses and education institutions easily deploy and manage iPad and
iPhone devices.
Note: This feature is available to users with KNOX Premium or EMM licenses only. If you do not have either license, this option is not displayed on the Settings page. If the license expires before the user enrolls the device, DEP enrollment does not complete and an error is entered in the log that the KNOX Premium or EMM license requirement has not been met.
When you use the Device Enrollment Program, an initial profile is installed by the Apple
Device Enrollment Program server in assigned devices as soon as the device has a network
connection. You use the Apple DEP Configuration page in Admin Portal to define the initial
profile’s configuration settings, including the device enrollment options, your user support
phone number, and the device setup items the user must complete when they first receive
the device. Depending upon which enrollment options you select, the Samsung SDS
CellWe EMM client can be automatically installed on the device. Thus, users don’t need to
install it from the Apple App Store.
If you plan to use the Apple Device Enrollment program, you need to enroll your
organization first. Go to https://deploy.apple.com to learn about the program and to
enroll your organization. Return to this section after you have completed enrollment,
reviewed the restrictions, and configured your account.
Linking to the Apple Device Enrollment Program is a two-part process once you have opened the Apple DEP Configuration page on the Settings page in Admin Portal:
- Creating a link between the Samsung cloud service and the Apple Device Enrollment Program. In this step you create a service token for the Samsung cloud service and upload it to Admin Portal.
- Configuring the initial profile. These options and properties are displayed on this page after you successfully upload the service token.
The profile is installed only in the devices that are assigned to the Apple Device Enrollment program.
This profile does not replace the profiles that are installed by the Samsung SDS CellWe EMM client after the user enrolls the device in the Samsung cloud service. The profile you define in this procedure just controls the user's device set up options.
Note: As a rule of thumb, you should wait 24 hours after you assign the device before giving it to the user to enroll.
To create the link to the Apple Device Enrollment program:
1 Open Admin Portal and click Settings.
2 Click Apple DEP Configuration.
3 Generate a public key.
Click Download to generate the public key. In most browsers, this file is written to
your Downloads folder.
4 Log in to your Apple Device Enrollment Program account at https://deploy.apple.com.
Click the link and enter your user name and password.
5 Create the server token file.
In your Apple Device Enrollment Program screen, click Add an MDM server and specify the file with the public key you just created.
The server token file is downloaded by your browser. In most browsers, this file is written to your Downloads folder. The token is encrypted to the public key you downloaded in step 3 and authorizes the cloud service to act as this MDM server in your DEP account, so handle it as a credential: upload it in the next step, then delete the local copy rather than leaving it in Downloads or sending it by email.
6 In Admin Portal, upload the server token file.
Click Upload and specify the file just downloaded.
Once the file has been uploaded, the Apple DEP Configuration page expands to add the
Configuration settings.
To configure the initial profile:
1 Enter the profile name.
2 Select the Device enrollment options.
Minimally, you should select Make device supervised and Require device enrollment. When you select these options, users can enroll with their Active Directory/LDAP or Samsung SDS CellWe EMM user service user name and password, and the Samsung SDS CellWe EMM client and Company Apps applications are installed automatically on the device. (Otherwise, the user would have to install the Samsung SDS CellWe EMM client from the Apple App Store.) Supervision can only be set during this initial setup; a device that completes setup unsupervised must be erased and set up again to become supervised.
3 Enter the Customer support phone number.
This is the number for your IT or Help department that you want your users to call if they
have a problem or are confused while enrolling the device.
4 Enter a Department or location.
5 Select which setup items to skip when the user enrolls the device.
By default, the user is prompted for all of the setup items. Check the items you do not require.
6 Click Save.
Setting Corporate IP ranges
You use the Corporate IP Range feature to define the IP address ranges that identify connections from your internal network. The cloud service sees the public (external) address of a connection, so the ranges you enter are the external addresses your network egresses through; Admin Portal shows the address it currently sees for you when you add a range. Connections that are made from inside the corporate IP range have the following privileges:
- Active Directory users can log in to Admin Portal and the Samsung SDS CellWe EMM user portal with silent authentication. (This requires Integrated Windows authentication; see "Configuring cloud connectors" on page 181.)
- If you enable authentication policy controls, these users can be exempt from the additional authentication requirements. (See "Authentication - Setting authentication policy controls" on page 98 for the details.)
Because the match is on the source address the cloud service observes, anything that reaches it through the same NAT gateway or proxy as your users (guest wi-fi, a remote VPN client, a compromised host) is inside the range too. Keep the ranges as narrow as you can and treat the exemption as a convenience for known networks, not as an authentication factor.
There are two cloud service features that look to the Corporate IP range, and they treat an empty range list in opposite ways:
- Silent authentication for Admin Portal and user portal logins: If the computer's address is outside the IP range you specify here, Active Directory users are prompted to enter their credentials. This feature is not available to users with cloud accounts. If you do not specify a range, all IP addresses are treated as possibly inside your network. This feature uses Integrated Windows authentication. See "Configuring cloud connectors" on page 181 for more about Integrated Windows authentication.
- Multifactor login authentication: Users logging in to the portals from computers with an address that is outside the IP range are prompted to provide an additional authentication factor.
  Note: If you do not specify an IP range, all IP addresses are treated as outside your network and all users, including those users within your network, are prompted for an additional authentication factor.
See "Authentication - Setting authentication policy controls" on page 98 for the details on multifactor authentication.
To specify external IP addresses for silent authentication and access control:
1 Open Admin Portal and click Settings.
2 Click Corporate IP Range.
3 Click the Add button.
4 Enter an IP address or a range of addresses in the form <network>/<subnet mask>, for example 203.0.113.0/24.
Admin Portal shows your current external IP address under the text box; this is the address the cloud service sees for your own connection, which is a quick check that you are entering the external range and not an internal one.
5 Click OK.
Repeat to specify additional addresses or ranges.
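The two empty-list defaults above are easy to get backwards, so here is the decision logic as an added example (not the cloud service's own code): the ranges are parsed from the entry format of the Corporate IP Range text box, the connecting address is normalised, and the two consumers apply their opposite defaults. It assumes ranges are entered as CIDR prefixes (203.0.113.0/24) and that the address being tested is the source address the cloud service observes; all addresses are constructed from documentation ranges.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// CorporateRanges is the parsed Corporate IP Range list from Settings.
type CorporateRanges struct {
	prefixes []netip.Prefix
}

// ParseCorporateRanges accepts the two entry forms of the Admin Portal text box
// (assumed here to be CIDR): a single address ("198.51.100.7") or
// <network>/<prefix length> ("203.0.113.0/24"). Host bits in a range are masked
// off, so "203.0.113.9/24" means the whole 203.0.113.0/24 network.
func ParseCorporateRanges(entries []string) (*CorporateRanges, error) {
	cr := &CorporateRanges{}
	for _, e := range entries {
		e = strings.TrimSpace(e)
		if e == "" {
			continue
		}
		var p netip.Prefix
		if strings.Contains(e, "/") {
			parsed, err := netip.ParsePrefix(e)
			if err != nil {
				return nil, fmt.Errorf("corporate IP range %q: %w", e, err)
			}
			p = parsed.Masked()
		} else {
			a, err := netip.ParseAddr(e)
			if err != nil {
				return nil, fmt.Errorf("corporate IP address %q: %w", e, err)
			}
			a = a.Unmap()
			p = netip.PrefixFrom(a, a.BitLen())
		}
		cr.prefixes = append(cr.prefixes, p)
	}
	return cr, nil
}

// Inside reports whether the client's source address, as the cloud service sees
// it, falls in any configured range. Unmap() lets an IPv4 client that arrives as
// ::ffff:a.b.c.d match an IPv4 range instead of silently failing the comparison.
func (cr *CorporateRanges) Inside(clientIP string) (bool, error) {
	a, err := netip.ParseAddr(clientIP)
	if err != nil {
		return false, err
	}
	a = a.Unmap()
	for _, p := range cr.prefixes {
		if p.Contains(a) {
			return true, nil
		}
	}
	return false, nil
}

// SilentAuthAllowed models the first consumer: only Active Directory users get
// silent (IWA) authentication, and an EMPTY list means every address is treated
// as possibly inside the network.
func (cr *CorporateRanges) SilentAuthAllowed(clientIP string, adUser bool) (bool, error) {
	if !adUser {
		return false, nil
	}
	if len(cr.prefixes) == 0 {
		return true, nil
	}
	return cr.Inside(clientIP)
}

// SecondFactorRequired models the second consumer: here an EMPTY list means every
// address is treated as outside, so everyone is prompted for the extra factor.
func (cr *CorporateRanges) SecondFactorRequired(clientIP string) (bool, error) {
	if len(cr.prefixes) == 0 {
		return true, nil
	}
	inside, err := cr.Inside(clientIP)
	return !inside, err
}

func main() {
	cr, err := ParseCorporateRanges([]string{"203.0.113.0/24", "198.51.100.7"})
	if err != nil {
		panic(err)
	}
	for _, ip := range []string{"203.0.113.200", "198.51.100.8", "::ffff:203.0.113.9"} {
		silent, _ := cr.SilentAuthAllowed(ip, true)
		mfa, _ := cr.SecondFactorRequired(ip)
		fmt.Printf("%-20s silent=%v secondFactor=%v\n", ip, silent, mfa)
	}
}
```

The practical consequence of the two defaults: an empty list is the safe state for multifactor authentication (everyone is prompted) but the permissive state for silent authentication (every Active Directory login is attempted silently), so configure the ranges before enabling either feature rather than relying on the defaults.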
Selecting the policy service for device policy management
You use Device Policy Management to select whether you use Samsung SDS CellWe EMM
policy service or Active Directory Group Policy Management to set device configuration
policies. After you select the policy management tool, you can set the policy update
schedule and certificate authority.
Note: You must select the Samsung cloud service for mobile device management if you want to set the mobile device policies and install them in the device (see "Configuring mobile device management or single sign-on only" on page 205).
When you select the Samsung SDS CellWe EMM policy service, you use policy sets created in Admin Portal to set device configuration policies. When you use Active Directory group policy, you create group policy objects and edit them with the Group Policy Management Editor to set device configuration policies. See "Managing device configuration policies" on page 114 for the details.
Both methods provide largely the same policies; see "List of device configuration policies" on page 227 for a summary of the policies available in each one. The method you select depends upon the types of accounts (Samsung SDS CellWe EMM user service or Active Directory) used for enrolling devices. Use the following rules to select the proper method for your organization:
- Devices enrolled by both users with cloud accounts and users with Active Directory accounts: select the Samsung SDS CellWe EMM policy service. If you select Active Directory, the Samsung cloud service does not install the policies in devices enrolled by users with cloud accounts.
- Devices enrolled only by users with Active Directory accounts: select either Active Directory group policy or the Samsung SDS CellWe EMM policy service, whichever is most convenient to you.
- Devices enrolled only by users with cloud accounts: select the Samsung SDS CellWe EMM policy service.
Note: If you select Active Directory group policy, you still use policy sets to configure the Device Management Settings, Device Enrollment Settings, Account Security Policies, and Application Policies. You use the group policy object just to set the device configuration policies.
Selecting the Samsung SDS CellWe EMM policy service
If you select Samsung SDS CellWe EMM policy service, the cloud service uses the policy
sets assigned to each role to set the device configuration policies. See “Using Admin Portal
to set device configuration policies” on page 115 for the details.
When you select the Samsung SDS CellWe EMM policy service, you configure the policy
push delay and select the certification authority. The policy push delay specifies the number
of minutes the Samsung cloud service waits from the time you saved the policy set to push
the changes to the devices.
You can use either the Active Directory Certificate Service or the Samsung SDS CellWe
EMM cloud CA to generate user and computer certificates to authenticate users and devices
for wi-fi connections, respectively. The certificates are created and installed on the device
when the user enrolls the device.
Click Use Active Directory Certificate Service for PKI client authentication to
use the default certification authority you configured in your Active Directory Certificate
Service. (You can use the default certification authority only.) If you select this option, you
need to create user and computer templates on the default certification authority. There
may be some additional configuration required in the cloud connector as well. See “Using
Active Directory certificates in devices for authentication” on page 222 for the details.
Click Use Tenant Certificate Authority for PKI client authentication to use the
Samsung SDS CellWe EMM cloud CA for your cloud service account (tenant) to generate
user and computer certificates instead. You do not need to create templates when you select
this option.
The Samsung SDS CellWe EMM User Suite includes a Samsung SDS CellWe EMM cloud CA for each customer cloud service. When you select the tenant certification authority, it generates certificates that can be used to authenticate users for wi-fi and VPN connections and Exchange ActiveSync server log ins. The certificates are automatically generated and installed for users who are a member of a role that has a wi-fi, VPN, or Exchange server profile in the Samsung SDS CellWe EMM policy service in which certificates are used for authentication. The certificates are installed automatically when the user enrolls the device.
Click the Download button to download the certificate for the Samsung SDS CellWe EMM cloud CA for your account for installation in the Exchange server, wi-fi access point, or VPN server or concentrator. The certificate is self-signed, so there is no public chain behind it: the server trusts it because you installed it. Install it only as a client-authentication trust anchor on the servers that must accept device certificates, not in a general system trust store, and keep the server's own mapping from certificate subject to account, because every certificate the tenant CA issues for any enrolled user will chain to it. See the following sections to configure the use of Samsung SDS CellWe EMM cloud CA certificates:
- "Configuring Exchange profiles" on page 131
- "Configuring VPN profiles" on page 136
- "Configuring Wi-Fi profiles" on page 139
To select Samsung SDS CellWe EMM policy service for device policy management:
1 Open Admin Portal and click Settings.
2 Click Device Policy Management.
3 Click Cloud Policy Service.
4 Click the text box and enter the number of minutes for the policy push delay.
5 Click the radio button to select the certification authority.
6 Optional: If you need to install the certificate for your Samsung SDS CellWe EMM cloud
CA in a wi-fi access point, VPN server or concentrator, or Exchange ActiveSync server,
click Download to download the certificate file.
7 Click Save.
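What the wi-fi access point (its RADIUS server), VPN concentrator or Exchange server should do with the certificate downloaded in step 6 is trust it, and only it, as the root for client authentication, and then map the authenticated subject to an account. The following added example is not part of CellWe EMM or this guide: it builds a stand-in tenant CA and a second, unrelated CA in memory, issues device certificates from each, and shows the verification accepting exactly the one that chains to the tenant CA, is unexpired and is marked for client authentication. The CA names, the user alice and the validity periods are constructed; the real tenant CA certificate is the file the Download button gives you.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// VerifyDeviceCert is the check a RADIUS, VPN or Exchange server should apply to the
// certificate a device presents: chain to the downloaded tenant CA (the only root
// trusted here), be valid at now, and carry the clientAuth extended key usage.
func VerifyDeviceCert(tenantCAPEM, devicePEM []byte, now time.Time) (string, error) {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(tenantCAPEM) {
		return "", fmt.Errorf("tenant CA file contains no parseable certificate")
	}
	block, _ := pem.Decode(devicePEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("device certificate is not a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", fmt.Errorf("device certificate rejected: %w", err)
	}
	return cert.Subject.CommonName, nil // the user the certificate was issued for
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSignedCA builds a constructed, self-signed CA standing in for the tenant CA.
func selfSignedCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	ca, _ := x509.ParseCertificate(der)
	return ca, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// issue signs a user certificate with the given CA; a negative validFor yields an already-expired one.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, user string, validFor time.Duration, eku ...x509.ExtKeyUsage) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  eku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	must(err)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// Fixtures: one constructed tenant CA and four device certificates, one per case a server must tell apart.
type Fixtures struct{ TenantCA, Good, RogueCA, ServerOnly, Expired []byte }
func NewFixtures() Fixtures {
	tenant, tenantKey, tenantPEM := selfSignedCA("tenant CA (constructed)")
	rogue, rogueKey, _ := selfSignedCA("unrelated CA (constructed)")
	return Fixtures{
		TenantCA:   tenantPEM,
		Good:       issue(tenant, tenantKey, "alice", 24*time.Hour, x509.ExtKeyUsageClientAuth),
		RogueCA:    issue(rogue, rogueKey, "alice", 24*time.Hour, x509.ExtKeyUsageClientAuth),
		ServerOnly: issue(tenant, tenantKey, "alice", 24*time.Hour, x509.ExtKeyUsageServerAuth),
		Expired:    issue(tenant, tenantKey, "alice", -30*time.Minute, x509.ExtKeyUsageClientAuth),
	}
}

func main() {
	f := NewFixtures()
	for name, c := range map[string][]byte{"good": f.Good, "unrelated CA": f.RogueCA, "serverAuth only": f.ServerOnly, "expired": f.Expired} {
		user, err := VerifyDeviceCert(f.TenantCA, c, time.Now())
		fmt.Printf("%-16s user=%q err=%v\n", name, user, err)
	}
}
```

The returned subject is only an authenticated name; the server still has to decide whether that user may connect. Revocation is also outside this check, so a certificate from a wiped or lost device stays valid until it expires unless the server consults the cloud service or its own deny list.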
Selecting Active Directory group policy
If you select Active Directory group policy, the cloud service uses the group policy object
you linked to the organizational unit specified in the Device Enrollment Settings for each
role to set the device configuration policies. See “Using the Group Policy Management
Editor to set mobile device policies” on page 116 to specify the organizational unit; see
“Configuring group policy objects and organizational units” on page 204 to link the group
policy object to the organizational unit.
When you select the Active Directory group policy, you set the update interval and select
the certification authority used to generate certificates for users and devices when they
enroll on the Settings page. The update interval sets how often the cloud service polls the
domain controller for changes to the group policy objects. If the cloud service finds a group
policy object has changed, it pushes the policy changes to the devices. Otherwise, it takes
no action.
The certification authority you select generates certificates that can be used to authenticate
users for wi-fi and VPN connections and Exchange ActiveSync server log ins. The
certificates are automatically generated and installed for users who are a member of a role
that has a wi-fi, VPN, or Exchange server profile in the group policy object linked to their
organizational unit. The certificates are installed automatically when the user enrolls the
device.
When you install the cloud connector, it searches the Active Directory forest for the
certification authorities you have configured in your Active Directory Certificate Service.
You can select any certificate authority it finds to generate certificates.
Note: When you use an Active Directory certification authority, you need to create user and computer templates on the certification authority you select. There may be some additional configuration required in the cloud connector as well. See "Using Active Directory certificates in devices for authentication" on page 222 for the details.
To select Active Directory for device policy management:
1 Open Admin Portal and click Settings.
2 Click Device Policy Management.
3 Click Active Directory group policy.
4 Set the update interval.
Enter the number of minutes to set the period between polling events.
5 Select the certificate authority.
If you do not want to use the default certification authority, use the drop-down menu to
select another.
6 Click Save.
Configuring group policy objects and organizational units
When you use Active Directory group policy to set device configuration policies, you use
group policy objects that you edit with the Group Policy Management Editor to set the
policies. Next, you link that group policy object to an organizational unit. Finally, you
specify the organizational unit to use for a given policy set when you configure the Device
Enrollment Settings (see “Device Enrollment Settings - Enabling users to enroll devices” on
page 96).
The organizational unit you specify in the Device Enrollment Settings is also the
organizational unit in which the cloud service stores the Active Directory record when the
user enrolls the device. You can use this record in Active Directory Users and Computers to
get information about the device and send it commands. See “Using Active Directory Users
and Computers to manage devices” on page 71 for the details.
When you select Active Directory group policy, you should plan on how you are going to
apply the group policy objects to Samsung SDS CellWe EMM user service roles before you
create the policy sets and assign them to the roles. Once you have your roles and policies
planned, you use the following procedure to apply them to individual users’ devices:
1 Create a separate organizational unit for each role.
2 Create the group policy object for that role and set the policies.
3 Link the group policy object to the organizational unit.
4 Specify the organizational unit when you set the Device Enrollment Settings for the
policy set (see “Device Enrollment Settings - Enabling users to enroll devices” on page
96).
5 Assign the policy set to the role.
6 Add the users to the role.
You can use multiple roles or policy sets to apply different policies to users. In this case the rules for hierarchical policies are applied; see "Using hierarchical policy sets" on page 93.
Configuring mobile device management or single sign-on
only
You use the Mobile Device Management settings to select the Samsung cloud service
for mobile device management and enable Samsung KNOX UMC.
Note: You must have a Samsung KNOX Premium license to select the Samsung cloud service for mobile device management. This option is dimmed if you do not.
By default, the Samsung cloud service is selected to provide mobile device management. When you use the Samsung cloud service for mobile device management, it allows you to do the following:
- Define mobile device policies that the Samsung cloud service automatically installs in the devices (see "Managing device configuration policies" on page 114).
- Send commands from Admin Portal to the device (see "Using the device management commands" on page 74).
  Note: When you use the Samsung cloud service for mobile device management, the device owner can also send many of the same commands to the devices from the Samsung SDS CellWe EMM user portal.
- Deploy native iOS and Android mobile applications to the devices from Admin Portal.
- Simplify device enrollment for users with Samsung KNOX devices that have the Universal Mobile Device Management Client (UMC) installed (see "Enabling Samsung KNOX UMC login suffix updates" on page 206 for the details).
In addition, the cloud service provides more details about enrolled devices in Admin Portal and the user portal.
If you already have mobile device management from another provider in place, you can configure the Samsung cloud service for single sign-on only. When you configure the Samsung cloud service for single sign-on only, it provides the following services:
• You can create policy sets to set the following policies:
  • Device Management Settings
  • Device Enrollment Settings
  • Account Security policies for authentication, password reset, and password settings
  • Application policies
• You can assign web applications to the user portal.
• You can assign web applications with single sign-on to users with Android devices, KNOX-enabled devices, and iOS devices.
Users must install the Samsung SDS CellWe EMM client on the device to open the web applications from the device. Optionally, users can also assign web applications to their devices from the user portal. You manage this option using the Application policies—see “Application policies - Preventing users from adding applications” on page 114.
You can have only one mobile device management provider. You cannot have some devices
managed by the Samsung cloud service and other devices managed by another mobile
device management provider.
When you use another service for mobile device management, the Samsung cloud service does not provide the following services:
• If you installed the Samsung SDS CellWe EMM cloud connector, the CellWe EMM Mobile and Installed Applications tabs are not added to the device’s Active Directory Properties. This means you cannot send the device management commands to a device from Active Directory Users and Computers.
• The CellWe EMM Mobile tab is not added to the user’s Active Directory Properties. This tab lists the devices enrolled by the user and lets you send commands to the devices.
• Group policy profiles are not installed on the devices.
• On Android devices, the Samsung SDS CellWe EMM client does not have a Setup screen.
• Users can still install the Samsung SDS CellWe EMM client on their devices and get single sign-on to the web applications you assign to them. However, they are limited in which commands they can send to the device (see “Using the device management commands” on page 74).
Disabling Samsung cloud service mobile device management
You use Mobile Device Management on the Settings page in Admin Portal to select whether
or not you use the Samsung cloud service for mobile device management.
To disable the Samsung cloud service for mobile device management:
1 Open Admin Portal and click Settings.
2 Click Mobile Device Management.
3 Reset Use the cloud service for mobile device management. (The box should
not be checked.)
4 Click Save.
Enabling Samsung KNOX UMC login suffix updates
When you select the Samsung cloud service for mobile device management and you have
Samsung Workspace devices equipped with the Samsung KNOX Universal Mobile Device
Management Client (UMC), you should set “Enable Samsung KNOX UMC” to simplify device enrollment for users. For these users, installing the Samsung SDS CellWe EMM
client and enrolling their devices uses a different procedure than users with Android and
Samsung devices that are not equipped with the UMC. See “Working with UMC supported
KNOX devices” on page 86 for the details.
When you enable this setting, the cloud service automatically registers and synchronizes the
login suffixes you have created. The simplified enrollment is provided to all users whose
login suffix is registered in the Samsung Enterprise Gateway. The update is typically made
within a minute after you add, delete, or modify the login suffix.
To update the Samsung Enterprise Gateway with your login suffix changes:
1 Open Admin Portal and click the Settings tab.
2 Click Mobile Device Management and set Enable Samsung KNOX UMC.
3 Click Save.
Chapter 11 • Configuring cloud service settings
207
Appendix 1
Installing Samsung SDS CellWe EMM cloud connectors and administrator consoles
This section explains how you use the Cloud Management Suite installation wizard for the following purposes:
• To install a Samsung SDS CellWe EMM cloud connector if you are authenticating cloud service users by using their Active Directory or LDAP account.
• To install additional Samsung SDS CellWe EMM cloud connectors for load balancing and failover.
• To create administrator consoles for cloud service administrators. This lets them use Active Directory Users and Computers to manage cloud service users and enrolled devices and the Group Policy Management Editor to create group policy objects for mobile device policies.
You only need to install any of these components if you are using Active Directory/LDAP
accounts to authenticate cloud service users. (Active Directory/LDAP user accounts and
attributes are not replicated in the Samsung Cloud Service.) If you are using only the
Samsung CellWe EMM user service for user accounts, you can skip this section.
Note: You must have a Samsung KNOX Premium license key to install a Samsung SDS CellWe EMM cloud connector.
This section also describes modifying the cloud connector account permissions and creating
certificate templates if you want to use certificates for login authentication for Wi-Fi
connections, VPNs, or Exchange email accounts. Both of these are cloud service options,
and you do not need to perform these procedures if you are not using these options.
This chapter contains the following topics:
• “Requirements” on page 209
• “Supporting user authentication for multiple domains” on page 211
• “Adding cloud connectors and administrator consoles” on page 214
• “Running the Samsung SDS CellWe EMM Cloud Management Suite installer” on page 214
• “Modifying cloud connector account permissions” on page 218
• “Using Active Directory certificates in devices for authentication” on page 222
• “Uninstalling the Samsung SDS CellWe EMM Cloud Management Suite software” on page 226
Requirements
To install and configure a Samsung SDS CellWe EMM cloud connector you need the following:

Item: Samsung SDS CellWe EMM Cloud Management Suite installer
Description: This program installs the cloud connector, Active Directory/LDAP and group policy console extensions, and the Samsung SDS CellWe EMM cloud connector configuration program. To get the installer, you open Admin Portal, click Settings, click Cloud Connectors, and click Add cloud connector. Repeat this procedure every time you install a cloud connector to ensure you get the latest version of the cloud connector.

Item: Host computer joined to the domain controller
Description: You install the Samsung SDS CellWe EMM cloud connector on a Windows computer to establish the communications link between the Samsung cloud service and the Active Directory domain controller. If you are referencing accounts in an Active Directory tree or forest, the cloud connector can be joined to any domain controller in the tree (it does not need to be the root). In addition, that domain controller must have two-way, transitive trust relationships with the other domain controllers. See “Supporting user authentication for multiple domains” on page 211 for the details.
This computer must be in your internal network and meet or exceed the following requirements:
• Windows Server 2008 R2 or newer (64-bit only) with 8 GB of memory, of which 4 GB should be available for cloud connector cache functions.
• Has Internet access so that it can access the Samsung cloud service.
• Has the Baltimore CyberTrust Root CA certificate installed in the Local Machine Trusted Root Certification Authorities store.
• Microsoft .NET version 4.5 or later; if it isn’t already installed, the installer installs it for you.
• Is a server or server-like computer that is always running and accessible.

Item: User account with the proper Active Directory and cloud service permissions
Description: To install the Samsung SDS CellWe EMM cloud connector, the user account must have the Active Directory “Modify Permissions” permission. See “Required Active Directory permissions to install the cloud connector” on page 210 for the details. To register the cloud connector in your cloud service account, you must be either a member of the sysadmin role or a member of a role that has the Register Cloud Connectors permission. See “Creating cloud service administrators” on page 146 for the details.

Item: Web proxy server (optional)
Description: If your network is configured with a web proxy server that you want to use to connect to the Samsung cloud service, you specify this server during the installation process. The web proxy server must support HTTP/1.1 chunked encoding.
Appendix 1 • Installing Samsung SDS CellWe EMM cloud connectors and administrator consoles
209

Firewall settings
You should configure your firewall to allow outbound traffic over the following ports:
Port numbers   Resource
443            *.emm.samsung.com
443            *.windows.net
80             www.public.trust.com
80             mscrl.microsoft.com
80             privacy-policy.truste.com
80             ocsp.verisign.com
80/443         *.cloudapp.net
80/443         Azure data centers
If your organization has outbound firewall rules that are based on IP address whitelisting,
you need to add the Microsoft Windows Azure Service Bus service to the whitelist. Use the
following URL to get the most current list of IP addresses:
www.microsoft.com/en-us/download/details.aspx?id=41653
Note: The Microsoft Lync application always uses the cloud connector HTTPS port, regardless of whether or not the IWA Negotiation setting is enabled.
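The host requirements and the outbound firewall entries above can be verified before the installer is run. The script below is an added example, not part of the Samsung SDS guide or of the installer; it assumes PowerShell 3.0 or later on the prospective host, relies on the documented .NET 4.5 registry Release value, and probes the literal hosts from the firewall table plus cloud.samsungemm.com (the default cloud service URL from the installer section) as a stand-in for the wildcard entries.

```powershell
# Added example (not from the Samsung SDS guide): pre-installation checks for a
# cloud connector host, derived from the Requirements table and the firewall
# port list above. Each check returns an object with Check, Pass and Detail.

function Test-Is64BitServer {
    # The guide requires Windows Server 2008 R2 or newer, 64-bit only.
    $os = Get-WmiObject Win32_OperatingSystem
    $pass = ($os.OSArchitecture -like '64*') -and ($os.ProductType -ne 1)   # 1 = workstation
    [pscustomobject]@{ Check = '64-bit Windows Server'; Pass = $pass; Detail = "$($os.Caption) $($os.OSArchitecture)" }
}

function Test-HostMemory {
    # 8 GB total, so that 4 GB can be left for the cloud connector cache.
    $gb = [math]::Round((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
    [pscustomobject]@{ Check = '8 GB memory'; Pass = ($gb -ge 8); Detail = "$gb GB installed" }
}

function Test-DotNetVersion {
    # .NET 4.5 records Release = 378389 under this key; later versions use higher values.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
    [pscustomobject]@{ Check = '.NET 4.5 or later'; Pass = ($release -ge 378389); Detail = "Release=$release" }
}

function Test-BaltimoreRoot {
    # The Baltimore CyberTrust Root must be in the Local Machine trusted root store.
    $cert = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like '*Baltimore CyberTrust Root*' }
    [pscustomobject]@{ Check = 'Baltimore CyberTrust Root CA present'; Pass = [bool]$cert
                       Detail = (@($cert | ForEach-Object { $_.Thumbprint }) -join ',') }
}

function Test-OutboundTcp {
    param([string]$HostName, [int]$Port)
    # Plain TCP connect. If egress goes through the web proxy you enter in the
    # installer, test the proxy address instead of these hosts.
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect($HostName, $Port); $ok = $client.Connected }
    catch   { $ok = $false }
    finally { $client.Close() }
    $detail = if ($ok) { 'connected' } else { 'blocked or unreachable' }
    [pscustomobject]@{ Check = "Outbound $HostName`:$Port"; Pass = $ok; Detail = $detail }
}

# Representative endpoints for the firewall table. The wildcard entries
# (*.emm.samsung.com, *.windows.net, *.cloudapp.net) and the Azure data center
# ranges cannot be probed as wildcards; cloud.samsungemm.com stands in for the
# cloud service (assumption: it is the endpoint your tenant uses). Check the
# Azure ranges against Microsoft's published IP list separately.
$endpoints = @(
    @{ HostName = 'cloud.samsungemm.com';      Port = 443 },
    @{ HostName = 'www.public.trust.com';      Port = 80 },
    @{ HostName = 'mscrl.microsoft.com';       Port = 80 },
    @{ HostName = 'privacy-policy.truste.com'; Port = 80 },
    @{ HostName = 'ocsp.verisign.com';         Port = 80 }
)

$results = @(Test-Is64BitServer; Test-HostMemory; Test-DotNetVersion; Test-BaltimoreRoot)
foreach ($e in $endpoints) { $results += Test-OutboundTcp -HostName $e.HostName -Port $e.Port }

$results | Format-Table Check, Pass, Detail -AutoSize
if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more prerequisites are not met; fix them before running the installer.'
}
```

A failed Baltimore root check is worth fixing before anything else, because without that root the connector cannot validate the cloud service's TLS chain and every later connectivity test in the installer fails with a certificate error rather than a firewall error.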
Required Active Directory permissions to install the cloud connector
If you are a domain admin you have sufficient permissions to install the cloud connector.
However, if you are not, you need to have the Modify Permissions permission before you
begin the installation.
To add the Modify Permissions permission to an Active Directory user or group:
1 In Active Directory Users and Computers, make sure that you have Advanced Features
enabled (View > Advanced Features).
2 Open the properties for the desired user or group and click the Security tab.
3 In the Security tab, click Advanced.
4 In the Advanced Security Settings dialog box, click Add.
5 Enter the name of the user or service account that you will use to run the cloud
connector, and click OK.
6 In the Permission entry dialog box, click Allow for “Modify Permissions” and click OK.
The Permissions tab of the Advanced Security Settings dialog box lists the specified user
with the ability to Modify Permissions.
7 In the Advanced Security Settings dialog box, click OK.
8 In the Properties dialog box, click OK.
Supporting user authentication for multiple domains
You install the cloud connector on a host Windows computer that is joined to a domain
controller to authenticate cloud service users who have an account in that domain. If you
want the cloud service to authenticate users in other domains, there are two cloud
connector installation models—which one you use depends upon whether the accounts are in trusted domains in a single forest or in multiple, independent domain trees or forests.
Note: If all of your cloud service users have their accounts in a single domain controller, you can skip this topic.
Configuring authentication for trusted domains
You use this model when the users’ Active Directory accounts are in domains with domain
controllers that have a two-way, transitive trust relationship with the domain controller to
which the cloud connector is joined.
In this model, you have a single cloud connector for the entire domain tree or forest. The
cloud service communicates through this cloud connector for all authentication requests.
When the user account is in another domain, the authentication requests are handled
according to the tree-root, parent-child, forest, and shortcut trust relationship settings
between the domain controllers.
If you are using Active Directory for device and policy management, all object management
communications are done through the same cloud connector as well.
By default, two-way transitive trusts are automatically created when a new domain is added
to a domain tree or forest root domain by using the Active Directory Installation Wizard.
The two default trust types are parent-child trusts and tree-root trusts. When you
configure the trust relationship, be sure to select Forest trust. This establishes a transitive
trust between one forest root domain and another forest root domain. See How Domain
and Forest Trusts Work in Microsoft TechNet for more about trust relationships.
After you install the first cloud connector, you should install one or more additional cloud connectors on separate host computers. The host computer for each cloud connector must be joined to the same Active Directory domain controller. See “Adding cloud connectors and administrator consoles” on page 214 for the details.
The cloud service automatically creates a login suffix for the domain to which the host
computer is joined plus all of the domains that the cloud connector can see. Which domains
can be seen depends upon two criteria:
• The trust relationship between the domain controllers. Only domain controllers with a two-way transitive trust meet this criterion.
• The cloud connector’s user account permissions. By default the cloud connector is installed as a Local System user account on the Windows host. (See “Modifying cloud connector account permissions” on page 218 for more information.) The permissions you grant to this account can affect its ability to see other domains.
Note: When Admin Portal searches Active Directory domains for users and groups (for example, when you are adding a user or group to a role), it only searches the Active Directory Users container in the domain controllers that can be seen by the cloud connector.
Independent domains in multiple forests
You use this model when the users’ Active Directory accounts are in independent domain trees or forests; that is, there are domain controllers that do not have a two-way, transitive trust relationship with each other.
In this model, you have a separate cloud connector for each independent domain tree or
forest. The cloud service picks which cloud connector to use for the authentication request
based on the login-suffix-to-domain mapping it creates and maintains. When the user
account is in the cloud connector’s domain controller, the authentication requests are
handled according to the tree-root, parent-child, forest, and shortcut trust relationship
settings between the domain controllers in that forest or domain tree.
After you install the first cloud connector for each independent domain tree or forest, you should install one or more additional cloud connectors on separate host computers for each one. The host computer for each cloud connector must be joined to the same Active Directory domain controller as the initial cloud connector for this tree or forest. See “Adding cloud connectors and administrator consoles” on page 214 for the details.
The cloud service automatically creates a login suffix for the domain to which the host
computer is joined plus all of the domains that the cloud connectors for each independent
domain can see.
When Admin Portal searches Active Directory domains for users and groups (for example,
when you are adding a user or group to a role), it only searches the Active Directory Users
container in the domain controllers that can be seen by the cloud connectors. Which
domains can be seen depends upon two criteria:
• The trust relationship between the domain controllers. Only domain controllers with a two-way transitive trust meet this criterion. When you configure the trust relationship, be sure to select Forest trust. This establishes a transitive trust between one forest root domain and another forest root domain. See How Domain and Forest Trusts Work in Microsoft TechNet for more about trust relationships.
• The cloud connector’s user account permissions. By default the cloud connector is installed as a Local System user account on the Windows host. The permissions you grant to this account can affect its ability to see other domains. See “Modifying cloud connector account permissions” on page 218 for more information.
If you are using this model, use the Samsung SDS CellWe EMM policy service to set mobile
device policies (see “Selecting the policy service for device policy management” on page
201) and cloud service roles to enable users to enroll devices.
Adding cloud connectors and administrator consoles
You use the same Samsung SDS CellWe EMM Cloud Management Suite installer to install
the additional cloud connectors for load balancing and failover and administrator consoles
to manage cloud service users, devices and group policy objects.
About load balancing and failover
You should configure one or more cloud connectors to provide continuous uptime for the cloud service. Each cloud connector you add is listed in Admin Portal on the Settings page in the Cloud Connectors tab.
The Samsung cloud service provides load balancing among all cloud connectors with the
same services installed. For example, when a request comes in the cloud service routes the
request among the available cloud connectors. If one cloud connector becomes unavailable,
the request is routed among the other available cloud connectors providing automatic
failover.
Installing additional cloud connectors
You use the same procedure to download the installation wizard to the host computer and
then run the wizard to install and register additional cloud connectors. After you install and
register the cloud connector, it is added to the Cloud Connectors page.
Note: The host computer must be joined to the same Active Directory domain controller as the first cloud connector in the same trust domain or forest.
Creating a cloud service administrator console
You use the same procedure to download the installation wizard to the host computer and
then run the wizard. However, you do not install the cloud connector. Instead, you install
either or both of the console extensions.
Note: The host computer must be joined to the same Active Directory domain controller as the cloud connectors in the same trust domain or forest.
Running the Samsung SDS CellWe EMM Cloud
Management Suite installer
You use the Cloud Management Suite installer to install the Samsung SDS CellWe EMM
cloud connector on the host computer and create administrator consoles. The installer is
included in the Cloud Management Suite package you download from a link provided in
Admin Portal. The package also includes the release notes, license agreement,
documentation, and acknowledgments.
Adding a Samsung SDS CellWe EMM cloud connector is a two-phase procedure that you initiate from Cloud Manager:
• You download the Cloud Management Suite package from the link in Cloud Manager to the computer.
• You run the installation wizard to install the software and register the cloud connector to your Samsung cloud service account.
Note: By default, the cloud connector is installed as a Local System process account on the host computer. See “Modifying cloud connector account permissions” on page 218 to determine if this account and its permissions serve your purposes.
Downloading the Samsung SDS CellWe EMM Cloud Management Suite
You get the Cloud Management Suite package by using Cloud Manager.
To get the Cloud Management Suite package:
1 Log in to the host computer with an account that has sufficient permissions to install the
cloud connector.
2 Open Cloud Manager.
3 Click Settings, select cloud connector, and click Add cloud connector.
4 In the Download pane, click 64-bit.
The download begins.
5 Move the zip file to the folder you want to use and extract the files.
6 Open and read the license agreement.
7 Read through the release notes.
Running the installation wizard
The installation executable is a wizard that guides you through the installation process and
confirms that the cloud connector can communicate with the cloud service.
When the wizard is done, the complete communications infrastructure between the
Samsung SDS CellWe EMM cloud connector and the Samsung cloud service is in place and
the cloud connector is registered in your cloud service account.
Running the Samsung SDS CellWe EMM cloud connector configuration wizard:
1 Double-click the installation program: Cloud-Mgmt-Suite-rr.r-winaa.exe
In the file name, rr.r indicates the release version and aa indicates the processor
architecture (64-bit).
Note: If Microsoft .NET version 4.5 or later is not already installed on your computer, the installer installs it for you. Restart your computer after the .NET installation and then continue the installation of the Cloud Management Suite.
2 Click Yes to allow the installer to make changes to the computer.
3 Click Next in the welcome window.
4 Agree to the licensing terms.
Select the check box to accept the license agreement terms and click Next to proceed to
software installation.
5 Select the components you want to install on this host.
The default is to install all components. Use the following table to determine which
components you need to install.
Note: For all cloud connector configurations, selecting either or both of the Samsung SDS CellWe EMM tools enables administrators who log in to the host computer to use Active Directory Users and Computers to manage cloud service users and enrolled devices and to use Group Policy Management Editor to manage group policy objects. If you want to limit the use of these tools to administrator consoles, deselect the Samsung SDS CellWe EMM tools.
After you make your selections, click Next.
Computer purpose, configuration, and the components to install:
Cloud connector
  • Single sign-on and mobile device management support: Use the default setting. This installs all of the components.
  • Single sign-on with no mobile device management support: Keep Samsung SDS CellWe EMM cloud connector; deselect Group Policy Console Extension.
  • Mobile device management with no single sign-on support: Use the default setting. This installs all of the components.
Administrator console
  • For managing cloud service users and enrolled devices: Keep Active Directory Users and Computers console extension; deselect Samsung SDS CellWe EMM cloud connector and Group Policy console extension.
  • For managing group policy objects: Keep Group Policy console extension; deselect Samsung SDS CellWe EMM cloud connector and Active Directory Users and Computers console extension.
6 On the Files in Use window, select the option that is appropriate to your server and
click OK.
To install the cloud connector, some services may need to be shut down.
The wizard proceeds to install the software and start the services.
7 Click Finish.
If you selected just one or both of the console extensions, you are done. The only
components installed are the selected console extensions.
You perform the remaining steps only if you installed the cloud connector. The
remaining steps allow you to configure the cloud connector.
8 Click Next.
9 Enter the user name and password for an account that is a member of the sysadmin role
or one with the Register cloud connectors role permission and click Next.
Note: Click the Advanced button if you need to change the default URL (https://cloud.samsungemm.com/) for the cloud service. In most cases, you should not change this address.
10 Enter web proxy configuration (optional).
If your network has a web proxy server that you want to use for the connection to the
Samsung cloud service, select the Use a web proxy server... option.
If you do not have a web proxy server, click Next without selecting the option.
If you selected the web proxy option, enter the following information:
• Address: The URL of the web proxy server.
• Port: The port number to use to connect to the web proxy server.
• User name: A user name for an account on the web proxy server.
• Password: The password for that account.
This launches a series of tests that ensure that the cloud connector can communicate with
the cloud service. Expand the test if it is not successful to see what went wrong.
11 Click Next.
The wizard proceeds to register the cloud connector in your cloud service account,
initialize the settings, and start the service. This completes installation and registration.
12 Click Finish.
The wizard opens the Samsung SDS CellWe EMM cloud connector configuration
program in another window.
Modifying the default cloud connector settings
You use the Samsung SDS CellWe EMM cloud connector configuration program to modify
the default setting. See “Configuring the Samsung SDS CellWe EMM cloud connector” on
page 256 for the description of each tab and how to modify the default settings.
There are several default settings you may need to change right after you install the cloud
connector:
Setting: Enable auto-update (Cloud Connector tab)
To do this: Configure the cloud connector to automatically poll the cloud service for software updates and install them. You can also specify the polling and update windows.
Setting: Active Directory user verification interval (Cloud Connector tab)
To do this: Set the polling period between queries for updates to active Active Directory user accounts.
Setting: Log settings (Logging tab)
To do this: After you install a cloud connector, you should configure the cloud connector to log activities to help in troubleshooting in case you have any problems. Go to this tab to enable logging.
Modifying cloud connector account permissions
By default, the cloud connector service is started as a Local System account process. This
account has sufficient permissions for most purposes with the following exceptions:

• If you want to give Active Directory users the ability to reset their password from the administrator or user portal login prompt. This is a policy you have to enable (see “Enabling forgotten password reset for Active Directory users” on page 111), and it is intended to let users with Active Directory accounts reset their password if they have forgotten it when they try to log in.
If you want to enable this policy, you can give the Local System account the ResetPassword permission. Alternatively, you can run the cloud connector under a different account (if you select this option see “Permissions required for alternate accounts” on page 219) or provide the user name and password for an account that has the ResetPassword permission.
• If the host computer does not have read access to the container or organizational unit that stores the user accounts. Without read access, the cloud connector cannot authenticate the user. Domain computers have this permission by default; however, the cloud connector host may not. This most often occurs in multi-forest or multi-domain setups and can occur even when two-way trust is already defined. You can tell when this occurs—the cloud connector log would show the error message, "unable to locate forest or user object."
In this case, you need to give the Local System account read access permission to the containers or organizational units.
Note: If you change the cloud connector’s account or modify Local System account permissions, be sure to make the same changes on all the cloud connectors you install.
Implementing cloud connector on a member server
To implement the cloud connector on a member server:
1 On a member server, open an elevated PowerShell window and run the following command:
add-windowsfeature GPMC
2 In Active Directory, create a service account for the cloud connector and assign permissions using the instructions in “Permissions required for alternate accounts” on page 219.
3 Install the cloud connector on the member server.
4 Open Services on the cloud connector and change the cloud connector service “run as”
account.
5 Restart the cloud connector service.
Permissions required for alternate accounts
You can also run the cloud connector service as a Domain Admin account or an Active
Directory user account instead of as a Local System account. A Domain Admin account has
all of the required permissions. However, if you run as an Active Directory account, this
account must be a member of the local administrators group, and you must confirm that it
has the following permissions:

• At least read permission to the container that has the cloud service user accounts.
• A broader set of permissions on the container that has the enrolled device objects.
You designate the enrolled device object organizational unit in the Device Enrollment
Settings—see “Device Enrollment Settings - Enabling users to enroll devices” on page 96.
The following procedures describe how to set the read permission and the permissions for
the Active Directory user account for the container that stores the enrolled device objects.
Repeat the second procedure for every container or organizational unit you use to store the
enrolled device objects.
To set the Read access permission to the user account container:
1 Open Active Directory Users and Computers, select the user account container, and
open the Properties.
2 Select the Security tab and then click Add to add the user account you are using to run
the cloud connector service. Click OK after you add the user account.
3 Click the user account in Group or User Names and click the Allow box for the Read
permission.
4 Click OK.
To set the permissions to the enrolled device object container:
1 Open Active Directory Users and Computers, select the enrolled device object
container, and open Properties.
2 Select the Security tab then the Advanced button to view the Advanced Security
Settings.
3 Click Add to add a new permission entry.
4 Click Object Types and confirm that the object type for your cloud connector is selected.
5 Click OK.
6 On the Select User, Computer, Service Account, or Group window, enter the first few
characters of the object name into the object name text box then click Check Names.
7 Select the object name for your cloud connector and click OK.
8 Select Allow for the Create Computer objects permission.
9 Click OK.
10 Click Add to add another permission entry.
11 Click Object Types and confirm that the object type for your cloud connector is
selected.
12 Select the object name for your cloud connector and click OK. The Permission Entry for
MobileDevices window opens.
Cloud Manager user’s guide
13 Click the Allow box for the following permissions on the Object tab:
• Write all properties
• Delete
• Read permissions
• All validated writes
14 Click OK on the succeeding windows to exit the Properties configuration windows.
Setting the service connection point (SCP) object permissions
The cloud connector creates a serviceConnectionPoint object when it is started for the first
time after installation. When the cloud connector service is started by the Local System
account, it has Full Control over the serviceConnectionPoint object.
If you use an Active Directory account other than the Local System account, the following
procedure describes how to add the additional permissions required by that user.
To set the permissions for a Service Connection Point (SCP) object for a selected user
account:
1 Open ADSI Edit and open the Properties for the desired SCP object.
The service connection is created when the cloud connector is started for the first time.
If the cloud connector’s name is
CN=MachineA,CN=Computers,DC=domain,DC=com
the SCP object is located in ADSI Edit at the following:
CN=proxy,CN=MachineA,CN=Computers,DC=domain,DC=com
2 Select the Security tab and then click Add to add the user account you are using to run
the cloud connector service. Click OK after you add the user account.
3 Click the user account in Group or User Names and click the Advanced button.
4 Click the user account in the Permission entries tab and click the Edit button.
5 In the Object tab, click the Allow box for the Write all properties permission.
The “Apply to” field should be set to This object only. This is often the default. If it is
not, use the drop-down list to change it.
6 Click OK.
7 Click OK on the succeeding windows to exit ADSI Edit.
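The three procedures above (Read on the user account container; Create Computer objects plus Write all properties, Delete, Read permissions and All validated writes on the descendant computer objects of the device container; and Write all properties on the SCP object only) can also be applied and audited from PowerShell, which makes it easier to confirm that the connector account holds exactly these rights and nothing broader. The script below is an added example, not part of the CellWe EMM guide or product. The service account name svc-cellwe, the OU=Users and OU=MobileDevices containers and the Add-Ace helper are assumptions for illustration; the SCP path follows the CN=proxy,CN=MachineA,... pattern the guide gives, and the computer class GUID is read from the schema rather than hard-coded.

```powershell
# Added example (not part of the CellWe EMM guide): grants the cloud connector's
# service account the permissions the three GUI procedures above set, then reads
# the ACLs back for audit. Names marked "assumed" are placeholders for your own.
Import-Module ActiveDirectory

$svcAccount = 'svc-cellwe'                                          # assumed service account
$userOU     = 'OU=Users,DC=domain,DC=com'                           # assumed: holds cloud service user accounts
$deviceOU   = 'OU=MobileDevices,DC=domain,DC=com'                   # assumed: holds enrolled device objects
$scpObject  = 'CN=proxy,CN=MachineA,CN=Computers,DC=domain,DC=com'  # SCP path pattern from the guide

$sid = (Get-ADUser -Identity $svcAccount).SID

# Schema GUID of the 'computer' object class, looked up so the rule is scoped to that class only.
$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$computerGuid = [Guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=computer)' `
                    -Properties schemaIDGUID).schemaIDGUID

function Add-Ace {
    # Assumed helper: appends one access rule to the ACL of an AD object.
    param([string]$Path, [System.DirectoryServices.ActiveDirectoryAccessRule]$Rule)
    $acl = Get-Acl -Path "AD:\$Path"
    $acl.AddAccessRule($Rule)
    Set-Acl -Path "AD:\$Path" -AclObject $acl
}

$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$rights  = [System.DirectoryServices.ActiveDirectoryRights]
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

# 1. Read on the user account container (first procedure, step 3). Applied to the
#    container and its descendants so the user objects inside it are readable.
Add-Ace -Path $userOU -Rule (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights::GenericRead, $allow, $inherit::All))

# 2a. Create Computer objects on the device container (second procedure, step 8):
#     CreateChild limited to the computer class, on this object only.
Add-Ace -Path $deviceOU -Rule (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights::CreateChild, $allow, $computerGuid, $inherit::None))

# 2b. Write all properties, Delete, Read permissions, All validated writes on the
#     descendant computer objects (second procedure, step 13).
$childRights = $rights::WriteProperty -bor $rights::Delete -bor $rights::ReadControl -bor $rights::Self
Add-Ace -Path $deviceOU -Rule (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $childRights, $allow, $inherit::Descendents, $computerGuid))

# 3. Write all properties on the SCP object, "This object only" (SCP procedure, step 5).
Add-Ace -Path $scpObject -Rule (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights::WriteProperty, $allow, $inherit::None))

# Audit: every ACE the service account holds on the three objects. Anything beyond the
# rights above (GenericAll, WriteDacl, WriteOwner, ...) is more than the connector needs.
foreach ($path in $userOU, $deviceOU, $scpObject) {
    (Get-Acl -Path "AD:\$path").Access |
        Where-Object { $_.IdentityReference -like "*\$svcAccount" } |
        Select-Object @{n = 'Object'; e = { $path }}, ActiveDirectoryRights, AccessControlType,
                      InheritanceType, ObjectType, InheritedObjectType |
        Format-Table -AutoSize
}
```

Run it once per device container you use (the guide says to repeat the second procedure for each), and keep the audit loop as a periodic check: the connector account is a service identity that can create and delete computer objects, so a later widening of its ACEs should be noticed.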
Using Active Directory certificates in devices for authentication
You can use a certificate authority in the Active Directory Certificate Service to generate
user and computer certificates for user and device authentication. In turn, you can use these
certificates for login authentication in the Wi-Fi, VPN, and Exchange ActiveSync server
profiles rather than an account’s user name and password. (See the Wi-Fi, VPN, and
Exchange server profile configuration descriptions in “Mobile device configuration policies
overview” on page 119 for the details.)
This section only applies when you use Active Directory group policy for device policy
management (see “Selecting the policy service for device policy management” on page 201)
or you select Active Directory Certificate Service in Device Policy Management (see
“Selecting the Samsung SDS CellWe EMM policy service” on page 202). If you select the
Tenant Certificate Authority instead, you can skip this section.
Note
To use certificates from your Active Directory certification authority, you must create user
or computer certificate templates on the Windows Certificate Authority server used by the
Samsung SDS CellWe EMM cloud connector. In addition, you need to configure the host
computer for each of your Samsung SDS CellWe EMM cloud connectors so that it can
revoke certificates.
After you create the templates, the certificates are automatically created for the cloud
service and then installed by the Samsung cloud service when the user enrolls the device.
• If you are using Active Directory group policy for device policy management, you can
select the certification authority when you configure Device Policy Management—see
“Selecting Active Directory group policy” on page 203. If you are using Samsung SDS
CellWe EMM policy service for device policy management and select the Active
Directory Certificate Service, the cloud service uses the default Active Directory
Certificate Services certification authority only.
• In many cases, additional server configuration is required before you can use certificates
for authentication. See your server’s documentation for the details.
You need to go to the user certificate template on the Windows Certification Authority server
to confirm that the Domain Users group in Active Directory has the permission to auto-enroll
the certificate. For specific instructions for configuring Exchange 2010 authentication using
PKI, see this Exchange 2010 PKI Authentication Configuration document.
The procedures in this section assume that you have a working Active Directory Certificate
Services certificate authority within your domain and you have sufficient permissions to
modify the settings.
Enabling the enrollment policy to use user and computer certificates
Before you can use certificates for authentication, you need to set the enrollment policy to
enable automatic enrollment and renewal. The following procedure shows you how to set
the Certificate Enrollment Policy for user and computer certificates in the Default Domain
Policy. However, you can also set them on a group-by-group basis.
To enable computer and user certificate enrollment policies:
1 Open the Group Policy Management plug-in on the cloud connector, right-click the
Default Domain Policy, and click Edit.
2 To enable the Certificate enrollment policy for computer certificates, expand Computer
Configuration > Policies > Windows Settings > Security Settings and click
Public Key Policies.
3 Double click Certificate Services Client - Certificate Enrollment Policy.
4 In the Configuration Model menu, select Enabled.
5 Click OK.
6 To enable the Certificate enrollment policy for user certificates expand User
Configuration > Policies > Windows Settings > Security Settings and click
Public Key Policies.
7 Double click Certificate Services Client - Certificate Enrollment Policy.
8 In the Configuration Model menu, select Enabled.
9 Click OK.
Creating the certificate templates
You create either or both certificate user and computer templates on the Active Directory
certificate authority server you selected in the Device Policy Management (see “Selecting
the policy service for device policy management” on page 201). The template or templates
you create must be named as follows, including the uppercase letters:
• Computer-ClientAuth
• User-ClientAuth
In some cases, you specify in the profile which type of certificate (user or computer) to use
for authentication (for example, the iOS Wi-Fi profile) while others require you to use
either the computer or the user certificate. To simplify profile configuration, we
recommend creating both templates.
You use the Microsoft Management Console (MMC) on the certification authority server
designated in the Samsung SDS CellWe EMM cloud connector to create the templates.
To create computer and user certificate templates:
1 Launch certsrv.msc or the Certificate Authority console on the Windows server with
the certification authority installed.
2 Expand the certification authority, right-click Certificate Templates, and click
Manage.
3 Right-click Computer and choose Duplicate Template.
To create the User-ClientAuth template, you right-click User instead and then choose
Duplicate Template.
4 Select Windows Server 2008 and click OK.
5 In the Template display name: text box enter Computer-ClientAuth. (This
automatically fills in the Template name: field too.)
If you are creating the user template, enter User-ClientAuth instead.
6 Set the Validity period: and Renewal period values.
7 Click the Subject Name tab and select Supply in the request.
8 Click the Security tab, select Authenticated Users and select the Enroll permission.
9 On the same tab, select Domain Computers and select the Enroll permission.
10 Click OK and close the Certificate Templates Console.
11 In the MMC, right-click Certificate Templates, click New, and click Certificate
Template to Issue.
12 Click Computer-ClientAuth and click OK.
If you are creating the user template, click User-ClientAuth instead and click OK.
The templates you create should now appear in the Certificate Templates folder.
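Because both templates let the requester supply the subject name (step 7) and grant Enroll to Authenticated Users and Domain Computers (steps 8 and 9), it is worth confirming from the directory what was actually created and who can enroll against it: any principal with Enroll on such a template can obtain a client-authentication certificate for a subject of its choosing, so the Enroll list should be reviewed and narrowed to the connector's own account and host where your environment allows it. The following PowerShell check is an added example, not the guide's or the product's own code. The CA object name CA01 is an assumed placeholder; the Enroll and AutoEnroll right GUIDs are read from the schema rather than hard-coded.

```powershell
# Added example (not part of the CellWe EMM guide): verifies that the two templates
# exist, are published on the CA, allow "Supply in the request", shows their validity,
# and lists every principal holding Enroll or AutoEnroll on them.
Import-Module ActiveDirectory

$caName    = 'CA01'                                   # assumed: CN of your CA under Enrollment Services
$templates = 'Computer-ClientAuth', 'User-ClientAuth' # names required by the guide

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Map the Enroll / AutoEnroll control-access-right GUIDs to their display names.
$rightGuids = @{}
$rightsFilter = '(|(displayName=Enroll)(displayName=AutoEnroll))'
foreach ($r in Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter $rightsFilter `
                            -Properties displayName, rightsGuid) {
    $rightGuids[[Guid]$r.rightsGuid] = $r.displayName
}

# Templates the CA actually issues (step 11 "Certificate Template to Issue").
$caObject  = Get-ADObject -Identity "CN=$caName,CN=Enrollment Services,$pkiBase" -Properties certificateTemplates
$published = $caObject.certificateTemplates

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag bit for "Supply in the request"

foreach ($name in $templates) {
    $dn = "CN=$name,CN=Certificate Templates,$pkiBase"
    $t  = Get-ADObject -Identity $dn -Properties 'msPKI-Certificate-Name-Flag', pKIExpirationPeriod

    # pKIExpirationPeriod is a little-endian, negative count of 100-nanosecond intervals.
    $validityDays    = [Math]::Abs([BitConverter]::ToInt64($t.pKIExpirationPeriod, 0)) / 864000000000
    $suppliesSubject = ($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0

    '{0}: published={1} supplyInRequest={2} validityDays={3}' -f `
        $name, ($published -contains $name), $suppliesSubject, $validityDays

    # Who can enroll: each of these principals can request a client-auth certificate
    # with any subject, so this list should be as short as your deployment permits.
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $rightGuids.ContainsKey($_.ObjectType) } |
        ForEach-Object {
            '    {0,-10} {1,-5} {2}' -f $rightGuids[$_.ObjectType], $_.AccessControlType, $_.IdentityReference
        }
}
```

Expected output for a template created by the procedure is published=True and supplyInRequest=True with Enroll rows for Authenticated Users and Domain Computers; a template that is missing from the published list was duplicated but never added with Certificate Template to Issue.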
Revoking certificates for unenrolled devices
The certification authority does not by default revoke certificates for devices when they are
unenrolled. You must give the host computer for the Samsung SDS CellWe EMM cloud
connector the "Issue and Manage Certificates" permission in the certification authority
server to revoke certificates.
Note
You must grant this permission in the certification authority for the host computer for
each of your Samsung SDS CellWe EMM cloud connectors.
To enable certification authority to revoke certificates when devices are unenrolled:
1 Launch certsrv.msc or the Certificate Authority console on the Windows server with
the certification authority installed.
2 Right-click the certification authority and click Properties.
3 Click the Security tab.
4 Click the Add button and select the host computer for the Samsung SDS CellWe EMM
cloud connector.
Make sure the “Computer” object type is selected (click Object Types and select
Computers) and enter the first few characters of the computer name as the search filter
in the Check Names field.
Select the computer and click OK.
5 Select the computer from the Group or user names list and set the Issue and Manage
Certificates permission to Allow.
6 Click OK.
7 Repeat this procedure for all of your cloud connector host computers.
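Since the certification authority does not revoke device certificates on its own, the practical check after granting this permission is to unenroll a test device and confirm on the CA that its certificates changed to the revoked disposition. The following PowerShell function is an added example, not part of the guide or product; Get-DeviceCertificateStatus, DEVICE-CN and ca01.domain.com\CA01 are assumed names, and the subject common name is whatever the connector put in the certificate issued to that device (visible in the CA's Issued Certificates view). It relies on certutil -view with csv output, so it runs on the CA host or on any computer with the CA administration tools and read access to the CA database.

```powershell
# Added example (not part of the CellWe EMM guide): queries the CA database for every
# certificate issued to a device's subject and reports whether each one is revoked.
function Get-DeviceCertificateStatus {
    param(
        [Parameter(Mandatory)][string]$SubjectCN,   # common name in the device's certificate (assumed input)
        [string]$CAConfig = ''                      # 'host\CAName'; empty means the local CA
    )
    $configArg = if ($CAConfig) { @('-config', $CAConfig) } else { @() }
    $columns   = 'RequestID,CommonName,SerialNumber,CertificateTemplate,' +
                 'Request.Disposition,Request.RevokedWhen,Request.RevokedReason'

    # The trailing "csv" makes certutil emit a header line plus one quoted row per certificate.
    $raw = & certutil @configArg -view -restrict "CommonName=$SubjectCN" -out $columns csv

    $raw | Select-Object -Skip 1 |
        ConvertFrom-Csv -Header RequestId, CommonName, SerialNumber, Template, Disposition, RevokedWhen, RevokedReason |
        Where-Object { $_.SerialNumber } |          # drops certutil's trailing status line
        ForEach-Object {
            # Request.Disposition 20 = issued, 21 = revoked in the CA database.
            $revoked = $_.Disposition -match '\b21\b|Revoked'
            [pscustomobject]@{
                RequestId    = $_.RequestId
                Template     = $_.Template
                SerialNumber = $_.SerialNumber
                Status       = if ($revoked) { 'Revoked' } else { 'STILL VALID' }
                RevokedWhen  = $_.RevokedWhen
                Reason       = $_.RevokedReason
            }
        }
}

# Usage (assumed values): after unenrolling the device every row should read Revoked.
# A row that is STILL VALID means revocation did not happen, typically because the
# connector host lacks Issue and Manage Certificates on this CA.
Get-DeviceCertificateStatus -SubjectCN 'DEVICE-CN' -CAConfig 'ca01.domain.com\CA01' | Format-Table -AutoSize
```

Remember that relying parties (Wi-Fi, VPN, Exchange) only see the revocation once a CRL containing the entry is published and fetched, so a device whose certificate shows Revoked here can still authenticate until the CRL refreshes.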
Uninstalling the Samsung SDS CellWe EMM Cloud Management Suite software
You use the Uninstall command in the Windows Control Panel to remove the cloud
connector and console extensions.
All of the components are installed under the name Samsung Cloud Management Suite
followed by the version number. Uninstalling this program removes all of the Cloud
Management Suite components installed on the computer. You cannot, for example, delete
the cloud connector but leave the console extensions.
If you use just one Samsung SDS CellWe EMM cloud connector, uninstalling the Samsung
SDS CellWe EMM Cloud Management Settings from the Active Directory Control Panel
terminates mobile device policy enforcement. However, if you uninstall the Cloud
Management Suite from one computer but have the Samsung SDS CellWe EMM cloud
connector installed on one or more other computers, service is not interrupted. In this
case, the Samsung cloud service automatically switches to another cloud connector.
To uninstall the Cloud Management Suite software:
1 On a Windows computer on which you installed Cloud Management Suite, close any
open Microsoft Management Consoles, such as Active Directory Users and Computers
and Group Policy Management Editor, that may be using the components.
2 Click Start > Control Panel > (Programs) Uninstall Program, then right-click
Samsung SDS CellWe EMM Cloud Management Suite version.
3 Click Yes when the confirmation message appears.
If no Microsoft Management Console applications are open, the installer finishes and
removes the Cloud Management Suite software. If applications are open, you are
prompted for how to close them.
4 If prompted to close open applications, do the following:
• Leave the following option selected and click OK:
Automatically close applications and attempt to restart them after setup
is complete.
• If prompted that a Microsoft Management Console application has stopped working,
click Close the program.
The cloud connector and, if also installed, the console extensions are now removed from
your computer. However, a directory and some files will still reside on your computer.
To remove these files, complete the next step.
5 To remove all Cloud Management Suite related files, navigate to and delete the
C:\Program Files\samungemm folder.
Appendix 2
List of device configuration policies
The following tables list the Samsung cloud service device configuration policies. The bulk
of the policies are available whether you use the Windows Group Policy Management
Editor (GPME) or the Samsung SDS CellWe EMM policy service. However, a few policies
may be available in one but not the other.
See the Explain tab in the Windows Group Policy Management Editor or tool tips in Admin
Portal for the details on implementing the policy.
• “Understanding licensing” on page 228
• “Common Mobile Settings” on page 228
• “iOS Settings” on page 231
• “Additional iOS Settings” on page 235
• “Samsung KNOX Device Settings” on page 236
• “Samsung KNOX Workspace Settings” on page 246
• “Touchdown Settings” on page 255
Understanding licensing
The device configuration policies that are available for you to enable and configure are
determined by the licenses that your organization has purchased. If you enable a policy in
either the Samsung CellWe EMM policy service or Active Directory Group Policy
Management Editor and you don’t have the required license, the policy is not installed in
the device.
The following bundle and add-on licenses are available for purchase in KNOX Marketplace:
• KNOX Express for IT license (bundle): Provides access to a base set of policies.
You use the Samsung CellWe EMM policy service to create policy sets.
• KNOX Premium (bundle): Provides access to all base policies, all Samsung KNOX
Device Settings policies, and base Samsung KNOX Workspace Settings policies.
This license also lets you use either the Samsung CellWe EMM policy service or the
Active Directory Group Policy Management Editor to enable policies.
• KNOX Workspace (add on): Provides access to all of the policies in Samsung KNOX
Workspace Settings.
• Samsung CellWe EMM IAM (add on): Provides unlimited cross-platform SaaS and
mobile application deployments.
Note
The Samsung CellWe EMM IAM license does not entitle you to use the device
configuration policies.
The following table summarizes the policies that are available with each license:
Policy Category                   KNOX Express for IT   KNOX Premium   KNOX Workspace
Just Exchange ActiveSync          Full                  Full           None
Common Mobile Settings            Full                  Full           None
iOS Settings                      None                  Full           None
Samsung KNOX Device settings      Full                  Full           None
Samsung KNOX Workspace Settings   Partial               Partial        Full
Common Mobile Settings
The Common Mobile Settings policies are available to KNOX Express for IT and KNOX
Premium licenses. Note, however, that to set policies using the Active Directory Group
Policy Management Editor, you must have a KNOX Premium license. Otherwise, you can
set policies through the Samsung CellWe EMM policy service only.
Policy | Description
Enable debug logging | Turn on the debug logging mode on the device. The Samsung SDS
CellWe EMM client supports two logging modes: regular and debugging. Only limited logs
are collected in regular mode. You set this policy to collect the full range of logs
supported. By default regular mode is enabled.
Encrypt internal onboard storage | Require device owners to encrypt the storage system on
Android devices.
  Notes:
  • In Admin Portal this policy is in the Common category.
  • When you set Samsung KNOX Workspace Settings/Enable Common Criteria mode, this
  policy is enabled for Samsung Workspace devices; however, this setting is not shown in
  Admin Portal or Group Policy Management Editor. This allows you to make a separate
  setting for other devices.
Wi-Fi Settings | Configure Wi-Fi profiles—Wi-Fi SSID and connection parameters—for iOS
and Android devices.
Passcode Settings
The Passcode Settings policies are available to KNOX Express for IT and KNOX Premium
licenses. Note, however, that to set policies using the Active Directory Group Policy
Management Editor, you must have a KNOX Premium license. Otherwise, you can set
policies through the Samsung CellWe EMM policy service only.
Policy | Description
Auto-Lock (minutes) | Require mobile devices to enforce passcode access.
Grace period for device lock | Require iOS devices to allow a grace period. For iOS devices,
the grace period is the amount of time that a locked device may be unlocked without
entering the passcode.
Maximum number of failed attempts | Specify the maximum number of failed attempts that
are allowed before the device is locked or wiped.
  Note: When you set Samsung KNOX Workspace Settings/Enable Common Criteria mode,
  this policy is enabled for Samsung Workspace devices; however, this setting is not shown
  in Admin Portal or Group Policy Management Editor. This allows you to make a separate
  setting for other devices.
Maximum passcode age (days) | Specify the number of days a passcode can exist before it
must be reset.
Minimum number of complex characters | Specify the minimum number of complex
characters required for the passcode.
Minimum passcode length | Specify the minimum number of characters required for the
passcode.
Passcode history | Specify the number of passcodes to store and compare against new
passcodes. New passcodes are not allowed to repeat a stored passcode.
  Note: When you set Samsung KNOX Workspace Settings/Enable Common Criteria mode,
  this policy is disabled for Samsung Workspace devices; however, this setting is not shown
  in Admin Portal or Group Policy Management Editor. This allows you to make a separate
  setting for other devices.
Permit simple value | Allow a passcode with simple values (that is, values that use
repeating, ascending, or descending character sequences).
Require alphanumeric value | Require alphanumeric values (that is, values with at least one
letter and one integer).
Require passcode on device | Require mobile devices to enforce passcode access.
  Note: You must set this policy for the other passcode policies to be enforced.
Restrictions Settings
The Restriction Settings policies are available to KNOX Express for IT and KNOX
Premium licenses. Note, however, that to set policies using the Active Directory Group
Policy Management Editor, you must have a KNOX Premium license. Otherwise, you can
set policies through the Samsung CellWe EMM policy service only.
Policy | Description
Allow jailbroken/rooted devices | Control whether a user can enroll a jailbroken or rooted
device.
  Note: This policy is deprecated starting with version 14.10. Instead, use the Device
  Enrollment Settings to restrict device enrollment—see “Device Enrollment Settings -
  Enabling users to enroll devices” on page 96.
Permit camera use | Control whether user can use the camera and the FaceTime app on
their devices.
Permit user to unenroll device | Control whether user can unenroll a device.
  Note: This policy is only available in the Samsung SDS CellWe EMM policy service.
Permit user to wipe device | Control whether user can wipe device.
  Notes:
  • This policy is only available in the Samsung SDS CellWe EMM policy service.
  • For iOS devices, this policy applies only to devices with iOS 8 or later that are
  configured as “supervised” in Apple Configurator.
  • For Android devices, this policy applies only to devices that support the Samsung
  KNOX Device SDK version 3.0 (ENTERPRISE_SDK_VERSION_3_0) or later. (The
  Samsung KNOX Device SDK version is listed under the Operating System Settings when
  you open the device details in Admin Portal.)
Report mobile device location | Display device location in the user portal. By default, this
policy is enabled.
  Note: The user must also have device tracking turned on in the device and in the user
  portal (the default setting).
iOS Settings
The iOS Settings policies except for the Exchange ActiveSync Settings require a KNOX
Premium license.
Policy | Description
Exchange ActiveSync Settings | Configure Exchange ActiveSync profile for iOS devices.
  Note: You can also use this policy if you have a Samsung CellWe EMM license.
Per app VPN Settings | Map native applications to a specific VPN connection.
  Note: This feature is only available for VPN profiles that use the F5 VPN with certificate
  based authentication.
Kiosk Mode
The iOS Kiosk Mode policies require a KNOX Premium license.
Policy | Description
Allow user to control assistive touch setting | Displays a control to let user adjust assistive
touch.
  Note: This policy only goes into effect if the “Enable assistive touch” policy is set.
Allow user to control invert-color setting | Displays a control to let user modify invert color
settings.
  Note: This policy only goes into effect if the “Enable invert colors” policy is set.
Allow user to control voice-over setting | Displays a control to let user adjust voice-over
settings.
  Note: This policy only goes into effect if the “Enable voice-over” policy is set.
Allow user to control zoom setting | Displays a control to let user adjust the zoom.
  Note: This policy only goes into effect if the “Enable zoom” policy is set.
Enable kiosk mode (Supervised Only) | Puts the device in kiosk (single application only)
mode and lets you select the MDM client or a specific application to run as the application.
  Note: All of the other kiosk mode policies go into effect only when the policy is enabled.
Device control policies:
• Disable auto-lock
• Disable device rotation
• Disable ringer switch
• Disable sleep-wake button
• Disable touch
• Disable volume buttons
• Enable Assistive touch
• Enable invert colors
• Enable mono-audio
• Enable speak selection
• Enable Voiceover
• Enable zoom
Restrictions Settings
The iOS Restriction Settings policies require a KNOX Premium license.
Policies marked “(Supervised Only)” apply only to devices that are configured as
‘supervised’ with Apple Configurator.
Policy | Description
Force encrypted backups | Allow devices to back up to iTunes without encryption.
Force iTunes Store password | Require device owners to enter a password for all iTunes
transactions.
Force limit Ad tracking | Limit device Ad tracking.
Force Siri Profanity Filter (Supervised Only) | Allow device to use Siri Profanity Filter.
GPME: Permit access to Airdrop (Supervised only); Samsung SDS CellWe EMM policy
service: Permit Airdrop (Supervised only) | Allow users to use AirDrop.
Permit access to erotic media of iBookstore (Supervised Only) | Allow device to access
erotic media in iBookstore.
Permit access to Game Center (Supervised Only) | Allow device owners to access Game
Center.
Permit access to iBookstore (Supervised Only) | Allow device owners to access iBookstore.
Permit access to Shared Photo Stream | Allow device owners to access Shared Photo Stream.
Permit account modification (Supervised Only) | Allow device owners to modify the account.
Permit adding Game Center friends (Supervised Only) | Allow device owners to add Game
Center friends on their devices.
Permit app cellular data usage changes (Supervised Only) | Allow applications to change
from wi-fi to cellular data on device.
Permit automatic diagnostic reports submission | Allow devices to submit diagnostic reports
to Apple automatically.
Permit automatic sync while roaming | Allow devices to automatically sync while roaming.
Permit device to show Passbook notifications on lock screen | Allow devices to display
Passbook notifications when the device is locked.
Permit explicit music & podcasts | Allow device owners to access explicit music and
podcasts on their devices.
Permit Find My Friends settings modification (Supervised only) | Allow device owners to
enable Find My Friends on their devices.
Permit iCloud backup | Allow device owners to back up their devices to iCloud.
Permit iCloud document sync | Allow device owners to synchronize documents and key
values to iCloud.
Permit iCloud keychain sync | Allow device owners to synchronize keychain to iCloud.
Permit iMessage (Supervised Only) | Allow device owners to access iMessage.
Permit in-app purchase | Allow device owners to make in-app purchases.
Permit installing apps | Allow device owners to install apps on their devices.
Permit iTunes Music Store use | Allow device owners to use the iTunes Music Store on their
devices.
Permit screen control center | Allow device to show control center during lock screen.
Permit lock screen notification view | Allow the device to show Notifications View during
lock screen.
Permit lock screen today view | Allow device to show Today View during lock screen.
Permit manual configuration file installation (Supervised Only) | Allow the device to install
configuration profiles and certificates interactively. This setting applies only to devices
that are configured as ‘supervised’ with Apple Configurator.
Permit multiplayer gaming (Supervised Only) | Allow device owners to play multi-player
games on their devices.
Permit opening managed app documents in unmanaged apps | Allow device owners to open
managed application documents in an unmanaged application.
Permit opening unmanaged apps documents in managed apps | Allow device owners to open
unmanaged application documents in managed applications.
Permit Photo Stream | Allow device owners to use Photo Stream on their devices.
Permit removing apps (Supervised Only) | Allow device owners to remove apps on their
devices.
Permit Safari use | Allow device owners to use the Safari web browser and set specific
options for Safari.
Permit screen capture | Allow device owners to capture screens on their devices.
Permit Siri use | Allow device owners to use Siri on their devices.
Permit Siri use while device is locked | Allow device owners to use Siri on their devices
while device is locked.
GPME: Permit Touch ID to unlock device; Samsung SDS CellWe EMM policy service:
Permit fingerprint unlock | Allow Touch ID to unlock a device.
Permit untrusted TLS prompt | Prompt device owners when their device receives an
untrusted HTTPS certificate.
Permit user-generated content in Siri | Allow device to have user-generated content in Siri.
Permit voice dialing | Allow device owners to voice dial on their devices.
Ratings | Enforce a rating policy, limiting movie, TV show, and app viewing to the specified
rating level.
Additional iOS Settings
These iOS Settings policies require a KNOX Premium license.
Policy | Description
Calendar settings | Configure CalDAV server connection.
Contacts settings | Configure CardDAV server connection.
LDAP settings | Configure LDAP server for searching contacts.
  Note: Not available in Samsung SDS CellWe EMM policy service.
Mail settings | Configure POP or IMAP email account profile.
Security and privacy settings | Send application and system crash reports to Apple
automatically.
VPN Settings | Set up virtual private network (VPN) connection profiles for iOS devices.
Samsung KNOX Device Settings
You must have a Samsung KNOX Workspace license to use the Samsung KNOX Device
Settings policies. If you do not, policies you enable are not pushed to the device.
All of the policies in Samsung KNOX Device Settings are available with KNOX Express for
IT and KNOX Premium licenses. Note, however, that to set policies using the Active
Directory Group Policy Management Editor, you must have a CellWe EMM license.
Otherwise, you can set policies through the Samsung CellWe EMM policy service only.
Policy | Description | Minimum Device SDK version | Notes
Exchange ActiveSync Settings | Configure Exchange ActiveSync profiles for Samsung KNOX
devices. | 2.0 | This policy applies to personal mode only. You configure Exchange
ActiveSync profiles for Samsung KNOX containers separately in the Samsung KNOX
Workspace Settings.
VPN Settings | Configure VPN for Samsung KNOX Standard devices. | 3.0 | Do not use this
policy for Samsung KNOX Workspace devices. Instead, you configure VPN profiles for
Samsung KNOX workspace devices separately in the Samsung KNOX Workspace Settings.
If you enable the "Allow only IPsec or SSL/TLS VPN connections" policy, MDM version 4.0
is required.
APN Settings | Create Access Point Name profiles. | 5.0 | Use this policy to provision a
device with APNs for enterprise billing before tying the billing to a specific APN. Use the
Enterprise Billing policy to specify the APN.
Wi-Fi Settings | Configure Wi-Fi connections on Samsung KNOX devices. | 3.0 | You create
profiles for all KNOX devices, including KNOX Workspace devices, in this policy.
Kiosk Mode | Put device in kiosk mode. When the device is in this mode, users are limited
to a specific application. | 3.0 | You can set additional policies that control multiple
windows, display of the navigation and status bars, and access to the task manager when
the device is in kiosk mode.
IMAP/POP Settings | Enable and configure IMAP or POP email account on Samsung KNOX
device. | 2.0 | This policy applies to personal mode only. You configure IMAP/POP profiles
for Samsung KNOX containers separately in the Samsung KNOX Workspace Settings.
Application Management
Policy | Description | Minimum Device SDK version
Applications blocked based on permission restriction | Set permission restrictions to block
applications. | 2.0
Applications that can/cannot show status bar notifications | Prevent status bar
notifications. | 3.0
Applications that user can/cannot install | Prevent installation of applications. | 1.0
Applications that user can/cannot launch | Create blacklist of applications user cannot
launch. | 2.0
Applications that user can/cannot stop | Prevent user from stopping applications. | 3.0
Applications that user can/cannot uninstall | Prevent uninstallation of applications. | 1.0
Applications to be added to home screen | Select home screen applications. | 3.0
Applications to be removed from home screen | Remove home screen applications. | 3.0
Change application’s icon | Change the icon for a package. |
Permissions for applications | Create blacklist of permissions. | 3.0
Widgets that user can/cannot add to home screen | Specify denied widgets. | 3.0
Bluetooth Settings
Policy | Description | Minimum Device SDK version
Bluetooth devices that user can/cannot connect | Allow Bluetooth connection for specific
devices. | 2.2
Bluetooth features that user can/cannot use | Select which Bluetooth features users can
use. | 2.2
Bluetooth profiles that user can/cannot use | Enable Bluetooth profiles. | 2.0
Enable Bluetooth discoverable mode | Set Bluetooth discoverability mode. | 2.0
Enable limited discoverable mode | Limit Bluetooth discovery period. | 2.0
Permit data transfer via Bluetooth | Permit data transfer using Bluetooth. | 2.0
Permit desktop or laptop connection via Bluetooth | Allow Bluetooth connection to
computer. | 2.0
Permit outgoing calls via Bluetooth headset | Permit outgoing calls from Bluetooth
headset. | 2.0
Permit pairing with other Bluetooth devices | Allow pairing with other Bluetooth devices. | 2.0
Device Inventory Settings

Policy | Description | Minimum Device SDK version
--- | --- | ---
Enable logging of call information | Enable logging of call information. | 2.0
Enable logging of carrier data usage | Enable logging of the carrier's data network usage. | 
Enable logging of cellular data network statistics | Enable logging of cellular data network usage. | 2.0
Enable logging of SMS | Enable Short Message Service (SMS) logging. | 2.0
Enable logging of Wi-Fi network | Enable logging of the number of Wi-Fi data bytes received and sent. | 2.0
Time between updates of data logging | Set the interval between updates of the data log. | 2.0
Cloud Manager user’s guide
238

Firewall Settings

Policy | Description | Minimum Device SDK version
--- | --- | ---
Set allow rules | Set allow rules for iptables. | 2.0
Set deny rules | Set deny rules for iptables. | 2.0
Set proxy rules | Set a proxy rule on iptables. | 2.0
Set redirect exception rules | Set redirect exception rules on iptables. | 3.0
Set reroute rules | Set reroute rules on iptables. | 2.0
Type of network for accessing Google Play | Set Google Play network rule. | 3.0
Passcode Settings
There are several passcode policies labelled “Advanced Settings:” in this table. In the Group Policy Management Editor they are listed in a separate category, and in the Samsung SDS CellWe EMM policy service descriptions they are in a collapsed list. Changing the settings in these policies will require all users affected by this policy to change their password, regardless of whether their current password meets the new criteria.

Policy | Description | Minimum Device SDK version
--- | --- | ---
Enable password visibility | Enable password visibility. | 4.0
Enable screen lock pattern visibility | Enable screen lock pattern visibility. | 3.0
Exclude external storage for failed passwords wipe | Exclude external storage when the device is wiped after the user exceeded the maximum number of failed password attempts. | 4.0
Maximum failed password attempts for disabled device | Specify the maximum number of failed password attempts. | 2.0
Minimum number of changed characters in password | Specify the minimum number of changed characters required for a new password. | 4.0
Timeout for password change enforcement | Specify the maximum time allowed to change a password. | 2.0
Advanced Settings: Forbidden strings in password | Set strings that are forbidden in the device password. | 2.2
Advanced Settings: Maximum character sequence length in password | Specify the maximum alphabetic sequence length. | 4.0
Advanced Settings: Maximum numeric sequence length in password | Specify the maximum numeric sequence length allowed in the password. | 2.2
Advanced Settings: Maximum occurrences of a character in password | Specify the maximum number of occurrences of a character in the device password. | 2.2
Advanced Settings: Password pattern enforcement | Force the user to enter a password based on a regular expression. | 2.0
Restrictions Settings

Policy | Description | Minimum Device SDK version
--- | --- | ---
Permit access to manage background data usage | Allow the user to synchronize with a server when the application is in the background. | 2.0
Permit access to the clipboard | Allow editing functions to use the clipboard. | 2.0
Permit Android Beam use | Block the use of Android Beam on device. | 4.0
Permit audio recording | Disable audio recording. | 4.0
Permit Bluetooth access | Permit user access to Bluetooth. User or third-party applications cannot enable Bluetooth access if it is disabled with this policy. | 2.0
Permit cellular data use | Allow mobile data connections. | 2.0
Permit changing wallpaper | Allow the user to change the device wallpaper. | 3.0
Permit device as a media player via USB | Allow using the device as a USB media player. | 2.0
Permit expansion of status bar | Allow expansion of the status bar. | 3.0
Permit firmware recovery | Allow users to initiate a firmware recovery operation on the device. | 5.0
Permit Google backup | Allow backing up to Google servers. | 2.0
Permit home key functionality | Enable home key functionality. | 2.0
Permit installation of non-Google Play apps | Allow installation of non-Google-Play applications. | 2.0
Permit killing an activity when the user leaves it | Allow killing an activity when the user leaves it without user interaction. | 4.0
Permit microphone use | Allow the user and third-party applications to use the microphone. | 2.0
Permit mock GPS locations | Allow the device to change its actual longitude and latitude readings. | 2.0
Permit NFC use | Allow the user to change the near field communication setting in the Settings application. | 2.0
Permit power off | Allow the user to power off the device using the power button. | 3.0
Permit S Beam use | Enable the user to send and receive files using S Beam. | 4.0
Permit S Voice application use | Allow S Voice application use (Samsung personal assistant). | 4.0
Permit safe mode launch | Enable the user to reboot the device in safe mode. | 4.0
Permit screen capture | Allow device owners to capture screens. | 2.0
Permit SD card access | Enable data access to the SD card. | 3.0
Permit sending crash report to Google | Enable sending a crash report to Google. | 3.0
Permit setting a background process limit | Allow setting a background process limit by the user. | 4.0
Permit setting mobile data limit | Allow the user to set the mobile data limit without user interaction. | 2.0
Permit settings changes | Allow changes to Settings applications. | 2.0
Permit sharing the clipboard between applications | Allow sharing a global clipboard between applications. | 4.0
Permit stopping system app | Enable the use of the force stop button. | 4.0
Permit Tethering | Enable the device to share carrier data with another device. | 2.0
Permit upgrading the operating system (OS) over-the-air (OTA) | Allow the user to upgrade the OS via a firmware-over-the-air (FOTA) client (for example, Samsung DM or WebSync DM). | 3.0
Permit USB debugging | Allow device debugging through Dalvik Debug Monitor Server (DDMS) or adb. On Samsung KNOX Workspace devices, the following rules are enforced: (1) when a container is created, USB debugging is automatically disabled and the user cannot change this setting on the device; (2) when the container is removed and this policy is not configured, the user can change this setting on the device; (3) if the policy is set to allow debugging before the container is created, debugging is not disabled after the container is created. Note: The last rule is enforced differently on T devices (for example, the Note 4). On these devices, debugging is always disabled after the container is created. An admin can override this setting, however, by re-applying the policy after the container is created. | 2.0
Permit USB host storage | Connect any portable USB storage, external HD, or Secure Digital (SD) card reader when it is mounted as a storage drive on the device. | 4.0
Permit USB mass storage | Allow the user to access USB mass storage. This policy blocks any kind of browsing of the device directory through Dalvik Debug Monitor Server (DDMS). This policy is deprecated for devices using Android 4.0 or later. Instead, use the Media Transfer Protocol to enable and disable USB mass storage on the device. | 2.0
Permit video recording | Allow using the camera to record videos. If video recording is disabled, the device camera is still available so that the user can take pictures and use video streaming. | 4.0
Permit VPN use | Allow the user to establish a VPN session. When this policy is set to False (GPME) or No (Samsung SDS CellWe EMM policy service), the UI for using VPN through the Settings application is inaccessible. | 2.2
Permit Wi-Fi use | Enable the Wi-Fi UI setting. When set to False (GPME) or No (Samsung SDS CellWe EMM policy service), user or third-party applications cannot enable Wi-Fi access. When set to True (GPME) or Yes (Samsung SDS CellWe EMM policy service), the Wi-Fi UI setting is enabled but Wi-Fi functionality is not automatically enabled. | 2.0
Roaming Settings

Policy | Description | Minimum Device SDK version
--- | --- | ---
Enable roaming cellular data | Enable connection to the internet when roaming. | 1.0
Enable roaming voice calls | Enable voice calls when roaming. | 
Enable roaming WAP push | Enable processing WAP PUSH messages. | 1.0
Enable sync automatically while roaming | Enable automatic application syncing when roaming. | 3.0
Security Settings

Policy | Description | Minimum Device SDK version
--- | --- | ---
Enable enrollment with MDM server | Enable enrollment with MDM server. | 3.1
Enable SIM card lock | Enable a SIM card lock and set the PIN number. | 4.0
Encrypt removable storage | Enable external Secure Digital (SD) encryption if available. Note: When you set Samsung KNOX Workspace Settings/Enable Common Criteria mode, this policy is enabled for Samsung Workspace devices; however, this setting is not shown in Admin Portal or Group Policy Management Editor. This allows you to make a separate setting for other devices. | 2.0
VPN Restrictions

Policy | Description | Minimum Device SDK version
--- | --- | ---
Allow only IPsec or SSL/TLS VPN connections | Require IPsec or SSL/TLS VPN connections. | 4.0
Wi-Fi Restrictions
Note: If you have an environment with Wi-Fi profiles defined in Samsung KNOX Device Settings and Common Mobile Settings, many of the Samsung KNOX Device Wi-Fi Restrictions policies affect the Wi-Fi profiles from both settings on Samsung KNOX devices.

Policy | Description | Minimum Device SDK version | Notes
--- | --- | --- | ---
Minimum certificate security level for EAP-TLS networks | Specify the minimum certificate security level for EAP-TLS networks. | 2.0 | For Samsung KNOX devices, this policy applies to Wi-Fi profiles defined in Common Mobile Settings and Samsung KNOX Device Settings.
Minimum security level of connected Wi-Fi | Specify the minimum security level. | | For Samsung KNOX devices, this policy applies to Wi-Fi profiles defined in Common Mobile Settings and Samsung KNOX Device Settings.
Permit user to add Wi-Fi networks | Allows users to add Wi-Fi networks. | 2.0 | 
Permit user to change the Wi-Fi state | Allows users to modify the Wi-Fi state. | 3.0 | For Samsung KNOX devices, this policy applies to Wi-Fi profiles defined in Common Mobile Settings and Samsung KNOX Device Settings.
Permit user to connect automatically to known Wi-Fi network | Allows users to connect automatically to known Wi-Fi networks. | 4.0 | For Samsung KNOX devices, this policy applies to Wi-Fi profiles defined in Common Mobile Settings and Samsung KNOX Device Settings.
Permit user to edit Wi-Fi AP settings | Allows users to modify Wi-Fi network access point settings. | 2.2 | For Samsung KNOX devices, this policy applies to Wi-Fi profiles defined in Common Mobile Settings and Samsung KNOX Device Settings.
Permit user to modify Wi-Fi setting | Allows users to modify Wi-Fi network settings. | 2.0 | For Samsung KNOX devices, this policy applies to Wi-Fi profiles defined in Common Mobile Settings and Samsung KNOX Device Settings.
Permit user to start an open (non-secured) Wi-Fi hotspot | Allows users to open a non-secured hotspot. | 2.0, 4.0 | 
Prompt user to re-enter credentials if WPA/WPA2-PSK authentication fails | Prompts the user to re-enter credentials (WPA/WPA2 networks only). | 2.0 | For Samsung KNOX devices, this policy applies to Wi-Fi profiles defined in Common Mobile Settings and Samsung KNOX Device Settings.
Show password in the Wi-Fi network edit dialog | Shows the password characters in the Wi-Fi network edit dialog. | 2.0 | For Samsung KNOX devices, this policy applies to Wi-Fi profiles defined in Common Mobile Settings and Samsung KNOX Device Settings.
Wi-Fi access point setting | Configure Wi-Fi access point parameters. | 2.2 | 
Wi-Fi network blacklist | Specify a blacklist of Wi-Fi networks. | 2.2 | 
Wi-Fi network whitelist | Specify a whitelist of Wi-Fi networks. | 2.2 | 
Wi-Fi networks to block | Specify Wi-Fi networks to block. | 2.0 | 
Samsung KNOX Workspace Settings
You must have a Samsung KNOX Workspace license to use the Samsung KNOX Workspace Settings policies. If you do not, any policies that you enable are not pushed to the device. Some KNOX Workspace Settings policies are available with KNOX Express for IT and KNOX Premium licenses. All of the policies are available when you have a KNOX Workspace license. The tables that follow indicate whether the policy is supported by the KNOX Express for IT and KNOX Premium licenses.

Some of the following policies in Workspace Settings can be applied to both KNOX version 1 and KNOX version 2 containers. In most cases, setting a KNOX version 2 policy has no effect on devices with a KNOX version 1 container. Exceptions are mentioned in the Notes column.
Policy | Description | Notes
--- | --- | ---
Configure applications that can sync with container | Configure applications that can sync with the container. | You can configure data synchronization between personal mode and KNOX mode for the Contacts and S Planner applications. You can also control which synchronization paths are available to the user to change. See the “Permit changing applications that can sync with the container” policy in KNOX Workspace > Container > Restrictions.
Enable Common Criteria mode | Enable the following policies: Common Mobile Settings/Encrypt internal onboard storage; Common Mobile Settings/Passcode Settings/Maximum number of failed attempts (the number of failed attempts is set to the value you set in the Enable Common Criteria mode policy, for the Samsung devices only); Samsung KNOX Device Settings/Security Settings/Encrypt removable storage. Disable the Common Mobile Settings/Passcode Settings/Passcode History policy. | The policy settings are implemented on the device only; they are not indicated in the Admin Portal policy set or the Active Directory group policy object. This allows you to have separate settings for these policies for other types of devices. Common Criteria mode puts the target device in an operational mode that enforces the following security features and policies: (1) the bootloader blocks KIES download mode, enforces an integrity check of the kernel, and self-tests the crypto modules; (2) the device verifies an additional signature on firmware-over-the-air (FOTA) updates using an RSA-PSS signature and uses a FIPS 140-2 validated crypto module for EAP-TLS Wi-Fi connections. This policy is only available on the following KNOX 2 devices: Galaxy S4, Galaxy S5, Galaxy Note 3, Galaxy NotePro, Galaxy Note 10.1 and Galaxy Note 10.1 2014 Edition.
Enable Enterprise Billing | Enable separate bill generation for personal and enterprise data usage. | To enable enterprise billing, two different Access Point Names (APNs) are configured on the KNOX device. Personal data is routed via the default APN and enterprise data is routed via the dedicated enterprise APN specified in the policy. Note: This policy is only available for KNOX 2.2 devices.
Enable KNOX container | Enable the device to allow the user to create a KNOX container. | This policy is available when you have a KNOX Workspace, KNOX Premium, or KNOX Express for IT license key.
Enable ODE Trusted Boot verification | Consider attestation state before decrypting the data partition. | When you enable this policy, applications cannot decrypt data in the data partition if attestation fails. Attestation confirms that the boot loader, kernel, and system software have not been tampered with. Attestation is performed when the user boots the device and periodically thereafter. The current status is shown in the device details in Admin Portal. This policy is also available with a KNOX Premium license.
Enable TIMA Key Store | Consider attestation state before writing or accessing keys and certificates. | The TIMA key store is implemented as a key store provider for the Java Keystore class. When enabled, it provides TrustZone-based secure storage for symmetric keys, RSA key pairs, and certificates. When you enable this policy, applications cannot retrieve or write symmetric keys, RSA key pairs, and certificates if attestation fails. Attestation confirms that the boot loader, kernel, and system software have not been tampered with. Attestation is performed when the user boots the device and periodically thereafter. The current status is shown in the device details in Admin Portal. This policy is also available with a KNOX Premium license.
Require attestation verification | Consider attestation state before creating the KNOX container. | When you enable this policy, users cannot create a KNOX container if attestation fails. Attestation confirms that the boot loader, kernel, and system software have not been tampered with. Attestation is performed when the user boots the device and periodically thereafter. The current status is shown in the device details in Admin Portal. Note: On devices that do not support attestation, if you set this policy, the user is not allowed to create a container. This policy is also available with a KNOX Premium license.
VPN mode of operation | Enable FIPS or non-FIPS compliance for KNOX VPNs. | Not available in Samsung SDS CellWe EMM policy service.
VPN Settings | Configure VPN profiles for Samsung KNOX Workspace devices. | Use this policy to create VPN connection profiles to be used in the KNOX Workspace container and device settings. This policy is only available with the KNOX Workspace license.
Container settings

Policy | Description | Notes
--- | --- | ---
Enable Google Apps | Add the Google Play icon to the KNOX container, install the Google Maps, Gmail, and Chrome applications in the container, and let the user install any application from Google Play in the container. | This policy is only supported on Samsung Galaxy S5 devices.
Exchange ActiveSync Settings | Configure Exchange ActiveSync for Samsung KNOX Workspace devices. | This policy is available with KNOX Workspace, KNOX Express for IT, and KNOX Premium licenses.
IMAP/POP Settings | Enable IMAP or POP email accounts on enrolled Android devices with Samsung KNOX. | This policy is available with KNOX Workspace, KNOX Express for IT, and KNOX Premium licenses.
Per app VPN settings | Enable automatic VPN log in for specified applications. | Use this policy to map an application to a specific VPN connection profile defined in the VPN Settings. Use the “Applications that can be installed” policy to create an application whitelist and blacklist. This policy requires a KNOX Workspace license.
Application Management
The Application Management Settings policies are available only with a KNOX Workspace
license.
Policy | Description
--- | ---
Allow applications to be moved into container | Adds an option to the KNOX Settings application inside the container that displays the mobile applications installed in Personal mode and lets the user install them in the KNOX container. Note: This policy is only supported on KNOX 2 containers.
Application SSO whitelist | Specify which mobile applications are allowed to use the Samsung KNOX SSO (single sign-on) service. Notes: You do not need to add web applications to this list; it is only for mobile applications you install in the container that use the Samsung KNOX SSO Service. You do not need to add Samsung SDS CellWe EMM WebApps to this list if you are using the Samsung cloud service for mobile device management.
Applications that can be installed | Creates a whitelist and blacklist of package names to restrict which mobile applications are allowed and disallowed for installation in the KNOX container. Notes: This policy is only supported on KNOX 2 containers. This policy does not apply to applications that are part of the system image. This policy has no effect on applications that are on the blacklist but were already installed before the policy was installed.
Applications that can install other applications | Allow specified applications to install other applications.
Applications that user can/cannot clear cache | Create a list of applications for which the user is allowed/disallowed to clear the cache.
Applications that user can/cannot clear data | Create a list of applications for which the user is allowed/disallowed to clear the data.
Applications to be added to home screen | Select the applications to be displayed on the home screen.
Applications to be disabled | Silently deny use of specific applications.
Browser Settings
The Browser Settings are available only with a KNOX Workspace license.
Policy | Description | Notes
--- | --- | ---
Enable auto fill setting | Allow any website to autofill suggestions when a user is filling in form data on the webpage. | 
Enable cookies setting | Allow any website to store cookies related to the website on the device. | 
Enable force fraud warning setting | Force the browser to show an untrusted certificate security warning to the user. | 
Enable JavaScript setting | Allow the browser to run JavaScript code for a website. | 
Enable popups setting | Allow any website to use pop up windows. | 
Enable smart card authentication | Enable smartcard authentication for the browser. | You can also enable digital signing of emails using a smart card. See the Samsung KNOX Workspace Settings Exchange ActiveSync Settings policy.
Container Account Policy
The Container Account Settings policies are available with KNOX Workspace, KNOX
Express for IT, and KNOX Premium licenses.
Policy | Description
--- | ---
Accounts addition blacklist | Specify which accounts are in the device account blacklist.
Accounts addition whitelist | Specify which accounts are in the device account whitelist.
Email Settings
The Email Settings policies are available with KNOX Workspace, KNOX Express for IT,
and KNOX Premium licenses.
Policy | Description
--- | ---
Permit account addition | Allow the user to add more email accounts.
Prohibit displaying email using HTML format | Prevent HTML email messages.
Prohibit forwarding email from specific account | Prevent email forwarding from specific accounts.
Firewall Settings
The Firewall Settings policies are only available with a KNOX Workspace license.
Policy | Description
--- | ---
Set allow rules | Set allow rules for iptables.
Set deny rules | Set deny rules for iptables.
Set redirect exception rules | Set redirect exception rules on iptables.
Set reroute rules | Set reroute rules on iptables.
Passcode Settings
There are several passcode policies labelled “Advanced Settings:” in this table. In the Group Policy Management Editor they are listed in a separate category, and in the Samsung SDS CellWe EMM policy service descriptions they are in a collapsed list. Changing the settings in these policies will require all users affected by this policy to change their password, regardless of whether their current password meets the new criteria.

The Passcode Settings policies are available with KNOX Workspace, KNOX Express for IT, and KNOX Premium licenses.

Policy | Description
--- | ---
Enable password visibility | Enable device password visibility.
Maximum failed password attempts for disabled container | Specify the maximum number of failed password attempts.
Maximum passcode age (days) | Specify the number of days a passcode can exist before it must be reset.
Maximum password lock delay (seconds) | Specify in seconds the maximum lock delay that the user can set for the security timeout in the KNOX Settings.
Minimum number of changed characters in password | Specify the minimum number of changed characters required for a new device password.
Minimum number of complex characters | Specify the minimum number of complex characters required for the device password.
Minimum passcode quality | Specify the required quality properties for the passcode.
Minimum password length | On KNOX version 2 containers: Set the minimum length for the password and PIN used to open the KNOX container. On KNOX version 1 containers: Set the minimum length for the password used to open the KNOX container.
Passcode history | Specify the number of passcodes to store and compare against new passcodes. New passwords are not allowed to repeat a stored password.
Advanced Settings: Forbidden strings in password | Specify strings that are forbidden in the device passcode.
Advanced Settings: Maximum character sequence length in password | Specify the maximum alphabetic character sequence length in a device password.
Advanced Settings: Maximum numeric sequence length in password | Specify the maximum numeric character sequence length in a device password.
Advanced Settings: Maximum occurrences of a character in password | Specify the maximum number of occurrences of a character in the device password.
Advanced Settings: Require two factor authentication | Require the user to provide two methods of authentication (fingerprint plus either PIN, password, or pattern) to open the container. Two-factor authentication is not required to create the container. After the container is created, the user is prompted to select the second authentication factor. Note: This policy is available for KNOX version 2.1 and later devices with a fingerprint reader only.
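The "Advanced Settings" passcode policies in the Samsung KNOX Device Settings table and in the Workspace Settings table above are described only by name, and because changing any of them forces every affected user to set a new password, an administrator wants to know in advance what each one rejects. The following checker is an added example, not code from Samsung SDS CellWe EMM or from the Samsung KNOX agent: it evaluates a candidate password against constructed values for forbidden strings, maximum alphabetic and numeric sequence length, maximum occurrences of a character, and a "Password pattern enforcement" regular expression. The meaning of "sequence" (a run of characters adjacent in the alphabet, ascending or descending, compared case-insensitively), the case-insensitive matching of forbidden strings, and the requirement that the regular expression match the whole password are assumptions of this example, not semantics stated on the page.

```python
"""Checker for the KNOX 'Advanced Settings' passcode policies.

Added example, not code from Samsung SDS CellWe EMM or from Samsung KNOX. It
models what the four Advanced Settings policies (forbidden strings, maximum
alphabetic sequence length, maximum numeric sequence length, maximum
occurrences of a character) and the device-level 'Password pattern
enforcement' regular expression test for. The exact semantics inside the
device agent are not documented on this page; the interpretations below are
assumptions.
"""
from __future__ import annotations

import re
import string
from collections import Counter
from dataclasses import dataclass, field

LETTERS = string.ascii_lowercase
DIGITS = string.digits


@dataclass
class PasscodePolicy:
    # Substrings that may not appear anywhere in the password (assumed case-insensitive).
    forbidden_strings: list[str] = field(default_factory=list)
    # Longest allowed run of consecutive letters, e.g. 3 rejects "abcd" (0 = not enforced).
    max_char_sequence: int = 0
    # Longest allowed run of consecutive digits, e.g. 3 rejects "1234" (0 = not enforced).
    max_numeric_sequence: int = 0
    # Most times any single character may occur, e.g. 2 rejects "aaa" (0 = not enforced).
    max_char_occurrences: int = 0
    # Regular expression the whole password must match (None = not enforced).
    pattern: str | None = None


def longest_run(password: str, alphabet: str) -> int:
    """Length of the longest substring whose characters are adjacent in `alphabet`,
    ascending or descending ("cdef", "9876"). Assumption: this is what the policy
    descriptions mean by a 'sequence'. Comparison is case-insensitive."""
    best = run = 0
    direction = 0   # +1 ascending, -1 descending, 0 not yet determined
    prev: str | None = None
    for ch in password.lower():
        if ch not in alphabet:          # a character outside the alphabet breaks the run
            run, direction, prev = 0, 0, None
            continue
        if prev is None:
            run, direction = 1, 0
        else:
            step = alphabet.index(ch) - alphabet.index(prev)
            if step in (1, -1) and direction in (0, step):
                run += 1                  # continues the current sequence
                direction = step
            elif step in (1, -1):
                run, direction = 2, step  # direction reversed: "cba" right after "abc"
            else:
                run, direction = 1, 0
        best = max(best, run)
        prev = ch
    return best


def check_password(password: str, policy: PasscodePolicy) -> list[str]:
    """Return the list of policy violations for `password` (empty list = accepted)."""
    violations = []
    lowered = password.lower()
    for forbidden in policy.forbidden_strings:
        if forbidden.lower() in lowered:
            violations.append(f"contains forbidden string {forbidden!r}")
    if policy.max_char_sequence:
        n = longest_run(password, LETTERS)
        if n > policy.max_char_sequence:
            violations.append(
                f"alphabetic sequence of length {n} exceeds {policy.max_char_sequence}")
    if policy.max_numeric_sequence:
        n = longest_run(password, DIGITS)
        if n > policy.max_numeric_sequence:
            violations.append(
                f"numeric sequence of length {n} exceeds {policy.max_numeric_sequence}")
    if policy.max_char_occurrences and password:
        ch, n = Counter(password).most_common(1)[0]
        if n > policy.max_char_occurrences:
            violations.append(
                f"character {ch!r} occurs {n} times, limit is {policy.max_char_occurrences}")
    if policy.pattern is not None and re.fullmatch(policy.pattern, password) is None:
        violations.append("does not match the required pattern")
    return violations


if __name__ == "__main__":
    # Constructed policy values for illustration, not defaults from the product.
    policy = PasscodePolicy(
        forbidden_strings=["samsung", "knox"],
        max_char_sequence=3,
        max_numeric_sequence=3,
        max_char_occurrences=2,
        pattern=r"(?=.*\d)(?=.*[A-Za-z]).{8,}",  # 8+ characters with a letter and a digit
    )
    for candidate in ["Tr0ub4dor&3", "knox1234", "aaab"]:
        print(candidate, check_password(candidate, policy) or "accepted")
```

Running the block as a script evaluates three constructed candidates; `check_password` returns every violated rule rather than stopping at the first, which is what you want when explaining to a user why a password was rejected after a policy change.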
Restriction Settings
The Restriction Settings policies are available only with a KNOX Workspace license.
The following policies are enforced only when the user is in the container. For example, if you disable the “Permit camera use” policy, users are prevented from using the camera only when they are in the container. They can still use the camera when they are outside the container.
To turn off features when users are outside the container, use the Samsung KNOX Device Settings.
Policy | Description
--- | ---
Force secure keypad | Force device owners to use the secure keypad.
Permit camera use | Control whether users can use the camera on their device when they are in the container.
Permit user to delete KNOX container | Control whether users can delete the KNOX mode container.
Prevent user from changing app data sync setting | Control whether users can change the data import and export between personal and KNOX mode for the Contacts and S Planner applications. You can set the default configuration using the Applications that can sync with container policy in Samsung KNOX Workspace Settings.
Permit display of share via list | Control whether the share via list of applications is displayed.
Permit moving files into the container | Control whether users can move files from the device into the container. Users open the My Files application on the device to select and then move the files. The files are moved to the same folder in the container. Note: This policy is available for KNOX version 2 containers only.
Permit moving files out of the container | Control whether users can move files from the container into the device. Users open the My Files application in the container to select and then move the files. The files are moved to the same folder on the device. Note: This policy is available for KNOX version 2 containers only.
Permit screen capture in KNOX container | Control whether users can capture the container screen. Note: This policy is available for KNOX version 2 containers only.
Device Settings
The Device Settings policies require a KNOX Workspace license or a KNOX Premium license.

Policy | Description
--- | ---
Enable audit log | Enable an audit log on the device.
Enable certificate validation before installation | Enable certificate validation during installation.
Enable revocation check for application SSL connections | Check for certificate revocation for the specified applications.
Per app VPN settings | Assign a VPN profile to all applications or assign different VPN profiles to different applications. The VPN connection is opened automatically when the application is opened. Note: Use this policy to map applications installed in personal mode (outside the container) to the VPN profiles. For applications installed in the container, use the policy with the same name in the Container Settings category.
Trusted certificate authorities | Add a list of trusted CA certificates.
Touchdown Settings
This policy is available with a KNOX Express for IT or KNOX Premium license. Note, however, that to set policies using the Active Directory Group Policy Management Editor, you must have a KNOX Premium license. Otherwise, you can set policies through the Samsung CellWe EMM policy service only.

Policy | Description
--- | ---
Exchange ActiveSync Settings | Configure the Exchange ActiveSync profile for Android devices other than Samsung KNOX devices.
Appendix 3
Configuring the Samsung SDS CellWe
EMM cloud connector
This appendix explains how to use the Samsung SDS CellWe EMM cloud connector
configuration program to configure and monitor your cloud connector. It covers the
following topics:
• About the Samsung SDS CellWe EMM cloud connector and the configuration program
• Using the Status tab
• Using the Cloud Connector tab
• Using the Logging tab
You launch the Samsung SDS CellWe EMM cloud connector configuration program from
the Start menu on the host computer. You modify settings by selecting different tabs in the
window. You can see the tabs in the following figure.
About the Samsung SDS CellWe EMM cloud connector and the configuration program
The Samsung SDS CellWe EMM cloud connector runs on a host computer and manages
communications between Active Directory/LDAP and the Samsung cloud service. It
specifies groups whose members can enroll devices and a group whose members can
manage devices. It also monitors Active Directory for group policy changes, which it sends
to the Samsung cloud service to update enrolled devices.
Initial configuration of the cloud connector follows installation with the cloud connector
configuration wizard, which launches automatically. To complete the wizard, you must
identify a user group whose members can enroll devices and a container that stores accounts
for enrolled devices. You must also identify a group whose users have permission to manage
enrolled devices and manage the configuration.
The cloud connector configuration application allows you to complete the initial
configuration, if necessary, to make changes, and to configure additional features such as
logging and sending alerts that are set to default values during initial configuration. You can
also run this application to monitor the status of your cloud connector.
You can also monitor cloud connectors by using Admin Portal. However, Admin
Portal only allows you to monitor cloud connectors — it does not allow you to configure a
cloud connector in any way.
Note: The cloud service uses all of the available cloud connectors configured for a service. Each
server has its own cloud connector configuration program that you launch on the computer
hosting the cloud connector. However, when you make a change to any of the cloud
connectors in an installation (that is, servers registered to the same customer ID), the
changes are propagated to all the servers in the installation to ensure that they are all in
sync.
The Samsung SDS CellWe EMM cloud connector configuration program is installed on any
computer where a cloud connector is installed. You can launch it from the Windows Start
menu. The application appears as a window with tabbed panels:
• Status: Shows the server name, cloud service customer ID, and cloud service connection
status.
• Cloud Connector: Provides cloud connector controls and option settings.
• Logging: Enables logging for events associated with the cloud service configuration
user interface and with the Active Directory Users and Computers console and group
policy management console extensions.
Using the Status tab
The Status tab displays the following read-only information about the cloud connector:
• Server name displays the assigned name of this cloud connector.
• Customer ID displays the customer ID under which this cloud connector is registered.
You can install multiple cloud connectors using the same customer ID for load balancing
and failover. All active cloud connectors are used by the cloud service.
Note
Do not change this field.
• Cloud Connector is started|stopped shows whether the cloud connector is
started (running) or not.
• Connection to Samsung cloud service shows the date, time, and result of the last
connection to the Samsung cloud service.
Updating the cloud connector to the latest version
You use the Status tab to update the cloud connector to the latest version if you do not
enable automatic updates (see the Cloud Connector tab). To manually update the cloud
connector, right-click the update icon in the lower left of the Status tab and select Update.
Using the Cloud Connector tab
The Cloud Connector tab reports the customer ID under which the cloud connector is
registered and whether or not the server is started. It also offers the following controls:
• The Re-register button starts the Samsung SDS CellWe EMM cloud connector
configuration wizard and allows you to re-register this cloud connector. Generally, you
re-register the cloud connector under the same customer ID, and then only if the cloud
connector is having difficulty communicating with the Samsung cloud service and
customer support recommends that you re-register to address the issue.
Note
Re-registering under a different ID can destabilize your environment and should be
done only after consulting with customer support. Changing the ID moves the cloud
connector from one installation to another. If the cloud connector is the only server in an
installation, removing the server from the installation will cause any device enrollment
to the installation to fail, and enrolled devices will no longer receive policy changes.
• Click Start to start the cloud connector if it’s stopped.
• Click Stop to stop the cloud connector if it’s running.
• Select Allow support to access local cloud connector logs to give the cloud
service provider the ability to open the cloud connector log files. These files can help
resolve a problem and are the only files the service provider can open. The default is
selected.
• Click View Log to view the cloud connector log. Note that this is not the same as the
cloud connector configuration log viewed under the Logging tab. The cloud connector
log is turned on at all times and records all actions taken by the cloud connector. The
cloud connector configuration log is not turned on by default. When it is on, it records
cloud connector configuration activities taken using this application, not the actions of
the cloud connector.
• Use the Settings update interval text box to set the number of minutes this cloud
connector waits between checks of cloud connector settings with the Samsung cloud
service.
When any cloud connector in an installation changes its settings, it sends those settings
to the cloud service. When a cloud connector checks settings with the cloud service, if
there were new settings reported from any of the other cloud connectors in the
installation, the checking cloud connector downloads and accepts those settings. This
ensures that all cloud connectors in an installation have the same settings.
• Use the Active Directory user verification interval text box to set the number of
minutes this cloud connector waits between checks for active AD user accounts. When
the cloud connector checks Active Directory user accounts, it contacts Active
Directory to see if the user account listed for each enrolled device is active. If a device’s
associated user account is not active (is disabled or removed), the cloud service
unenrolls the device.
• Select the Enable auto-update check box to turn on automatic update for the cloud
connector. When auto-update is on, the cloud connector checks the Samsung cloud
service periodically to see if there is a cloud connector update. If there is, the cloud
connector downloads and installs the update, then restarts. This ensures that cloud
connector software is up-to-date. We recommend that you enable this option. See
“Configuring the cloud connector to install updates automatically” on page 259 for the
details.
• Select the Use a web proxy server for Samsung cloud service connection check
box if your network is configured with a web proxy server that you want to use to
connect to the Samsung cloud service. Note that the web proxy must support HTTP 1.1
for a successful connection to the Samsung cloud service. After you select this option,
enter the following information to enable the web proxy connection:
  - Address is the URL of the web proxy server.
  - Port is the port number to use to connect to the web proxy server.
  - Click Credential to enter the user name and password for an account that can log in
to the web proxy server.
Configuring the cloud connector to install updates automatically
You can configure the cloud connector to automatically install updates when new versions
are released. When you select this option, the cloud connector regularly polls the Samsung
cloud service and automatically installs a newer version. If you do not select this option, you
use the Samsung SDS CellWe EMM cloud connector configuration program to check for
and install updates manually.
To configure the cloud connector for automatic updates:
1 Click the Windows Start menu and open the Samsung SDS CellWe EMM cloud
connector configuration program.
2 Click Yes to allow this program to make changes to the computer.
3 Click the Cloud Connector tab.
4 Select Enable auto-update.
5 Click the Schedule button to select the times during which the cloud connector can
check for an update.
To set the times when the cloud connector can check for an update (cell is blue), click
“Auto-update Allowed” or “Auto-update Denied” to start with a full or blank slate; click,
drag and release to select an area of cells, and then click “Auto-update Allowed” or
“Auto-update Denied” to set the periods.
6 Click Close.
To check for and install cloud connector updates manually:
1 Click the Windows Start menu and open the Samsung SDS CellWe EMM cloud
connector configuration program.
2 Click Yes to allow this program to make changes to the computer.
3 In the lower left of the Status tab, right-click the update icon and select Update.
(Figure callout: Right-click the update icon and select Update to manually update the cloud connector.)
The cloud connector updates and then displays a message indicating that the software is
up to date.
Using the Logging tab
Use the Logging tab to enable logging for events related to the Samsung SDS CellWe EMM
cloud connector configuration program and the Active Directory Users and Computers
console and the group policy editor console extensions.
The application writes three separate log files. Click View Log to see the cloud connector
configuration log, or click ADUC log or GPOE log to see the log for each of these extensions.
Note that the cloud connector configuration log is not the same as the cloud connector log
viewed under the Cloud Connector tab. The cloud connector configuration log reports only
cloud connector configuration actions taken using this configuration application. The cloud
connector log reports actions taken by the cloud connector.
To enable logging:
1 Select Enable logging.
2 Click Browse to browse for a folder in which to write log entries.
Appendix 4
Configuring browsers for silent authentication
This appendix describes how to modify Settings in Admin Portal to allow users with
computers within a specified IP range to log in to the Samsung SDS CellWe EMM user
portal or Admin Portal administrator web portals without entering their credentials.
Note
For silent authentication to work, you must specify a customer ID in the URL to open
the portal. For example, to log in to the user portal the user would enter the following URL:
https://cloud.samsungemm.com/my?customerID=<loginsuffix>
where <loginsuffix> is any of the login suffixes listed in Login Suffixes in Settings in
Admin Portal. For example, if you have a login suffix “acme.com” the user would enter the
following:
https://cloud.samsungemm.com/my?customerID=acme.com
When your organization registered for the Samsung cloud service and you chose an
alternate region or were assigned to an alternate host, you may need to replace
https://cloud.samsungemm.com/ with the appropriate host name. This host name is available in
your browser URL or location field after you log in to either the user portal or Admin
Portal.
Configuring web browsers for silent authentication
For silent authentication to work when logging in to the Samsung SDS CellWe EMM user
portal or Admin Portal, there are a few browser configuration tasks that may be necessary.
• Firefox: Either set network.negotiate-auth.allow-non-fqdn to True or add the
cloud connector host name to the network.negotiate-auth.trusted-uris list of
trusted sites (see “Configuring Firefox to allow silent authentication” on page 262).
• Internet Explorer: Make sure Integrated Windows Authentication (IWA) is enabled,
and then in most cases silent authentication works without further configuration.
Additional details are included here in case you need to make some configuration
changes (see “Configuring Internet Explorer security zones” on page 263).
• Chrome and Safari: In most cases, silent authentication works without further
configuration. Additional details are included here in case you need to make some
configuration changes (see “Configuring Google Chrome on Windows for silent
authentication” on page 265 or “” on page 265).
Note
Silent authentication works as installed with Windows Firewall. If you are using a
different firewall system, be sure to allow traffic on the port specified in Cloud Connectors
in Settings in Admin Portal. By default, this port is 80.
Configuring Firefox to allow silent authentication
To enable silent authentication for users logging in to the Samsung SDS CellWe EMM user
portal or Admin Portal you need to do one of the following in the users’ browser:
• If you did not change the cloud connector host name to a fully qualified domain name
(by default it is not), set the network.negotiate-auth.allow-non-fqdn
Preference Name to true.
By default, the host name used by the Samsung cloud service uses the format
http://hostname, where hostname is the host name of the cloud connector.
• If you did change the cloud connector host name to a fully qualified domain name, you
need to add the fully qualified domain names for the cloud connector host computers to
the network.negotiate-auth.trusted-uris Preference Name.
Note
You can enter just the domain name, for example mycompany.com, or list each fully
qualified domain name individually. Listing them individually is more secure. However,
you must then remember to add the fully qualified domain name every time you add a
new cloud connector host.
To configure silent authentication in Firefox using network.negotiate-auth.allow-non-fqdn:
1 Open Firefox.
2 Type about:config as the target URL.
3 Type neg in the Filter field.
4 Select network.negotiate-auth.allow-non-fqdn. If it is set to false, right-click and
select Toggle. If it is already set to true, do not change it.
5 Close the about:config tab and close Firefox.
To configure silent authentication in Firefox using network.negotiate-auth.trusted-uris:
1 Open Firefox.
2 Type about:config as the target URL.
3 Type neg in the Filter field.
4 Select and right-click network.negotiate-auth.trusted-uris and select Modify.
Enter a comma-separated list of the fully qualified domain name for each cloud connector
as string values, then click OK.
For example, if you have two cloud connectors—hosta.mycompany.com and
hostb.mycompany.com—you click Modify, enter the following and click OK.
hosta.mycompany.com,hostb.mycompany.com
The less-secure alternative would be to enter just the domain name. For example, you
would click Modify, enter the following and click OK.
mycompany.com
5 Close the about:config tab and close Firefox.
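The following Python script is an added illustration, not code from this guide or from Samsung SDS. It models the two Firefox preferences set above (network.negotiate-auth.allow-non-fqdn and network.negotiate-auth.trusted-uris) using the matching behaviour the appendix describes (a bare domain such as mycompany.com covers every host beneath it; a single-label host is covered when allow-non-fqdn is true), so an administrator can see which hosts would receive silent Negotiate authentication before pushing a preference to users. Host names other than the guide's hosta.mycompany.com and hostb.mycompany.com are constructed.

```python
from urllib.parse import urlsplit


def parse_trusted_uris(pref_value: str) -> list[str]:
    """Split the comma-separated preference into lower-case host/domain entries.

    An entry may carry a scheme (https://hosta.mycompany.com); only its host is kept.
    """
    entries = []
    for raw in pref_value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        host = urlsplit(raw).hostname if "://" in raw else raw
        if host:
            entries.append(host.lower())
    return entries


def entry_matches(entry: str, host: str) -> bool:
    """Suffix match as the guide describes it: 'mycompany.com' covers
    hosta.mycompany.com and every other host in that domain. An entry with a
    leading dot (.mycompany.com) covers subdomains only, not the apex itself."""
    host = host.lower()
    if entry.startswith("."):
        return host.endswith(entry)
    return host == entry or host.endswith("." + entry)


def silently_authenticated(pref_value: str, allow_non_fqdn: bool,
                           hosts: list[str]) -> list[str]:
    """Hosts (in input order) that would receive a Negotiate token without a
    prompt: any trusted-uris match, plus every single-label host when
    network.negotiate-auth.allow-non-fqdn is true."""
    entries = parse_trusted_uris(pref_value)
    out = []
    for host in hosts:
        non_fqdn_ok = allow_non_fqdn and "." not in host
        if non_fqdn_ok or any(entry_matches(e, host) for e in entries):
            out.append(host)
    return out


def excess_trust(pref_value: str, allow_non_fqdn: bool,
                 connectors: list[str], hosts: list[str]) -> list[str]:
    """Hosts that would receive credentials although they are not cloud
    connectors. A non-empty list is the cost of the guide's less-secure
    alternative of entering just the domain name."""
    wanted = {h.lower() for h in connectors}
    return [h for h in silently_authenticated(pref_value, allow_non_fqdn, hosts)
            if h.lower() not in wanted]


# Constructed sample data: the guide's two connectors plus other hosts a user
# might browse to. STRICT is the recommended form, LOOSE the alternative.
CONNECTORS = ["hosta.mycompany.com", "hostb.mycompany.com"]
SAMPLE_HOSTS = CONNECTORS + ["fileshare.mycompany.com", "hosta", "www.example.com"]
STRICT = "hosta.mycompany.com,hostb.mycompany.com"
LOOSE = "mycompany.com"

if __name__ == "__main__":
    for label, pref in (("strict", STRICT), ("loose", LOOSE)):
        extra = excess_trust(pref, False, CONNECTORS, SAMPLE_HOSTS)
        print(f"{label}: trusted-uris={pref!r} -> unintended hosts: {extra}")
```

With the strict list only the two connectors match; with the bare domain, every other host in mycompany.com would also be sent the user's Negotiate token.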
Configuring Internet Explorer security zones
For users to be authenticated silently when they use Internet Explorer to open the Samsung
SDS CellWe EMM user portal or Admin Portal, two conditions must be met:
• Internet Explorer must have integrated Windows authentication enabled. For details,
see “Enabling Integrated Windows Authentication” on page 264.
• If you are using a fully qualified domain name (FQDN) URL, the cloud connector must
be in the local intranet Internet Explorer security zone or explicitly configured as
part of the local intranet security zone.
For Internet Explorer, a server is recognized as part of the local intranet security zone in
one of two ways:
• When the user specifies a URL that is not a fully qualified DNS domain name. For
example, if you access an application with a URL such as http://acme/index.html,
Internet Explorer interprets this as a site in the local intranet security zone.
By default, the cloud connector host name is not a fully qualified DNS domain
name. The Samsung cloud service uses the format https://hostname, where
hostname is the host name of the cloud connector.
• When the user specifies a URL with a fully qualified name that has been explicitly
configured as a local intranet site in Internet Explorer (see instructions below). For
example, if you access an application with a URL such as
http://acme.mycompany.com/index.html, Internet Explorer interprets this as a site that is
not part of the local intranet unless the site has been manually added to the local
intranet security zone.
Note
Depending on whether users log on to Web applications using a local intranet URL or a
fully qualified path in the URL, silent authentication may require modifying the local
intranet security zone in Internet Explorer.
Enabling Integrated Windows Authentication
Use the following procedure to enable silent authentication on each computer.
To enable Integrated Windows Authentication for Internet Explorer:
1 Open Internet Explorer and select Tools > Internet Options
2 Click the Advanced tab.
3 Scroll down to the Security settings.
4 Check the Enable Integrated Windows Authentication box.
5 Restart Internet Explorer.
Adding a web site to the local intranet security zone
By default, the Samsung SDS CellWe EMM cloud connector host name is not a fully
qualified domain name. When this is the case, you do not need to add the URL—https://
hostname—to the local intranet, and users get silent authentication when they log in to the
Samsung SDS CellWe EMM user portal or Admin Portal.
However, if you change the cloud connector host name to a fully qualified domain name,
you need to add the cloud connector host FQDN URL (https://hostname.domain.com) in
each user’s Internet Explorer Local Intranet before they can get silent authentication.
To add the cloud connector host FQDN URL to the Internet Explorer local intranet:
1 Open Internet Explorer and select Tools > Internet Options
2 Click the Security tab.
3 Click the Local intranet icon.
4 Click Sites.
5 Click Advanced.
6 Type in the URL https://hostname.domain.com in the text box and click Add. Then
click Close.
Note
If there is a URL in the text box already, either delete it or click Add to save it.
7 Click OK to accept the local intranet configuration settings, then click OK to close the
Internet Options dialog box.
Configuring Google Chrome on Windows for silent authentication
In most cases, silent authentication works for Google Chrome without additional
configuration, if the cloud connector host name is available in your DNS.
Appendix 5
Re-enrolling a device in domains with a different customer ID
If your organization has multiple customer IDs in the same forest, you might encounter a
situation in which users cannot unenroll a device from one domain and then enroll it in
another. When they try to enroll it in the new domain, they get the message, ‘A transaction
with the server at <server name> has failed with the status “403”.’
This situation can occur when you have multiple cloud connectors, each with a different
customer ID, and each cloud connector uses a different Active Directory container to store
the device object. There are a couple of common situations in which this can occur:
• When you have test and production deployments, each in a separate domain, and each
domain has a separate cloud service customer ID.
• When your organization has different divisions—for example, a North America and an
APAC division—with separate domains and cloud service customer IDs.
The administrative problem is this: the same device cannot have separate objects in two
different organizational units within the same forest. This is a problem because unenrolling
a device does not delete it from the organizational unit. When the user unenrolls a device,
the cloud service just changes the state from “enrolled” to “unenrolled.”
To allow the user to enroll the same device in another domain with a separate customer ID,
an administrator needs to do one of the following:
• Grant the destination cloud connector permission to move or remove objects (in this
case, the device object) in the original cloud connector’s organizational unit.
• Manually delete the device object from the original cloud connector organizational unit
when the user unenrolls the device. You can do this in Active Directory or using Admin
Portal. When the user enrolls the device the next time, the cloud service creates a new
object in the destination organizational unit.
• Manually move the device object from the original cloud connector organizational unit
to the destination after the user unenrolls it. When the user enrolls the device the next
time, the cloud service updates the device object’s state to enrolled in the destination
organizational unit.