This week is all around another Android Enterprise related subject. This week is about the additional configuration layer that is also known as OEMConfig. OEMConfig provides OEMs with the capabilities of building an additional configuration layer on top of the configuration layer that is provided out-of-the-box via the Android Management API. That provides Microsoft Intune with the possibility to implement support for OEMConfig and that provides the OEM with the possibility to implement additional configuration options via OEMConfig. That enables the OEM to quickly introduce new features, without having to wait on Microsoft Intune to introduce those new features. In this post I’ll start with a further introduction to OEMConfig, followed with an example of using OEMConfig. In that example I’ll use the Samsung Knox Service Plugin (KSP) app to show how that can be used to add additional options on top of the configuration options that are already available within Microsoft Intune. I’ll end this post by having a look at the end-user experience of that example.
Introduction to OEMConfig
OEMConfig provides an additional configuration layer on top of the Android Management API. That might sound like a contradiction with the initial thoughts about Android Enterprise. The initial thoughts were that Android Enterprise would solve all the different configuration options that became available for Android Device Administrator via the different OEMs. That’s, however, not really what Android Enterprise provides. Android Enterprise provides the basic management APIs and OEMs can utilize OEMConfig to build on top of that. The big difference, however, is that it’s now standardized by Google. OEMConfig is defined on a similar configuration standard as AppConfig. The OEM creates an app that uses app configuration to configure OEM specific configurations. That enables Microsoft Intune to implement the basic management options that are available via the Android Management API and on top of that to implement support for the OEMConfig standard, to be able to support all the settings that are available via the Android Management API and all the settings that are available via the different OEMs. With the support of Microsoft Intune for OEMConfig that means the following flow from the OEM API to the configuration on the Android device.
- The OEM develops their own API on top of the Android Management API
- The OEM develops their own OEMConfig app that supports their own API
- The OEM publishes their own OEMConfig app in the Google Play Store
- The IT administrator uses Microsoft Intune to approve and distribute the OEMConfig app
- The IT administrator uses Microsoft Intune to configure the available settings via the OEMConfig app
- The users provisions and configures their Android device via Microsoft Intune
- Microsoft Intune pushes the OEMConfig app via the Managed Google Play Store
- Microsoft Intune pushes the configuration to the OEMConfig app
Note: Keep in mind that this is a continuous flow (with exception of step 4,6 and 7). When the OEM provides new settings via their API (and their OEMConfig app), Microsoft Intune will be able to configure those settings with the updated version of the OEMConfig app.
Distribute and configure the Samsung Knox Service Plugin app
As an example, let’s have a look at the Samsung Knox Service Plugin (KSP) app. The KSP app enables IT administrators to use (a subset of) the Knox Platform for Enterprise (KPE) features as soon as those features are available. In this case, the KSP app (OEMConfig app) interfaces with the KPE APIs (the OEM API). The KSP app can be used with OEMConfig in Microsoft Intune to do additional configurations, or basic configurations that are not yet available via Microsoft Intune, on Samsung devices. The required actions within Microsoft Intune are described below.
Note: Keep in mind that the Samsung KSP app is just an example. Many more OEMs provide OEMConfig apps nowadays. The list of supported OEMConfig apps in Microsoft Intune can be found here.
Approve and distribute the Samsung Knox Service Plugin app
The first action is to approve and distribute the KSP app. The KSP is published in the Google Play Store and can be approved and distributed by following the next seven steps.
- Open the Microsoft Endpoint Manager admin center portal navigate to Apps > All apps > Android to open the Android | Android apps blade
- On the Android | Android apps blade, click Add to open the Select app type page
- On the Select app type page, select Managed Google Play app as App type and click Select to open the Managed Google Play page
- On the Managed Google Play page, search for the Knox Service Plugin app, select the app and click Approve to open the Permissions dialog
- On the Permissions dialog, click Approve to open the Approval settings dialog
- On the Approval settings dialog, select Keep approved when app requests new permissions click Done
- Click Sync (as shown in Figure 3) to synchronize the approved app to Microsoft Intune
Configure the Samsung Knox Service Plugin app
The second action is to configure (some of) the available options of the KSP app. This requires the first action to be successfully completed, as the KSP app must be available within Microsoft Intune to continue with the configuration. To show the added value of OEMConfig, the example configuration will be focused on the new Android Enterprise Corporate-Owned devices with Work Profile deployment scenario. At this moment that deployment scenario doesn’t provide the ability to prevent data sharing between the Work Profile and the personal profile, while the KSP app does provide that ability. Besides that, the configuration will customize the device to clearly show that OEMConfig was used. The following eight steps walk through the process of creating and assigning that OEMConfig configuration profile.
- Open the Microsoft Endpoint Manager admin center portal navigate to Devices > Configuration profiles to open the Devices | Configuration profiles blade
- On the Devices | Configuration profiles blade, select Create profile to open the Create a profile page
- On the Create a profile page, provide the following information and click Create
- Platform: Select Android Enterprise
- Profile: Select OEMConfig
- On the Basics page, provide the following information and click Next
- Name: Provide a valid name for the OEMConfig configuration profile
- Description: (Optional) Provide a valid description for the OEMConfig configuration profile
- OEMConfig app: Click Select an OEMConfig app and select the Knox Service Plugin app and click Select
- On the Configuration settings page, provide the following information and click Next
- On the Knox Service Plugin settings section, provide the following information (see Figure 2) and click on Configure with Work profile policies (Profile Owner)
- Profile name: Provide a valid unique name for the profile to recognize the settings of this profile
- KPE Premium or Knox Suite License key: Provide a KPE Premium license key or a Knox Suite license key to provide support for the premium features that are available
- Debug mode: Select true to enable debug mode and show the KSP app for viewing debug information
- On the Work profile policies (Profile Owner) settings section, provide the following information (see Figure 3) and click on Configure with Work profile configuration (Premium)
- Enable work profile policies: Select true to enable the Work Profile policies
- On the Work profile configuration (Premium) settings section, provide the following information (see Figure 4), return to Work profile policies (Profile Owner) section and click on Configure with RCP policy (Premium)
- Enable work profile configuration controls: Select true to enable the Work Profile configuration controls
- Allow adding apps from personal space to work profile: Select false to prevent installing apps from the personal space to the Work Profile
- Customize work profile tab name: Provide a custom name for the Work Profile tab on the home screen and the device settings to clearly show that OEMConfig is applied
- Customize personal tab name: Provide a custom name for the personal tab on the home screen and the device settings to clearly show that OEMConfig is applied
- On the RCP policy (Premium) settings section, provide the following information (see Figure 5)
- Enable RCP Policy Controls: Select true to enable the RCP policy controls
- Allow moving files from personal space to work profile: Select false to prevent moving files from the personal space to the Work Profile
- Allow moving files from work profile to personal space: Select false to prevent moving files from the Work Profile to the personal space
- Enable RCP data sync policy (Configure profiles below): Select false to disable the RCP data sync policy
- Enable Sharing of Clipboard Data to Owner: Select false to prevent the sharing of the clipboard data
Important: The settings with premium in the postfix of the name, require additional Samsung licensing.
Note: At some point in time the data moving and sharing settings will probably become available in a device restrictions policy without the need of an OEMConfig.
- On the Scope tags page, configure the applicable scope tags and click Next
- On the Assignments page, configure the assignment by selecting the applicable group and click Next
- On the Review + create page, review the configuration and click Create
End-user experience with the Samsung Knox Service Plugin app
Now let’s end this post by having a look at the end-user experience. The best method to test the end-user experience after applying the configurations that are applied via the KSP app, is by having a look at a few screens. Below in Figure 6 is an example of the customization. The personal space and the Work Profile are renamed, to clearly show that the OEMConfig is applied. Below in Figure 7 and 8 are examples of the clipboard sharing. The clipboard items of the personal space are available in the Work Profile (Figure 8), but the clipboard items of the Work Profile are not available in the personal space (Figure 7).
Below in Figure 9 and 10 are examples of the file separation. The screenshot of the clipboard in the personal space, is only available in the files of the personal space (Figure 9) and the screenshot of the clipboard in the Work Profile, is only available in the files of the Work Profile (Figure 10). The best part of that separation isn’t even available in the screenshot, as the best part is that it’s also not allowed to move the file from personal space to the Work Profile or from the Work Profile to the personal space. Below in Figure 11 is an overview of the OEMConfig that is applied via the KSP app.
Note: Make sure to test the behavior across multiple devices and multiple versions of Android, in combination with the required Android Enterprise deployment scenario. I’ve seen differences in behavior across devices and Android versions, especially in combination with Android Enterprise Corporate-Owned devices with Work Profile. Sometimes even just after waiting some time.
For more information around Android Enterprise and the use of OEMConfig, have a look at the following docs.
17 thoughts on “Android Enterprise and Microsoft Intune: And the additional configuration layer”
Great stuff about this part.
Is there also an option to remove some samsung stuff like Login to Samsung account?
I tried to remove that with intune policys and removing apps from device. But somehow that option is still open.
What Android Enterprise enrollment are you using?
Full managed, by intune.
We are using Samsungs, but i want to have a clean Samsung without to many Samsung stuff like Samsung Login, Themes etc…
At settings, i cant remove the Samsung Acccount.. I can disable it.. But not deleting it.
So i hope you have an idea if its possible to remove it.
Are you also using Samsung KME? If so, you can also use that already to disable the system applications during the out-of-box-experience.
Yes i use Samsung KME, but i did disable the system apps. But i still have them Samsung Account option when i go to Settings. I can also disable it in Intune, but i prefer to not see it on a work phone.
Apologies for the late reply, as I was enjoying my vacation. Not sure if there are any other options to completely remove that. You might want to check with Samsung.
do i need to publish the Samsung Knox Service Plugin app to the devices / users to get this to work?
If you are looking at OEMConfig for Samsung devices, than the answer is yes.
Is it also possible to expand this article with how to configure buttons with this plugin?
I know its possible, but still didnt found any good article about it how to configure it right.
Apologies for the late reply, as I was enjoying my vacation. Not sure if it’s even possible to reconfigure the physical buttons. What type of device are you referring to?
I cant delete it, but can Disable Application without user interaction.
Disable Application without user interaction
com.osp.app.signin, com.samsung.android.themestore, com.samsung.android.bixby.service, com.samsung.android.smartmirroring, com.samsung.android.fmm , com.samsung.android.fmm, com.samsung.android.app.cocktailbarservice,com.samsung.android.app.dressroom
So these settings are disabled in the settings menu from a Samsung Smartphone.
Is this a working configuration for you, or are you still looking for steps to configure this?
i still would like to use android zero touch enrollment and use intune as mdm. i only want to use the knox service plugin that requires premium license to configure some premium settings for samsung devices.
all i need is to create a generic work account and sign up knox portal and samsung account and buy premium license from there? i do not wish to use samsung knox as mdm and devices continue to import to android zero touch portal by resellers.
Apologies for the late reply, as I was enjoying my vacation. You don’t even need to buy a premium license anymore for most functionalities.
thanks for the reply. oh, i was trying to configure ‘show location control’ which requires premium license.
by the way , do you recommend to register samsung knox account using employee work account or generic work account because not sure if will affect samsung knox account when employee left the company if use to register.
You can just create a Samsung account and request that premium license. The best would indeed to use a more generic account, to prevent that exact challenge with employees leaving.