Data flow: Activating a device to use 

KNOX Workspace

 You perform the following actions:

Add a user to 
BlackBerry UEM
 as a local user account or using the account information retrieved from your company directory.
Make sure the "
Work and personal - full control
 (
Samsung KNOX
)" or "
Work space only
 - (
Samsung KNOX
)" activation type is assigned to the user.
Instruct the user to download and install the 
BlackBerry UEM Client
.
Use one of the following options to provide the user with activation details:
Automatically generate a device activation password and send an email with activation instructions for the user
Set a device activation password and communicate the username and password to the user directly or by email
Communicate the 
BlackBerry UEM Self-Service
 address to the user so that they can set their own activation password

The user performs the following actions:

Connects to your work 
Wi-Fi
 network
Downloads and installs the 
UEM Client
 on the device
Opens the 
UEM Client
 and enters the email address and activation password

The 

UEM Client

 establishes a connection with 

BlackBerry UEM

 and sends an activation request to 

BlackBerry UEM

. The activation request includes the username, password, device operating system, and unique device identifier.

BlackBerry UEM

 performs following actions:

Inspects the credentials for validity
Creates a device instance
Associates the device instance with the specified user account in the 
BlackBerry UEM
 database
Adds the enrollment session ID to an HTTP session
Sends a successful authentication message to the device

The 

UEM Client

 creates a CSR using the information received from 

BlackBerry UEM

 and sends a client certificate request to 

BlackBerry UEM

 over HTTPS.

BlackBerry UEM

 performs the following actions:

Validates the client certificate request against the enrollment session ID in the HTTP session
Signs the client certificate request with the root certificate
Sends the signed client certificate and root certificate back to the 
UEM Client

The 

UEM Client

 requests all configuration information and sends the device and software information to 

BlackBerry UEM

.

BlackBerry UEM

 stores the device information in the database and sends the requested configuration information to the device.

The 

UEM Client

 determines if the device uses 

KNOX Workspace

 and is running a supported version. If the device uses 

KNOX Workspace

, the device connects to the local 

Samsung

 KLM server and activates the 

KNOX

 management license. After it's activated, the 

UEM Client

 applies the 

KNOX

 MDM and 

KNOX Workspace

 IT policy rules.

The device sends an acknowledgment to 

BlackBerry UEM

 that it received and applied the configuration information. The activation process is complete.