Environment
- Knox Manage (KM)
- Android 9 and higher
Overview
This article explains why some Android 9 and higher devices managed by KM do not receive device commands after they are rebooted, and walks you through configuring the Strong Protection and direct boot command polling interval settings.
Cause
Samsung devices running Android 9 and higher have the "Strong Protection" feature, which encrypts your device's data. While this feature is available from Android 7, its security has been enhanced in Android 9. You can find the Strong Protection feature on your device by following the steps below:
- On your device, go to Settings > Biometrics and security > Other security settings.
- Select Strong protection.
By default, Strong Protection is enabled. After a restart, until you unlock the device, only a few services are permitted to run (e.g. alarm clock, SMS, calls). All other services, including UEM agents, cannot run until the device is unlocked. As a result, the KM agent is unable to receive commands from the server after a reboot until you unlock the device.
Resolution
Included in the KM v20.2 client update, Direct Boot Support allows many KM device commands and policies to be applied to your device even if it is in a locked state (i.e. not unlocked since it was last powered on). The following KM device commands can run in Direct Boot mode:
- Unenroll (AE Only)
- Update Profile
- Event (Trigger)
- Report
- Factory initialization & SD Card initialization
- Factory initialization
- Initialize Knox Password
- Delete Knox
- GetDeviceCommand (internal)
After a reboot, KM now periodically checks whether your device is still in a locked state. You can change this polling interval by following these steps:
- From your KM console, navigate to Settings > Basic Configuration > Device > Direct boot command polling interval for Android (min).
- Configure the time interval as desired.
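The following is an added illustration of the mechanism described above, not Knox Manage code: a direct-boot-aware Android receiver that, at locked boot, reads an admin-configured polling interval (in minutes) from device-protected storage and schedules a periodic poll, then cancels it once the user has unlocked the device. The class names, the preference name and key, the job id, the default interval and the `CommandPollJob` service are all assumptions; the manifest is assumed to declare the receiver and the job service with `android:directBootAware="true"` and to hold the `RECEIVE_BOOT_COMPLETED` permission.

```java
// Added example, not Knox Manage code. Assumed manifest: this receiver and a
// CommandPollJob JobService (hypothetical, not shown) are directBootAware, the
// receiver filters LOCKED_BOOT_COMPLETED and BOOT_COMPLETED, and the app holds
// android.permission.RECEIVE_BOOT_COMPLETED.
import android.app.job.JobInfo;
import android.app.job.JobScheduler;
import android.content.BroadcastReceiver;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.SharedPreferences;
import android.os.UserManager;

public class DirectBootAgentReceiver extends BroadcastReceiver {
    static final int LOCKED_POLL_JOB_ID = 4001;          // hypothetical id
    static final String DE_PREFS = "agent_de_prefs";     // hypothetical name
    static final String KEY_POLL_MIN = "direct_boot_poll_min";
    static final long DEFAULT_POLL_MIN = 15;              // hypothetical default

    @Override
    public void onReceive(Context ctx, Intent intent) {
        JobScheduler scheduler = ctx.getSystemService(JobScheduler.class);
        UserManager um = ctx.getSystemService(UserManager.class);
        if (Intent.ACTION_LOCKED_BOOT_COMPLETED.equals(intent.getAction())) {
            // Delivered before first unlock. With no lock credential set the
            // user is already "unlocked" here and the normal agent path applies.
            if (um.isUserUnlocked()) return;
            scheduler.schedule(buildLockedPollJob(ctx));
        } else if (Intent.ACTION_BOOT_COMPLETED.equals(intent.getAction())) {
            // For direct-boot-aware apps this arrives only after the user has
            // unlocked, so credential-encrypted storage is available and the
            // regular agent takes over: stop the locked-state poller.
            scheduler.cancel(LOCKED_POLL_JOB_ID);
        }
    }

    static JobInfo buildLockedPollJob(Context ctx) {
        // Device-protected storage is the only app storage readable before the
        // first unlock, so it must hold nothing sensitive: the interval only,
        // never tokens or credentials.
        SharedPreferences de = ctx.createDeviceProtectedStorageContext()
                .getSharedPreferences(DE_PREFS, Context.MODE_PRIVATE);
        long minutes = de.getLong(KEY_POLL_MIN, DEFAULT_POLL_MIN);
        // JobScheduler clamps shorter periods to its minimum anyway; do it
        // explicitly so the effective interval is visible in logs/debugging.
        long periodMs = Math.max(minutes * 60_000L, JobInfo.getMinPeriodMillis());
        return new JobInfo.Builder(LOCKED_POLL_JOB_ID,
                new ComponentName(ctx, CommandPollJob.class))
                .setPeriodic(periodMs)
                .setRequiredNetworkType(JobInfo.NETWORK_TYPE_ANY)
                .build();
    }
}
```

The job service itself would check `UserManager.isUserUnlocked()` on each run and dispatch only commands that need no credential-encrypted data while the device is still locked, which is why the Direct Boot command list above is a subset of all KM commands.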
Workaround
While you can disable Strong Protection through Settings > Biometrics and security > Other security settings > Strong protection to ensure that the KM agent receives device commands, we do not recommend this method, because your device's data will then be unencrypted.
To avoid potential security vulnerabilities, update your KM client to v20.2 instead.
Additional information
- For more information about Android's implementation of Direct Boot, see the Android Developer documentation.
- To learn more about KM's direct boot command polling interval feature, see the KM admin guide.