What did you mean by "get locked out"?  If you don't have the password, you of course cannot access the data in the folder.  Even if you can blacklist the Secure folder,  you still can't access the data, nor remove the folder (i.e. free up storage space) from your file-system.   However, end-user should be able to freely do anything with any app items not in the secure folder/workspace.  

I don't have any Samsung S7 device to confirm, but based on tests on S6 and S9, I believe the Knox Workspace you referred to actually is the Samsung Secure Folder app with bundle ID  com.samsung.knox.securefolder.  If so, you can definitely blacklist such app with the bundle ID, which I have successfully completed in my tests a moment ago.  

If you are referring to something else, please check the "Installed Application" tab of the device on your web console and locate the item "Samsung Knox Workspace" as you mentioned in your post.  See if you can blacklist the corresponding Bundle ID with application-run-control configuration in a profile.

Hi Raymond,

Thank you for your response. The Workspace app will actually lock all access for the end-user to the phone itself. 

The only way that I have found prior to your suggestion is to wipe the phone and then turn off the permissions to the app from being able to "Appear on Top".

I will try your suggestion to blacklist the com.samsung.knox,securefolder.

I will let you know if it is successful.

Thank you again for your help!

I am new to this whole MDM thing so please bear with me ;).

Here are the samsung apps that I am trying to blacklist.

The phone that I have in the testing area of our Hierarchy where this profile is being applied is not allowing the apps to be removed.

The only thing I can assume is that I am not performing the blacklist operation properly.

Please advise.

Thanks

Richard

As said earlier, I don't have any Samsung S7 with me, nor do I know exactly what was done in "Settings"  to activate your so-called Samsung Workspace.   Thus, I'm more or less in the dark based on your very brief information supplied so far.   Depending on which Samsung KNOX product you are using, if your "Samsung Workspace" has been granted administrator permission, it is totally possible that the app cannot be blacklisted by MobiControl even if you configure the ARC profile configuration properly.  (In my test on S6 with the Samsung Secure Folder app on Android+ platform, I was able to use ARC blacklist to exclude the app from being run, though the storage occupied cannot be claimed back).) 

What is the Android firmware version of your device? What about the active MDM API's reported by the device agent orby your web console?

Another strange thing is that Samsung Workspace is supposed to be an additional  KNOX container that hold secured information for BYOD use-case, and having it enabled should not result in your whole device being locked out as you said.  What MobiControl profile(s) did you deploy to your problematic devices?  Did you enable lockdown-menu/kiosk mode?  What about "enabling secure startup" in your device's  "Settings"?

What warning/error message or other thing(s) on the device/web-console gave you the idea that the ARC profile being applied was not allowing the apps to be removed?   How did you get the seven bundle ID's included in your ARC blacklist?  Have you actually checked the "Installed application" tab  associated with your device to check what is the bundle ID of your "Samsung Workspace app" on the device?  What is the version of the app?  Are you using free or paid version of this Samsung KNOX-based app? 

Hi Raymond,

Thank you again for your assistance. You pointed me in the right direction. I have only been using this MDM for a month or so, so I am not really familiar with some of the questions you are asking. I am learning as I go ;).

You helped my track down the bundle for the Samsung Knox Workspace. On the Samsung Galaxy S7's it is located within this bundle: com.samsung.android.knox.containeragent

Blacklisting this bundle has successfully removed the Workspace app from the devices.

I will look into more of what you had mentioned in your previous post to see if there is anything within our standard configuration profile that may be affecting this.

Thank you again fro your assistance Raymond!