SOTI Pulse Logo

Not all Knox Service Plug-in (KSP) Policies applied to Samsung Galaxy Tab A7 Lite (SM-T227U); All Files Access and Notification Access not being granted to MobiControl Device Agent

S
Shawn
IMC Companies MSP

Hi all,

I'm using Samsung Knox Service Plug-in (KSP) to push policies to our fleet of 2 device types below:

Samsung Galaxy Tab A7 Lite (SM-T227U).
Samsung Galaxy Tab A9+ (SM-X218U).

I followed the steps outlined in these 3 articles to grant Special Access Permissions to SOTI MobiControl and the Files by Google app, but have not seen all policies succesfully apply to the Tab A7 Lite.

https://docs.samsungknox.com/admin/knox-platform-for-enterprise/knox-service-plugin/kbas/kba-1261-grant-special-permissions-for-an-app/

https://docs.samsungknox.com/admin/knox-platform-for-enterprise/knox-service-plugin/kbas/kba-1151-policies-not-applying-after-installation-on-device/

https://discussions.soti.net/articles/000002579

All policies are being applied to the Tab A9+, but only some policies are applied to the Tab A7 Lite. I pushed KSP via Managed Google Play, and have tried pushing the configuration policies in both the Managed App Config page and the Profiles section using OEMConfig for Samsung. I have entered valid Knox Platform for Enterprise (KPE) license keys, and yet I'm not sure why all policies don't take effect on the Tab A7 Lite. In debug mode, the Knox Service Plug-in app states all policies have applied successfully, or that the latest policies have already been applied, and yet this isn't true as the special access permissions aren't turned on for MobiControl, one of the policies I configured. I have sent logs, including Configuration Results, Received Policies, and dump state device logs to Samsung support, but no one has been helpful so far. Battery restriction shows as unrestricted when I followed the steps in Samsung's knowledge base. I also don't receive any errors of any kind in the KSP app while debug is on. It only says that all policies have successfully been applied, even though they have not upon checking after, so I'm not sure what to try next.

The policies I configured to be pushed are:

Device-wide policies (Selectively applicable to Fully Manage Device (DO) or Work Profile-on company owned devices (WP-C) mode as noted)  

Enable device policy controls             ON

Application management policies  

                                Enable application management controls                 ON

                                Battery optimization allowlist: com.samsung.android.knox.kpu

                                Package Name for Auto-Launch: com.samsung.android.knox.kpu

                Enable permission controls             ON

 

Permission Controls

  1. Permission Policy: Notification Access

Package or Component Name: net.soti.mobicontrol.androidwork/net.soti.mobicontrol.notification.SotiStatusBarNotificationListenerService

  1. Permission Policy: All files access, Appear on top, Change system settings, Alarms & Reminders, Usage data access, ALL
    Package or Component Name:net.soti.mobicontrol.androidwork/net.soti.mobicontrol.ui.MainActivity
  1. Permission Policy: All files access
    Package or Component Name: com.google.android.apps.nbu.files

The policies not being applied are:

All Files Access

Notification Access

For the apps:

SOTI MobiControl

Files by Google

This only affects Samsung Galaxy Tab A7 Lite devices (SM-T277U). They are running Android 14, although some are running Android 13. The version of Knox Service Plug-in is 1.4.72 (24.06)

The Galaxy Tab A9+ (SM-X218U) hasn’t had any issues and all policies are applied successfully. The issue is only with Galaxy Tab A7 Lite devices.

Any assistance would be greatly appreciated.

KPE SM-T227U samsung oemconfig Knox Service Plug-in KSP Galaxy Tab A7 Lite Knox for Enterprise
a year ago
Android
ANSWERS
RC
Raymond Chan Diamond Contributor
a year ago

What are the Knox Library versions on your Tab A7 Lite and Tab A9+ devices?

S
Shawn
a year ago

Where can I find this information? I found some Samsung Knox information within the Software Information page of settings on both devices. If not here, let me know and I'll check again.

RC
Raymond Chan Diamond Contributor
a year ago

Device's Settings -> About Devices -> Software information as shown in your screenshots is the place to look on the device.

The Knox library versions are the same and look recent enough.  MDM solution such as Soti MobiControl is only responsible for passing the required OEMConfig managed configuration parameters to the OEMConfig app, which in this case is Samsung KSP.  How such app implements any functions based on the configured parameters is beyond control of any MDM software.  So in your case, your best bet is to chase after Samsung support team to debug their recently added permission-control function in KSP app when running on your problematic Tab A7 Lite device model.

A
ATMOD@SOTI
a year ago

 

Hi Shawn,

 

Thank you for requesting a response from SOTI support staff. 

Here are some troubleshooting steps and considerations that could help you resolve the problem:

1. Device Compatibility and Policy Requirements:

  • Ensure that the policies you are trying to apply are compatible with the specific Android version (14 or 13) running on the Galaxy Tab A7 Lite devices. Some permissions or features may behave differently across OS versions.

2. Re-check Special Access Permissions:

  • Verify that the Special Access Permissions for SOTI MobiControl and Files by Google are correctly set. This includes ensuring that:
    • The permissions are granted as device owner or profile owner if the device is in Work Profile mode.
    • You follow the required process for granting each permission as indicated in the Samsung documentation.

Here’s a relevant knowledge base article from Samsung that explains how to do this.

3. Policy Configuration:

  • Review your policy configuration, especially for the affected policies like All Files Access and Notification Access.
  • Ensure that the package names are correct and that you are using the right component names. The syntax should exactly match what's required by the KSP.

4. Testing with Default Settings:

  • As a troubleshooting step, try reverting to a simpler policy set that only includes the problematic permissions, and see if they apply correctly.
  • This can sometimes help isolate whether other policies are causing a conflict.

5. Check for Known Issues:

  • Since the Galaxy Tab A9+ works fine, search through forums or support sites for known issues specifically related to the Galaxy Tab A7 Lite and the KSP version you are using (1.4.72).
  • Sometimes specific device models may encounter bugs or require firmware updates.

6. Update KSP and Device Firmware:

  • Verify that the KSP version and the firmware on the Galaxy Tab A7 Lite devices are up to date. There may be patches or updates that address policy application issues.

In case of any further concerns, please don't hesitate to reach out.

 
Kind Regards,
Technical Support | SOTI Inc. |1.905.624.9828 | support@soti.net | www.soti.net |

TB
Torsten Bethke
a year ago

Hello Shawn,

for me it's working with 2 permission settings:

A) File Access: net.soti.mobicontrol.androidwork
B) Notification Access: net.soti.mobicontrol.androidwork/net.soti.mobicontrol.lockdown.kiosk.KioskActivity

Regards

S
Shawn
a year ago

Hi Torsten,

Did you test using a Tab A7 Lite? I just tried both permission settings as you did but not get either permission granted on my SM-T227U.

RS
Rafael Schäfer
a year ago

Ever considered to contact Samsung about it as the KSP AND the device are from them and the issue is device specific.
This most likely makes sense to raise it to them instead of here.

TB
Torsten Bethke
a year ago

Hello Shawn,

sorry for my late reply but I double checked my previous post. 

Finally, I can confirm that the settings from this article are working for me:

https://discussions.soti.net/articles/000002579

The bundle IDs from my first post were working only for a subset of permissions. AND I noticed that the KSP applies permissions just once – if you change it afterwards (=disable) it’s not being reenabled automatically.

I tested with a Samsung XCover 7, Android 14.

Hopefully, this helps.

Regards

A
ATMOD@SOTI
a year ago

Hi Shawn,

 

Thanks for posting on SOTI Pulse.  Thanks Raymond, Rafael and Torsten for responding to the post, your expertise and willingness to help are greatly appreciated!

Has your query been resolved? If this post did not assist you in resolving the issue completely and you have additional questions, please do not hesitate to reach out or you can contact SOTI Support (support@soti.net) to open a new case and one of our support engineer will be there to assist you.

 

Kind Regards,

Technical Support | SOTI Inc. |1.905.624.9828 | support@soti.net | www.soti.net |

Similar Discussions