Non-shared Android device quickstart

Knox Manage has a special non-shared enrollment method that’s unique to fully managed devices.

The purpose of non-shared enrollment is to configure and enroll a device with a staging user, like a shared device, and then seamlessly transfer it to the actual user by transforming it into a fully managed device. Once the transformation takes place, the device can’t be reverted to its non-shared state.

Because the majority of configuration and enrollment activities take place when the device is in the admin’s possession, this enrollment method minimizes disruption in demanding on-premises environments where device users aren’t equipped, capable, or free to enroll the device on their own. It also offers a way to standardize company-owned devices.

During the setup phase, a non-shared device is like a typical shared device intended for a single business purpose, except that it is intended for use by a single user. You can pre-load content and pre-install apps to the device, as long as you assign them to a group that the target user belongs to.

Supported devices

You can set up devices running Android 11 or higher in non-shared mode.

Supported management features

Non-shared devices are subject to the following limitations in Knox Manage:

• They can be enrolled using one of the following methods: Enrollment token, QR code, Knox Mobile Enrollment, or zero-touch enrollment.

• They support a limited number of Android device commands. To see which commands are compatible, check the Supported system column in the Android Enterprise device command reference.

Set up a non-shared Android device

The process to set up a non-shared device has the following stages:

1. Register a staging user
2. Configure the staging user settings
3. Prepare apps and content for the device
4. Enroll the device
5. Provision the device

1. Register a staging user

A non-shared device must be enrolled and set up with a staging user before it’s deployed. The staging user is an account with a supervisory scope that carries the basic device configuration and settings prior to provisioning the destination user.

To create a staging user:

1. Go to User, then click Add.
2. Fill in the basic and required user account information. For more detailed instructions, see Register a single user account.
3. Set Staging user to Yes.
4. Set Using Type to Non-shared Device.
5. Click Save and confirm.

2. Configure the staging user profile

Next, configure the staging user’s profile:

1. Go to Profile > click the intended profile > Modify Policy.

2. On the Set Policy page, open the Android Enterprise > Staging policy category.

3. Set the Staging Device Settings policy to Apply. Sub-policies appear on the page.

   

4. To grant the staging user access to Android utilities (such as the System Status Bar), set Utilities Settings to Allow, then proceed to allow or disallow specific utilities for the staging user. Available utilities are:

   • Power
   • System Status Bar
   • Notification Bar
   • Key Guard

5. To grant the staging user access to Android device settings (on the Settings app), set Device Settings to Allow, then proceed to allow or disallow specific settings under the Settings sub-policy. Options are:

   • Select All
   • Wi-Fi
   • Bluetooth
   • NFC
   • Mobile Data
   • Mobile Networks
   • Hotspot
   • Location

6. To restrict the number of times the staging user can attempt to exit Staging Mode, set Exit Staging Mode Attempt Limit to a value between 1 and 10. Then, if needed, set the Take Action if Attempts Are Exceeded sub-policy to prevent the staging user from re-entering their exit code for a certain period. Available options are:

   • Prevent re-entering code for 10 mins
   • Prevent re-entering code for 30 mins

7. Click Save & Assign to save the configuration and assign it to the staging user’s profile.

3. Prepare apps and content for the device

Next, do the following to pre-install the apps and content for the device:

1. Add the staging user and other user accounts to the same group.

2. Assign apps to the group.

3. Assign content to the group.

This approach speeds up enrollment by downloading all the apps and content to the device before it’s deployed.

4. Enroll and verify the device

Lastly, after preparing the staging user, apps, and content, you can enroll the device:

1. Enroll the device. For instructions see Enroll a single device.

2. After enrollment, go to Device and find the device. Verify that its value in the Platform & Management Type column is Non-shared Device. Its device name is the name you chose during enrollment, with the staging user name prepended.

   

3. The staging device prepares in 5-10 minutes, depending on the number of apps and content files that you assigned to the staging user. Ensure the device is connected to the internet during enrollment.

   • To verify app installation, on the Knox Manage console go to Device, then click the device name. On the Device Detail page, open the Application tab, then the Assigned Application tab. Installed apps will have an Install Status of “Installed”.

   • To verify that the content synced correctly, open the Knox Manage agent on the device and check the Download Path that was specified for the content.

5. Provision the device

Once the device is enrolled, you can deploy and provision it.

Provide the device to the user. Upon receiving the device, the user must power it on and sign in using their actual (non-staging) credentials in the Knox Manage agent.

Once the user signs in the staging account is permanently removed. On the Device page:

• The device’s Platform & Management Type value changes to Fully Managed.
• The Device Name and User Name values are updated to reflect the provisioned user.

See also

• Shared Android device quickstart