IBM Security MaaS360


major flaw with managing encrypted Samsung phones

  • 1.  major flaw with managing encrypted Samsung phones

    Posted Tue February 11, 2020 05:32 AM

    I have been struggling with this issue for a while.

    When a user leaves our organisation and hands back their phone that is encrypted and locked with a PIN or password (by policy design), if the phone has gone flat or been turned off, I am unable to send the wipe command from the MaaS360 admin portal; it simply does not communicate with the phone.

    Today I discovered it is because of Samsung's 'Strong Protection' or encryption, which protects the phone by preventing most apps from opening before the phone is unlocked after it has been turned on.

    I have confirmed this with a Galaxy A50 I have for testing: after unlocking the phone with my PIN, it does a delayed start and 'Phone is starting' appears with a loading bar. After the phone has started I am able to send commands from the MaaS360 admin portal.


    Does anyone know a way around this? We cannot just turn off encryption; it is required for compliance reasons.



    ------------------------------
    Ethan Rodda
    ------------------------------
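The behaviour described in the post above matches the point where Android has booted but the user has not yet entered the PIN or password: the credential-encrypted (CE) storage that a management agent keeps its enrollment state in is still locked, so the agent cannot come up and talk to the portal until the first unlock. The following is an added illustration, not MaaS360 or Samsung code, of how an Android component can detect that state using the platform's standard Direct Boot APIs (`ACTION_LOCKED_BOOT_COMPLETED`, `ACTION_USER_UNLOCKED`, `UserManager.isUserUnlocked()` and `createDeviceProtectedStorageContext()`). The package, class and preference names are hypothetical, and it assumes the receiver is declared in the manifest with `android:directBootAware="true"` and intent filters for both boot actions.

```java
// Added example (not MaaS360 or Samsung code). Hypothetical package/class names.
// Shows the "locked boot" state the forum post describes: the phone is on,
// but credential-encrypted (CE) storage stays sealed until the user unlocks.
package com.example.mdmagent; // hypothetical

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.SharedPreferences;
import android.os.UserManager;
import android.util.Log;

public class BootStateReceiver extends BroadcastReceiver {
    private static final String TAG = "BootStateReceiver";
    // Hypothetical preference file kept in device-protected (DE) storage.
    private static final String DE_PREFS = "boot_state";

    @Override
    public void onReceive(Context context, Intent intent) {
        UserManager um = context.getSystemService(UserManager.class);
        boolean unlocked = um != null && um.isUserUnlocked();
        String action = intent.getAction();

        if (Intent.ACTION_LOCKED_BOOT_COMPLETED.equals(action) && !unlocked) {
            // Device has booted but the PIN/password has not been entered.
            // CE storage (where an agent would normally keep enrollment
            // state and tokens) is unreadable, so a full check-in to the
            // portal is not possible yet. Only DE storage can be used here.
            Context de = context.createDeviceProtectedStorageContext();
            SharedPreferences prefs =
                    de.getSharedPreferences(DE_PREFS, Context.MODE_PRIVATE);
            prefs.edit()
                    .putLong("last_locked_boot_ms", System.currentTimeMillis())
                    .apply();
            Log.i(TAG, "Locked boot: CE storage sealed until user unlocks");
        } else if (Intent.ACTION_USER_UNLOCKED.equals(action)) {
            // First unlock has happened: CE storage is available and the
            // agent can resume normal communication with the portal.
            Log.i(TAG, "User unlocked: agent can check in normally");
        }
    }
}
```

Only components marked direct-boot aware receive `ACTION_LOCKED_BOOT_COMPLETED`; everything else in the app, including any background service that would poll the portal, is held back until `ACTION_USER_UNLOCKED`, which is exactly the window in which a remote wipe command cannot reach the device.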


  • 2.  RE: major flaw with managing encrypted Samsung phones

    Posted Tue February 11, 2020 10:37 PM

    Hi Ethan - 

    If it's the feature I'm thinking of there may be a workaround, but it may not be ideal.  Samsung has released a set of advanced management APIs that can be enabled via a publicly available app called the KNOX Service Plugin.  The KSP app is free, but to take advantage of all of its KNOX Platform for Enterprise (KPE) features you must purchase KPE licenses (I am not able to provide you any information about potential costs associated with that program - you'll have to speak with a Samsung KNOX representative).

    If you are able to subscribe to the KPE/KSP services, MaaS360 can integrate with the licensing and distribute the KSP app from our portal and customize the policy via App Config workflows in the portal.

    That was a lot, I know; it's the long-winded way of saying "Yes, but you'll probably have to pay for it", as KPE features a policy feature called Dual Data-at-rest encryption policies.  In that policy there is a feature called "Data Lock Timeout Type" that is described as such: "Use this control to set a data lock type. This locks the credential encrypted (CE) storage and flushes the key from memory. Once locked, apps can't use the CE until user provides the credential again."  This MAY be linked to the Encrypted Storage that also occurs when the device is rebooted.  There is a value that can be set as "No Timeout" which may solve the problem for you.

    For more info on KSP/KPE: https://docs.samsungknox.com/knox-service-plugin/admin-guide/what-is-ksp.htm



    ------------------------------
    Matt Shaver
    System Architect
    IBM
    mshaver@us.ibm.com
    ------------------------------