Device Owner on rooted Galaxy S8

Posted 2019-05-10 19:52

Question:

I have been trying to elevate an internal Demo App to Device Owner on my rooted S8 and keep having problems.

Ways I have tried:

1) NFC provisioning (as explained here)

When using NFC with Android Beam to set the Device Owner the S8 shows a "Cannot create working profile due to the security guidelines of your device"-error.

2) Adb provisioning (from console):

When using

dpm set-device-owner my/app/namespace/.DeviceAdmin

in a Windows console I get the following error:

java.lang.SecurityException: Neither user 2000 nor current process has com.samsung.android.knox.permission.KNOX_PROXY_ADMIN_INTERNAL.,com.sec.enterprise.permission.MDM_PROXY_ADMIN_INTERNAL
        at android.os.Parcel.readException(Parcel.java:1693)
        at android.os.Parcel.readException(Parcel.java:1646)
        at android.app.admin.IDevicePolicyManager$Stub$Proxy.setActiveAdmin(IDevicePolicyManager.java:5825)
        at com.android.commands.dpm.Dpm.runSetDeviceOwner(Dpm.java:145)
        at com.android.commands.dpm.Dpm.onRun(Dpm.java:96)
        at com.android.internal.os.BaseCommand.run(BaseCommand.java:51)
        at com.android.commands.dpm.Dpm.main(Dpm.java:41)
        at com.android.internal.os.RuntimeInit.nativeFinishInit(Native Method)
        at com.android.internal.os.RuntimeInit.main(RuntimeInit.java:307)

Adding the missing permissions to my manifest did not change anything.

3) Create xml-file manually (as explained here)

In this case I can create the xml in the right folder, but when I restart the phone the file gets deleted and my app is not registered as Device Owner.

Are there any more ways I could try or does anyone know where the problem is?

Answer 1:

Thanks to Fred's comment I looked into my manifest and compared it to another app I have been using and was able to get the Adb provisioning to work.

I added the following to my manifest and the error did not occur again:

<uses-permission android:name="android.permission.INTERACT_ACROSS_USERS_FULL" />
<uses-permission android:name="android.permission.WRITE_SETTINGS" />

<application
   ...
   android:testOnly="false">

After this, the command

dpm set-device-owner my/app/namespace/.DeviceAdmin

executed without errors.

To be honest I don't quite know which one of those did the trick since I cannot un-provision my device without doing a factory reset but I thought I'd share it anyway and hope it will save someone else some time.
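
Added example, not part of the original answer or the asker's project: a small Python audit that reads a source-form AndroidManifest.xml and reports the state of the entries the answer above changed, plus whether a device admin receiver is declared with the BIND_DEVICE_ADMIN permission. The package name, receiver name and sample manifest are constructed, and the script assumes the manifest carries a `package` attribute.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Permissions answer 1 added to the manifest (taken from the page).
PERMS = ("android.permission.INTERACT_ACROSS_USERS_FULL",
         "android.permission.WRITE_SETTINGS")

def audit_manifest(xml_text):
    """Report the state of the manifest entries mentioned in answer 1."""
    root = ET.fromstring(xml_text)
    declared = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    app = root.find("application")
    report = {"package": root.get("package"),
              "permissions": {p: p in declared for p in PERMS},
              # None means the attribute is absent and the platform default applies.
              "testOnly": app.get(ANDROID + "testOnly") if app is not None else None,
              "admin_receivers": []}
    for rcv in (app.iter("receiver") if app is not None else []):
        actions = {a.get(ANDROID + "name") for a in rcv.iter("action")}
        if "android.app.action.DEVICE_ADMIN_ENABLED" in actions:
            report["admin_receivers"].append({
                "name": rcv.get(ANDROID + "name"),
                "bind_permission_ok": rcv.get(ANDROID + "permission")
                    == "android.permission.BIND_DEVICE_ADMIN"})
    return report

def dpm_component(report):
    """Build the package/receiver argument for `dpm set-device-owner`."""
    if not report["admin_receivers"]:
        return None
    return report["package"] + "/" + report["admin_receivers"][0]["name"]

# Constructed sample manifest (hypothetical package and receiver names).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-permission android:name="android.permission.WRITE_SETTINGS" />
  <application android:testOnly="false">
    <receiver android:name=".DeviceAdmin"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    r = audit_manifest(SAMPLE)
    print(r)
    print("dpm set-device-owner", dpm_component(r))
```

Running the audit on the manifest before and after each change gives a record of what differed between builds, which helps when a provisioned device cannot be un-provisioned without a factory reset.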



Answer 2:

From the examples you have tried it seems you are trying to get Device Owner privilege, and not Device Admin:

  • Device Admin (introduced in Android 2.2) gives limited management capabilities and can be granted by the user to any app that requests it,
  • Device Owner (introduced in Android 5.0) gives full management capabilities but can only be granted to one app, during device setup, so you need to factory reset the device before.

If you want to implement Device Admin, you can follow this guide.

If you want to implement Device Owner, you can either

  • use the Android Management API which is simple but you might be missing some advanced features,
  • or build your own Device Policy Controller app and set up the device using one of the available provisioning methods (QR code, NFC, Managed Google Play Accounts, etc), which is significantly more complicated but you'll have access to all DevicePolicyManager APIs.