Samsung Knox Mobile Enrollment
Samsung Knox Mobile Enrollment (KME) is a zero-touch method allowing IT administrators to rapidly and efficiently enroll large quantities of corporate-owned devices by automatically configuring them with MDM settings upon device power-on and network connection.
Key Features and Benefits of KME
KME streamlines bulk device deployment, enforces security by limiting unauthorized access, and ensures device enrollment persistence even after a factory reset.
Core Benefits
- Zero-Touch Deployment: Devices install Hexnode UEM automatically after connecting to Wi-Fi.
- Mandatory Enrollment: Users cannot skip the enrollment setup wizard, ensuring compliance.
- Automated Credentialing: Pass device user credentials automatically via the portal.
Prerequisites for Knox Mobile Enrollment
To successfully configure KME with Hexnode, the following requirements must be met:
- Samsung Knox Portal Account: A valid account at Samsung Knox.com.
- Supported Devices: Samsung devices running Knox 2.4 or higher. To view the latest list of devices supported by Knox Mobile Enrollment, refer to Devices Secured by Knox.
- Hexnode UEM Portal: An active Hexnode UEM subscription with administrator access.
- Device Source:
  - Reseller Upload: Devices purchased from a verified Samsung reseller (automatically uploaded).
  - Knox Deployment App: Devices not purchased from a reseller can be added manually using the Knox Deployment App on a separate master device.
Setup and Configuration Steps
1. How to Create a Samsung Account
This account is necessary for accessing all Samsung services, including the Knox Portal.
- Go to the Samsung account creation page.
- Click on Create account.
- Review and Agree to the terms and conditions.
- Enter your Email/Phone number, Password, First name, Last name, and DOB.
- Carefully enter the answer for the chosen security question and click Next.
- Activate the account by following the link sent to the provided email address or by verifying the code sent to the phone number.
2. How to Create a Knox Portal Account
The Knox Portal requires verification using a work email to access KME services.
- Go to the Knox Mobile Enrollment page.
- Click on Get Started in the top right corner.
- Enter your work email address under Business email. (Personal emails like Gmail or Hotmail are not accepted.)
- Select the relevant Knox solution, such as Knox Suite (which includes KME).
- Create a Samsung account if one associated with the work email doesn’t already exist.
- Complete the email verification and click Next.
- Verify your Samsung account details and optionally set up two-step verification. Click NEXT: COMPANY INFO.
- Provide your company’s details. (Note: The selected location determines connection to the US or EU server.)
- Click NEXT: AGREEMENT, and then AGREE to submit the application for Knox services.
- Wait for the email notification confirming your company’s approval for Knox services.
3. Enroll and Configure Devices in the KME Portal
KME profile creation simplifies Android Enterprise device enrollment (fully managed or Work Profile). The process involves three steps:
Step 1: Configure the MDM Profile in the Knox Portal
- Sign in to your Knox Portal account.
- Select the Profiles option from the left-hand Knox Mobile Enrollment menu.
- Complete the following 4 steps to create the profile.
Basic Info: Profile Details
- Specify the Profile name (required) and Profile description (optional).
- Select solutions and services to install (required). Select EMM to proceed with device enrollment. Additional solutions like Knox E-FOTA and Knox Asset Intelligence can be included based on organizational requirements.
- Click NEXT.
EMM Info
- Specify the Company name, Support email, and Support phone number (all shown during enrollment).
- Select your EMM: Select Hexnode For Work for Hexnode.
- Link to agent APK: The URL to the APK is auto-filled.
- Intranet Host Option: If the APK is privately hosted, check the corresponding option, and provide the Admin component name, Admin package signature checksum, EMM app name, and upload the App icon.
- Specify an EMM server URI: Enter the Hexnode UEM portal URL (e.g., https://yourportal.hexnodemdm.com).
- Click NEXT.
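For the Intranet Host Option above, a pre-flight check of the Admin package signature checksum, added here as an example (not Hexnode or Samsung code). It assumes the field uses the standard Android Enterprise provisioning format, URL-safe base64 of the SHA-256 of the APK signing certificate; the function names and the sample certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for the DER bytes of the agent APK's signing certificate.
# In practice, read the real certificate exported from the privately hosted APK.
SAMPLE_CERT_DER = b"constructed-placeholder-signing-certificate"


def _b64url(raw: bytes) -> str:
    """URL-safe base64 without '=' padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def der_fingerprint(cert_der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form certificate tools print."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(cert_der).digest())


def checksum_from_der(cert_der: bytes) -> str:
    """Checksum computed directly from the certificate bytes."""
    return _b64url(hashlib.sha256(cert_der).digest())


def checksum_from_fingerprint(fingerprint: str) -> str:
    """Convert a printed SHA-256 fingerprint into the checksum form."""
    hex_digits = fingerprint.strip().replace(":", "").replace(" ", "")
    if not re.fullmatch(r"[0-9A-Fa-f]{64}", hex_digits):
        raise ValueError("expected a 32-byte SHA-256 fingerprint in hex")
    return _b64url(bytes.fromhex(hex_digits))


def profile_checksum_matches(configured: str, cert_der: bytes) -> bool:
    """Compare the value typed into the profile with the certificate you hold.

    Tolerates surrounding whitespace and trailing '=' padding, which are
    common copy/paste differences.
    """
    normalized = configured.strip().rstrip("=")
    expected = checksum_from_der(cert_der)
    return hmac.compare_digest(normalized.encode(), expected.encode())


if __name__ == "__main__":
    value = checksum_from_der(SAMPLE_CERT_DER)
    print("checksum for profile:", value)
    print("matches certificate:", profile_checksum_matches(value, SAMPLE_CERT_DER))
```

A mismatch means the checksum in the profile does not belong to the certificate you checked, so recompute it from the certificate that actually signed the hosted APK before saving the profile.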
Configure (Standard and Advanced Settings)
These settings customize device behavior during and after enrollment.
Standard settings
- DPC extras for (JSON Data): Define custom configurations using JSON for the DPC app during enrollment.
  - Process: In the Hexnode UEM portal, navigate to Enroll > Platform-Specific > Samsung Knox > Guidelines. Select an existing Enrollment Profile or create a new one. This profile defines the Hexnode enrollment type (e.g., Device Owner or WP-C).
  - Copy JSON: Copy the JSON string from the Guidelines page or by clicking the QR code option in the Enrollment Profiles tab. Paste this JSON into the DPC extras for section of the Knox profile.
- QR code for EMM enrollment: Allows setting up QR code enrollment, including whether to allow it for non-reseller uploaded devices.
- Wi-Fi Config: Choose either Don’t add Wi-Fi network credentials or Add Wi-Fi network configuration (requires SSID and Security type).
- System apps: Choose whether device users can access pre-installed apps.
- Enrollment screens: Select whether to skip different setup screens during enrollment.
- Privacy Policy, EULAs, and Terms of Service: Add documents that users must acknowledge.
- Root and intermediate certificates: Install certificates during enrollment (supported on Android 9+; file types: .cer, .pem, .crt, .der, .ca-bundle).
- DualDAR: Enable Dual DAR (Data-at-Rest) encryption for enhanced security. Optionally integrate a third-party cryptography app (requires package and signature).
Advanced Settings (Requires Knox Suite license)
- Lock compromised devices: Remotely lock devices that are not enrolled by a specified date (1-30 days, default 7), or lock them immediately if they are running unofficial firmware, are detected as rooted, or if the user does not enroll with an EMM through Knox Mobile Enrollment.
- Lock Message: You can customize the lock screen message displayed on the device when it is locked or opt to use the system’s default message.
- Contact information: You can specify a contact phone number that device users can use to reach out to the IT administrator if the device becomes locked.
- Install apps: Add apps for automatic installation upon enrollment.
Review
- Check all settings (Basic info, EMM info, and Configure settings).
- Click CREATE.
The KME profile is created. Profiles can be edited or deleted via ACTIONS > Delete profile.
Step 2: Add Devices to the Knox Portal
Sign in to your Knox Portal account. Device information can be added either by the reseller or by the administrator using the Knox Deployment Application.
Reseller Devices
Devices purchased from a reseller can be automatically uploaded to your account and appear in Devices > Uploads.
- Select the Resellers option.
- Click Register reseller.
- Enter the reseller’s Knox Reseller ID and click LOOKUP.
- Click REGISTER.
- Optional Auto-Approval: Navigate to Auto Approval and select Automatically approve all uploads from this reseller.
- Optional Auto-Assign: Under Auto Assign Profile after Approval, choose a default profile and license.
- Click SAVE.
Knox Deployment Application (Non-Reseller Devices)
Used for devices not purchased from an approved reseller.
- Download the Knox Deployment application from the Google Play store on any compatible device.
- Launch the app and sign in using the Knox portal username and password.
- Click on Profile and choose the desired Knox Mobile Enrollment profiles.
- Choose a Deployment mode: Bluetooth or Wi-Fi direct.
  - Bluetooth: This mode utilizes Bluetooth for deployment and allows for optional Wi-Fi configuration.
    - Select Bluetooth as the device deployment mode.
    - Wi-Fi Configuration (Optional): To send network settings, click Wi-Fi for deployed devices > Allow.
    - Choose a network or add a new one.
    - Type in the password and click OK.
    - Click on Start deployment.
    - Set the Bluetooth duration (30 minutes by default) and check Accept automatically (optional) to accept pairing requests.
    - Click OK > Start Deployment.
    - Follow the onscreen instructions to enroll the device.
    - Click on Finish deployment from the app. The device will be listed in the Knox portal with the tag Bluetooth.
  - Wi-Fi Direct: This mode uses Wi-Fi Direct for deployment and supports both manual and automatic connection acceptance.
    - Select Wi-Fi Direct as the Deployment mode.
    - Select Wi-Fi direct Setting: Choose whether the connection is automatic or manual.
      - Accept manually
        - Select Accept Manually from Select Wi-Fi setting.
        - Note down the PIN and tap Connect before the countdown expires.
        - On the enrolling device, an Accept sharing request screen appears; type the PIN and click Accept.
        - The enrollment information is sent via the newly established Wi-Fi direct connection.
        - Click on Finish deployment once complete.
      - Accept automatically
        - Select Accept automatically from Select Wi-Fi setting.
        - Tap Connect before the countdown expires.
        - The enrollment information is sent via the newly established Wi-Fi direct connection.
        - Click on Finish deployment once complete.
Step 3: Configure and Assign Devices to a Profile
Device user credentials can be added individually or imported in bulk via a CSV file (maximum 10,000 users/rows).
| Action | Steps |
|---|---|
| Add a new device user (Individual) | Select Device Users > Click add device users > Enter User ID and Password > Click Add. |
| Edit/Update an existing user | Select Device Users > Click on the user > Edit details > Save. |
| Remove an existing user | Select Device Users > Check the user > Go to Action > Delete Device Users > Select Delete in the pop-up. |
| Importing a device user (Bulk) | Select Device Users > Click Add Device Users > Click add multiple device users > Review CSV instructions > Upload the CSV file > Submit. |
Frequently Asked Questions
- Why does the Knox Portal require a business email for account creation?
  Personal email accounts (like Gmail or Hotmail) are not accepted for Knox Portal account creation because the service is designed exclusively for corporate/enterprise deployment and verification.
- What is the significance of the DPC extras field in the KME profile configuration?
  The DPC extras field holds the JSON data copied from the Hexnode Enrollment Profile, which is critical for Hexnode UEM to identify and apply the correct management configurations (e.g., Device Owner or WP-C).
- Under what circumstances is the Wi-Fi configuration option functional during Bluetooth deployment?
  The Wi-Fi configuration feature, which sends network credentials to the device, is only functional with gesture-based deployment on devices running Knox 3.2 and higher.