Samsung Knox Mobile Enrollment

Samsung Knox Mobile Enrollment (KME) is a zero-touch method allowing IT administrators to rapidly and efficiently enroll large quantities of corporate-owned devices by automatically configuring them with MDM settings upon device power-on and network connection.

Key Features and Benefits of KME

KME streamlines bulk device deployment, enforces security by limiting unauthorized access, and ensures device enrollment persistence even after a factory reset.

Core Benefits

  • Zero-Touch Deployment: Devices install Hexnode UEM automatically after connecting to Wi-Fi.
  • Mandatory Enrollment: Users cannot skip the enrollment setup wizard, ensuring compliance.
  • Automated Credentialing: Pass device user credentials automatically via the portal.

Prerequisites for Knox Mobile Enrollment

To successfully configure KME with Hexnode, the following requirements must be met:

  1. Samsung Knox Portal Account: A valid account at SamsungKnox.com.
  2. Supported Devices: Samsung devices running Knox 2.4 or higher. To view the latest list of devices supported by Knox Mobile Enrollment, refer to Devices Secured by Knox.
  3. Hexnode UEM Portal: An active Hexnode UEM subscription with administrator access.
  4. Device Source:
    • Reseller Upload: Devices purchased from a verified Samsung reseller (automatically uploaded).
    • QR Code Method: Devices not purchased from a reseller can now be added manually by scanning a QR code using the device’s built-in camera during initial setup.

Setup and Configuration Steps

1. How to Create a Samsung Account

This account is necessary for accessing all Samsung services, including the Knox Portal.

  1. Go to the Samsung account creation page.
  2. Click on Create account.
  3. Review and Agree to the terms and conditions.
  4. Enter your Email/Phone number, Password, First name, Last name, and DOB.
  5. Carefully enter the answer for the chosen security question and click Next.
  6. Activate the account by following the link sent to the provided email address or by verifying the code sent to the phone number.

2. How to Create a Knox Portal Account

The Knox Portal requires verification using a work email to access KME services.

  1. Go to the Knox Mobile Enrollment page.
  2. Click on Get Started in the top right corner.
  3. Enter your work email address under Business email. (Personal emails like Gmail or Hotmail are not accepted.)
  4. Select the relevant Knox solution, such as Knox Suite (which includes KME).
  5. Create a Samsung account if one associated with the work email doesn’t already exist.
  6. Confirm the verification email and click Next.
  7. Verify your Samsung account details and optionally set up two-step verification. Click NEXT: COMPANY INFO.
  8. Provide your company’s details. (Note: The selected location determines connection to the US or EU server.)
  9. Click NEXT: AGREEMENT, and then AGREE to submit the application for Knox services.
  10. Wait for the email notification confirming your company’s approval for Knox services.

3. Enroll and Configure Devices in the KME Portal

KME profile creation simplifies Android Enterprise device enrollment (fully managed or Work Profile). The process involves three steps:

Step 1: Configure the MDM Profile in the Knox Portal

  1. Sign in to your Knox Portal account.
  2. Select the Profiles option from the left-hand Knox Mobile Enrollment menu.
  3. Work through the following four steps to finish creating the profile.
Basic Info: Profile Details
  1. Specify the Profile name (required) and Profile description (optional).
  2. Select solutions and services to install (required). Select EMM to proceed with device enrollment. Additional solutions like Knox E-FOTA and Knox Asset Intelligence can be included based on organizational requirements.
  3. Click NEXT.
EMM Info
  1. Specify the Company name, Support email, and Support phone number (all shown during enrollment).
  2. Select your EMM: Select Hexnode For Work for Hexnode.
  3. Link to agent APK: The URL to the APK is auto-filled.
    • Intranet Host Option: If the APK is privately hosted, check the corresponding option, and provide the Admin component name, Admin package signature checksum, EMM app name, and upload the App icon.
  4. Specify an EMM server URI: Enter the Hexnode UEM portal URL (e.g., https://yourportal.hexnodemdm.com).
  5. Click NEXT.
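
For the Intranet Host Option above, the checksum pins the agent APK to its signing certificate, so a mistyped or wrongly encoded value makes provisioning reject the package. The sketch below is an added example, not Hexnode or Samsung code: it produces the checksum in the form Android provisioning uses (URL-safe base64 of the certificate's SHA-256, no padding) and checks a value before it is entered. That the Knox field takes this same form is an assumption, and the function names are illustrative.

```python
import base64
import hashlib
import re


def _b64url(digest: bytes) -> str:
    # URL-safe alphabet, '=' padding stripped: 32 bytes -> 43 characters.
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def checksum_from_der(cert_der: bytes) -> str:
    """Checksum of a signing certificate given its DER bytes."""
    return _b64url(hashlib.sha256(cert_der).digest())


def checksum_from_hex(fingerprint: str) -> str:
    """Convert a hex SHA-256 fingerprint (colons or spaces allowed), such as
    the digest `apksigner verify --print-certs` reports, to the same form."""
    digest = bytes.fromhex(re.sub(r"[:\s]", "", fingerprint))  # ValueError if not hex
    if len(digest) != 32:
        raise ValueError(f"need a 32-byte SHA-256 digest, got {len(digest)} bytes")
    return _b64url(digest)


def normalize(entered: str) -> str:
    """Accept standard or URL-safe base64, padded or not; return canonical form."""
    s = entered.strip().replace("+", "-").replace("/", "_").rstrip("=")
    if not re.fullmatch(r"[A-Za-z0-9_-]{43}", s):
        raise ValueError("not a base64-encoded SHA-256 digest")
    return s


def matches(cert_der: bytes, entered: str) -> bool:
    """True if the value typed into the profile belongs to this certificate."""
    return checksum_from_der(cert_der) == normalize(entered)


if __name__ == "__main__":
    cert = b"constructed stand-in for DER certificate bytes"  # not a real cert
    value = checksum_from_der(cert)
    print("checksum for the profile field:", value)
    print("matches padded standard-base64 copy:",
          matches(cert, base64.b64encode(hashlib.sha256(cert).digest()).decode()))
```

A SHA-1 or MD5 fingerprint fails the length check instead of being silently encoded, which is the usual cause of a checksum that looks plausible but never matches.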
Configure (Standard and Advanced Settings)

These settings customize device behavior during and after enrollment.

Standard settings

  • DPC extras for (JSON Data): Define custom configurations using JSON for the DPC app during enrollment.
    • Process: Navigate to Enroll > Platform-Specific > Samsung Knox > Guidelines. Select an existing Enrollment Profile or create a new one. This profile defines the Hexnode enrollment type (e.g., Device Owner or WP-C).
    • Copy JSON: Copy the JSON string from the Guidelines page or by clicking the QR code option in the Enrollment Profiles tab. Paste this JSON into the DPC extras for section of the Knox profile.
      Note: Samsung Knox enrollment only supports Device Owner (DO) or Work Profile on Company-Owned Device (WP-C) profiles.

  • QR code for EMM enrollment: Allows setting up QR code enrollment. Select Add QR code to generate the QR code for enrollment.
    • Make sure the option “Also allow QR enrollment for devices not uploaded by a reseller” is checked to enable QR enrollment for devices that were not uploaded by a reseller.
    • Wi-Fi Config: Choose either Don’t add Wi-Fi network credentials or Add Wi-Fi network configuration (requires SSID and Security type).
  • Once all fields are filled out, click ADD. Complete the remaining profile configuration steps and click Create profile. After the profile is created, the generated QR code will be displayed — select Download or Print to save and share it with device users.

  • System apps: Choose whether device users can access pre-installed apps.
  • Enrollment screens: Select whether to skip different setup screens during enrollment.
  • Privacy Policy, EULAs, and Terms of Service: Add documents that users must acknowledge.
  • Root and intermediate certificates: Install certificates during enrollment (supported on Android 9+; file types: .cer, .pem, .crt, .der, .ca-bundle).
  • DualDAR: Enable Dual DAR (Data-at-Rest) encryption for enhanced security. Optionally integrate a third-party cryptography app (requires package and signature).

Advanced Settings (Requires Knox Suite license)

  • Lock compromised devices: Remotely lock devices that are not enrolled by a specified date (1-30 days, default 7), or lock them immediately if they are running unofficial firmware, are detected as rooted, or if the user does not enroll with an EMM through Knox Mobile Enrollment.
  • Lock Message: You can customize the lock screen message displayed on the device when it is locked or opt to use the system’s default message.
  • Contact information: You can specify a contact phone number that device users can use to reach out to the IT administrator if the device becomes locked.
  • Install apps: Add apps for automatic installation upon enrollment.
Review
  1. Check all settings (Basic info, EMM info, and Configure settings).
  2. Click CREATE.

The KME profile is created. Profiles can be edited or deleted via ACTIONS > Delete profile.

Step 2: Add Devices to the Knox Portal

Sign in to your Knox Portal account. Device information can be added either by the reseller or through the QR code enrollment method.

Reseller Devices

Devices purchased from a reseller can be automatically uploaded to your account and appear in Devices > Uploads.

Method 1: Reseller Registration and Management

Once the ID of a reseller is obtained, registration and preference management can be completed to streamline how devices are uploaded and assigned to enrollment profiles.

  1. Open Resellers Page: Click Resellers in the Knox Mobile Enrollment console or Knox Admin Portal to view the registered list.
  2. Initiate Registration: Select Register reseller. The customer ID displayed in the dialog must be shared with the reseller.
  3. Identify Reseller: Enter the Knox Reseller ID for the desired reseller and select Find reseller.
  4. Confirm Registration: Verify the reseller’s name and location, then select Register. The reseller is then authorized to upload and provision devices.
  5. On the Resellers page, click the reseller’s name and ID to open the Manage reseller preferences page.
  6. Enable Auto-Approval (Optional): Select Auto approve devices to automatically approve all future device uploads from this reseller.

Method 2: QR Code Enrollment

Enrolling the device (Done by the device user)

Once the administrator provides the QR code, the user can easily enroll their device by following these steps:

  1. Turn on the device.
  2. Draw a plus sign (+) on the device screen. This action automatically opens the camera in QR code recognition mode.
  3. On the Knox Deployment screen, tap QR code to open the QR code reader app.
  4. Scan the QR code provided by the administrator.
  5. If the QR code contains Wi-Fi credentials, the device will connect to the internet automatically. If it does not, you will be prompted to enter the Wi-Fi credentials manually.
  6. Follow the series of enrollment screens that appear.
  7. When prompted, enter your EMM account credentials, and then tap Finish to complete the enrollment.

Step 3: Configure and Assign Devices to a Profile

Device user credentials can be added individually or imported in bulk via a CSV file (maximum 10,000 users/rows).

Actions and their steps:

  • Add a new device user (Individual): Select Device Users > Click add device users > Enter User ID and Password > Click Add.
  • Edit/Update an existing user: Select Device Users > Click on the user > Edit details > Save.
  • Remove an existing user: Select Device Users > Check the user > Go to Action > Delete Device Users > Select Delete in the pop-up.
  • Importing a device user (Bulk): Select Device Users > Click Add Device Users > Click add multiple device users > Review CSV instructions > Upload the CSV file > Submit.

Frequently Asked Questions

  1. Why does the Knox Portal require a business email for account creation?
     Personal email accounts (like Gmail or Hotmail) are not accepted for Knox Portal account creation because the service is designed exclusively for corporate/enterprise deployment and verification.

  2. What is the significance of the DPC extras field in the KME profile configuration?
     The DPC extras field holds the JSON data copied from the Hexnode Enrollment Profile, which is critical for Hexnode UEM to identify and apply the correct management configurations (e.g., Device Owner or WP-C).

  3. Under what circumstances is the Wi-Fi configuration option functional during Bluetooth deployment?
     The Wi-Fi configuration feature, which sends network credentials to the device, is only functional with gesture-based deployment on devices running Knox 3.2 and higher.
