1. Home
  2. Enrollment
  3. Samsung Knox Mobile Enrollment
  1. Home
  2. Android
  3. Samsung Knox Mobile Enrollment

Samsung Knox Mobile Enrollment

What is Samsung Knox Mobile Enrollment?

Samsung Knox Mobile Enrollment (KME) allows IT administrators to quickly and efficiently enroll large quantities of corporate-owned devices without the need of manually configuring each of them. End users just have to power on the devices and connect to the network to enroll in MDM. That means there’s minimal risk that users may enter incorrect information or select the wrong settings. Moreover, unauthorized devices cannot join your MDM environment, so your network and data are better protected.

What are the key features of Knox Mobile Enrollment?

  • Bulk enroll devices: Can add thousands of devices to your MDM at once.
  • Automatic installation and activation: As soon as the employees receive their device and power it on, the device automatically installs the required software and applies the security settings and configurations provisioned by the enterprise via the MDM client.
  • Auto re-enrollment: Once a device is enrolled, the MDM software will always be reinstalled even if the device is erased and factory reset.
  • Supports multiple MDM configurations per account: Organizations with a complex MDM environment can quickly set up thousands of devices and connect them with the right MDM profile using Knox Mobile Enrollment.

What are the requirements for Knox Mobile Enrollment?

  • A Samsung account.
  • A Knox portal account.
  • Samsung Knox devices running Knox version 2.4 or higher. Some devices lacking a Device Root Key (DRK) support enrollment using a Knox 2.4.1 binary. For Android Enterprise enrollment, devices should be running Knox version 2.8 or above.
  • An MDM provider supporting the Knox Mobile Enrollment program.
  • A KME supported browser (Internet Explorer, Firefox, and Chrome). Internet Explorer is not recommended if using the on-premises edition of MDM.
  • The correct firewall exemptions needed to extend beyond your local and protected network domain and securely connect to the Knox Mobile Enrollment server.

How to create a Samsung account?

  • Go to Samsung account creation page.
  • Click on Sign Up Now.
  • Go through the terms and conditions and Agree.
  • Enter your Email/Phone number, Password, First name, Last name and DOB. Carefully enter the security code and click Next. Click Done.
  • The last step to activate the account is to follow the link sent to the email address you have provided.

Knox Mobile Enrollment

Knox Mobile Enrollment

How to create a Knox Portal account?

  • Go to Knox Mobile Enrollment page.
  • Click on Apply Now.
  • Enter Basic information, End-user support information, Verification information and go through the Terms and conditions. Click on Apply when you are done.
  • A confirmation mail will be sent.
  • Click on Complete registration to continue. Enter your Knox portal password.
  • Go to Knox Portal dashboard > My Solutions > Knox Mobile Enrollment > Launch.
  • A setup wizard launches to assist with setting up MDM server resources, creating your first enrollment profile and registering resellers when you log in for the first time.

How to enroll and configure devices in your KME portal?

There are three steps by which you can complete Knox Mobile Enrollment:

Step-1: Create an MDM profile.

Step-2: Add devices to your portal.

Step-3: Configure and assign devices to a profile.

Create an MDM profile

  • Go to Knox Portal dashboard > My Solutions > Knox Mobile Enrollment > Launch.
  • Select MDM Profiles option from the left-hand navigation menu > Click on Actions > Add.
  • Enter the MDM Server URI which is the address of your MDM server in the form of an URL (yourportalname.hexnodemdm.com) or select Server URI not required for my MDM > Click Continue.
  • Note:

    No need to append https:// before the server URL.

  • Add the following profile details.
    1. Profile Name – Enter an appropriate profile name to distinguish it from other profiles.
    2. Description (Optional) – Describe the profile in a maximum of 200 characters.
    3. MDM Agent APK – Provide downloadable links of one or more MDM applications which the device will be enrolled to. These applications will be downloaded and installed on the device when it first connects to a Wi-Fi network. Click on Add MDM Applications and provide a URL to the APK that will be downloaded to your devices.
      APK URL for Hexnode MDM
      Hexnode MDM APK
      APK URL for enrolling devices as Android Enterprise Device Owner
      Hexnode MDM APK for Android Enterprise Device Owner Enrollment
      You can add more than one MDM applications. If more than one APK is added, you must set one as primary to choose which APK manages Knox on the device. When an APK is added:
      Enable this app as a Google Device Owner – Check this option to make the app a Google Device Owner. Make sure that the MDM supports Google Device Owner provisioning. This feature is available only for devices with Knox 2.8 or above. However, Device Owner supports only a single MDM application.
      Supported MDM – Select a supported MDM. Select the option Other for Hexnode.
      Leave all system apps enabled – Check this option to enable all system apps.
    4. Skip Setup Wizard – When checked, the device user can skip many setup wizard screens. Selected by default. The Skip setup wizard is required when Google Device Owner is selected.
    5. Allow end user to cancel enrollment – Uncheck this option to make device enrollment mandatory. End users are never allowed to cancel Google Device Owner Enrollment.
    6. Custom JSON Data (as defined by MDM) – A custom configuration type (Java Script Object Notification format) can be defined here. MDM solution must be able to recognize this configuration. Hexnode doesn’t support this for now.
    7. Privacy Policy, EULA and Terms of Service (Optional) – Add any End user license agreements, Terms of service or other user agreements that user must acknowledge before using the device. The Samsung Knox Privacy Policy is always shown. Click on Add legal agreement. Enter an Agreement title and Agreement text > Add.
    8. Associate a Knox license with this profile (Optional) – Check this option and enter the Knox license key to pass it directly to the device for easier Knox profile configuration.
  • Click Save when you are done.

You can Edit or Delete an MDM profile any time by selecting the profile and clicking on Action > Edit/Delete.

Add devices to your portal

  • Go to Knox Portal dashboard > My Solutions > Knox Mobile Enrollment > Launch.
  • There are two options by which you can add device information:

  • Reseller Devices – When a device is purchased from a reseller, they can automatically upload it to your account. The devices will appear in Devices > Uploads. For this, you must register your participating Samsung device reseller.
    1. Select Resellers option from the left-hand navigation menu.
    2. Click on Actions > Register reseller.
    3. Contact the reseller to obtain their Knox reseller id. Provide the Reseller ID and click on look up.
    4. From the list of results, select your reseller.
    5. Use the Setup a default profile for reseller devices option to provide a default profile to be assigned automatically to the devices purchased from this reseller.
    6. Upload approval preferences – Select your preferred upload approval process for this reseller’s uploads.
      Approval needed for each upload – Review and approve each reseller upload separately.
      Automatically approve all uploads from this reseller – The device information uploaded by this reseller is automatically approved, both now and with future uploads.
    7. Click on Add.
  • Knox Deployment Application – To enroll devices not purchased from an approved reseller there is a Knox deployment application.
    Note:


    Only Samsung Knox devices running Knox 2.7.1 or higher can be enrolled thus.


    Steps:

    • Download the Knox Deployment Application from the Google play store on any compatible device.
      Download from this link – Knox Deployment app
    • Launch the app and sign in using the Knox portal username and password. When you log in for the first time a welcome screen will be displayed for assisting you.
    • Click on Profile. All profiles will be listed, or you can select Knox Mobile Enrollment profiles in particular. Choose the profile you want to associate with your devices.
    • Choose a Deployment mode. Here you have 3 options: Bluetooth, NFC or Wi-Fi direct.
      1. Bluetooth
        • Select Bluetooth as the device deployment mode.
        • Wi-Fi configuration – By configuring Wi-Fi for deployed devices, you can send a network configuration to the device so that it can connect the network.
          • Click on Wi-Fi for deployed devices > Allow.
          • Choose a network from the list or add one.
          • Type in the password and click OK.
          Note:

          Wi-Fi configuration will work only with gesture-based deployment on devices running Knox 3.2.

        • Click on Start deployment
        • Set the Bluetooth duration which is 30 minutes by default and check the Accept automatically option to automatically accept pairing requests from devices to be enrolled.
        • Click OK > Start Deployment.
        • Open https://me.samsungknox.com on the designated phone or tablet running Samsung Knox 2.7.1 or above to begin the profile assignment.
        • Follow the onscreen instructions and enroll the device.
        • Click on Finish deployment from the app.

        The device will be listed in the Knox portal with the tag Bluetooth.

      2. NFC
        • Select the Deployment mode as NFC and Configure Wi-Fi for deployed devices.
        • Click on Start deployment.
        • Turn on NFC and Android Beam in device settings.
        • Hold the admin phone and the phone to be enrolled back to back and tap your screen.
        • Note:

          Make sure that both the devices are NFC enabled and compatible.

        • Select Finish deployment once you are done.
      3. Wi-Fi Direct
          Note:


          The enrolling device must be utilizing Knox version 3.2 or above. Additionally, only Note9 and Tab S4 and above devices are supported. Wi-Fi direct is not supported on wearable devices.

        • Select Wi-Fi Direct as the Deployment mode.
        • Select Wi-Fi direct Setting : Choose whether the Wi-Fi direct connection is automatic or manual.
          • Accept manually : Requires the user to enter a generated PIN every time a connection is requested from an enrolling device.
            • Select Accept Manually from Select Wi-Fi setting.
            • Note down the PIN which is required for manual connection and tap Connect before the countdown expires.
            • An Accept sharing request screen appears prompting for the PIN before the countdown expires. Type the PIN and Click on Accept.
            • The enrollment information will be sent to the enrolling device via the newly established Wi-Fi direct connection.
            • Click on Finish deployment once it’s done.
          • Accept automatically : Automatically accept connection requests from enrolling device.
            • Select Accept automatically from Select Wi-Fi setting.
            • Tap Connect before the countdown expires.
            • The enrollment information will be sent to the enrolling device via the newly established Wi-Fi direct connection.
            • Click on Finish deployment once it’s done.

    Configure and assign devices to a profile

    To configure approved devices to a profile.

    • Select Devices option from the left-hand navigation menu > Select All Devices tab.
    • Check the required device(s) > Click on Actions > Configure.
    • The Device details screen appears. Fill the following fields:
      1. MDM profile (single device selected) or Modify the MDM profile of selected devices (more than one device selected) – Assign an MDM profile to the device(s). There are three options from which you can choose.
        Keep current profiles (available only when more than one device is selected) – Select to keep the existing profile assignment.
        Clear profiles – Select this option to remove an already assigned profile.
        Google DO with Knox License – Intended to support Google Device Owner with Knox Mobile Enrollment.
      2. Tags (single device selected) or Add tags to selected devices (more than one device selected) – Add tags to device(s) that allows you to organize and search for devices.
      3. User id and Password (single device selected) – Enter a user id and password for the device.
      4. User credentials (more than one device selected) – Choose user credentials for the devices. Choose any of these options:
        Keep current credentials – Use existing user credentials.
        Clear user credentials – Choose to clear existing credentials.
        Overwrite user credentials – Provide a new user id and password for the devices.
    • Click Save >Refresh.

    The device status changes to profile assigned.

    To bulk configure devices.

    • Select Devices option from the left-hand navigation menu > Select All Devices tab.
    • Select necessary devices and download the device information as a CSV file. Modify the file by adding User ID information to the right of Device ID. You can also add passwords in the next column if needed.
    • Click on Bulk Actions button at the bottom of the left-hand navigation menu.
    • Select Bulk Configure.
    • Upload the edited CSV file.
    • You can Modify the MDM profile of the selected devices and overwrite existing tags if needed.
    • Click Submit.

    How to add Device users to your KME portal?

    To add a new device user

    • Select Device Users option from the left-hand navigation menu.
    • Go to Action > Add user.
    • Enter User ID and Password > Click on Add.

    To edit and update the details of an already existing user

    • Select Device Users option from the left-hand navigation menu.
    • Select the check box of the required device user.
    • Go to Action > Edit.
    • Update the details > Save.

    You can remove an already existing user

    • Select Device Users option from the left-hand navigation menu.
    • Select the check box of the required device user.
    • Go to Action > Remove.
    • A pop-up arises. Select Remove to proceed with the device user deletion.

    Importing a device user

    You can upload a group of user credentials to assign them to your devices in the future. To include user credentials in the device list, create a CSV file with one row (line) per device (with a maximum limit of 10,000 devices/rows).

    • Select Device Users option from the left-hand navigation menu.
    • Select the check box of the required device user.
    • Go to Action > Import.
    • Refer the instructions for creating a CSV file. Select Got it when you are done reading the instructions.
    • Upload the CSV file > Submit.
  •  
  •  
  •  
  •  
  •  

Was this article helpful?

Related Articles

Leave a Comment