Samsung Knox Mobile Enrollment

What is Samsung Knox Mobile Enrollment?

Samsung Knox Mobile Enrollment (KME) allows IT administrators to quickly and efficiently enroll large quantities of corporate-owned devices without manually configuring each one. End users just have to power on the devices and connect to the network to enroll in MDM. That means there’s minimal risk that users may enter incorrect information or select the wrong settings. Moreover, unauthorized devices cannot join your MDM environment, so your network and data are better protected.

Note:

Samsung Knox Mobile Enrollment is supported on Pro, Enterprise, Ultimate, and Ultra pricing plans.

What are the key features of Knox Mobile Enrollment?

  • Bulk enroll devices: Can add thousands of devices to your MDM at once.
  • Automatic installation and activation: As soon as the employees receive their device and power it on, the device automatically installs the required software and applies the security settings and configurations provisioned by the enterprise via the MDM client.
  • Auto re-enrollment: Once a device is enrolled, the MDM software will always be reinstalled even if the device is erased and factory reset.
  • Supports multiple MDM configurations per account: Organizations with a complex MDM environment can quickly set up thousands of devices and connect them with the right MDM profile using Knox Mobile Enrollment.

What are the requirements for Knox Mobile Enrollment?

  • A Samsung account.
  • A Knox portal account.
  • Samsung Knox devices running Knox version 3.0 or higher.
  • A Mobility Management provider supporting the Knox Mobile Enrollment program.
  • A KME supported browser (Internet Explorer, Firefox, and Chrome).
  • The correct firewall exemptions needed to extend beyond your local and protected network domain and securely connect to the Knox Mobile Enrollment server.

How to create a Samsung account?

  1. Go to Samsung account creation page.
  2. Click on Create account.
  3. Go through the terms and conditions and Agree.
    Set up your Samsung account – Agree the terms and conditions
  4. Enter your Email/Phone number, Password, First name, Last name and DOB. Carefully enter the answer for the security question you have chosen and click Next.
  5. To activate the account, follow the link sent to the email address you provided, or verify using the code sent to the phone number you provided.
    create Samsung account – enter the details

How to create a Knox Portal account?

  1. Go to Knox Mobile Enrollment page.
  2. Navigate to the top right corner and click on Get Started.
  3. Enter your work email address under Business email. Keep in mind that personal email accounts, such as Gmail and Hotmail, are not accepted.
  4. Select the Knox solution that best fits your requirements from the following options: Knox Suite, Knox Configure, Knox Guard, Samsung Care + for Business, or Other Products & Services. If you wish to access individual Knox Suite services, such as Knox Mobile Enrollment, choose Knox Suite.
    Work email addresses can be used to create a Knox Admin portal account
  5. Create a Samsung account if one associated with the work email address doesn’t already exist.
  6. A verification email will be sent; once verified click Next.
  7. Verify your Samsung account details and optionally set up two-step verification, then click NEXT: COMPANY INFO.
  8. Provide your company’s details. Note that the location you select here determines whether your account is connected to the US or EU server. The US server corresponds to the Americas, while the EU server corresponds to the rest of the world. Afterward, click on NEXT: AGREEMENT.
  9. To proceed, agree to the terms and conditions by clicking on the AGREE button. This will submit your application for Knox services.
  10. Your application will undergo review, and you will receive an email notification once your company is approved for Knox services.

How to enroll and configure devices in your KME portal?

There are three steps by which you can complete Knox Mobile Enrollment:

Step 1: Create a profile.

Step 2: Add devices to your portal.

Step 3: Configure and assign devices to a profile.

Step 1: Create a profile

  • Sign in to Knox Portal account.
  • Select the Profiles option from the left-hand navigation menu > Click on CREATE PROFILE.
  • Select either of the following profile types:
    1. ANDROID ENTERPRISE: You can opt for an out-of-box Android Enterprise enrollment by choosing this option. If selected, you can manage devices running Android 11 or higher in either Profile Owner or Device Owner mode. Currently, Hexnode does not support Profile Owner mode, and the devices will be enrolled in Device Owner mode even when you choose Profile Owner mode. Additionally, there is no limit to the number of Android Enterprise profiles that can be created.
    2. ANDROID ENTERPRISE (ADVANCED): It offers enhanced capabilities beyond those provided by standard Android Enterprise profiles, granting you greater control over the EMM enrollment process and providing additional safeguards for securing information on lost or stolen devices.

    Select profile type for Knox Mobile Enrollment (KME)

When creating an Android Enterprise profile:

  1. First, you will need to define your profile details:
    • Profile Name – Enter an appropriate profile name to distinguish it from other profiles.
    • Description (Optional) – Describe the profile in a maximum of 200 characters.
    • EMM INFORMATION – Specify the EMM information for the profile.
    • Pick your EMM – Select a supported EMM. Select the option Hexnode For Work for Hexnode.
    • EMM Agent APK – Provide URL to the APK that will be downloaded to your devices. The URL to the APK is auto filled on selecting Hexnode For Work.
    • EMM Server URI (optional) – Enter the EMM server URL of your Hexnode UEM portal to which the devices get enrolled. For example, ‘https://yourportal.hexnodemdm.com’.

    Then, click CONTINUE.

  2. Subsequently, you will be directed to a page where you need to configure EMM settings and device configurations.
    • Custom JSON Data (as defined by EMM) – When setting up a KME profile compatible with Android Enterprise, you can choose between two management modes:
      • Device Owner mode
      • Work Profile on Company-Owned Device (WP-C) mode

      To configure either mode, copy the appropriate JSON (JavaScript Object Notation) string from Enroll > Platform-Specific > Samsung Knox in the Hexnode UEM portal and paste it into the ‘Custom JSON data’ section of the Knox profile. This enables Hexnode UEM to identify and implement the custom configuration specified in the JSON data.

      In Knox Mobile Enrollment, you can include Custom JSON data to specify the management mode

    • Root/intermediate certificate (Optional) – Choose a root/intermediate certificate for installation during KME enrollment. Supported file formats include .cer, .pem, .crt, .der, and .ca-bundle. This feature is available on devices running Android 9 or later.
    • Dual DAR – To provide an additional layer of security for KME data, you can Enable Dual DAR. This feature encrypts the data with two layers of encryption, even when the device is in an unauthenticated or powered off state. After enabling dual encryption, you can optionally select a third-party cryptography app and add its package and signature.
    • QR code for enrollment (Optional): To enroll a device using a QR code, click Add A QR CODE to begin setting up the QR code enrollment.
      • Choose whether to allow QR code enrollment for devices that were not uploaded by a reseller.
      • Select one of the following options for including Wi-Fi data in the QR code:
        • No Wi-Fi network configuration to create a QR code with no network data.
        • Add Wi-Fi network configuration to QR code to include security data and proxy traffic gateway information within the generated QR code content.
    • You can select either of the options to disable/enable system apps for the profile:
      • Disable system applications – Ensures all system apps are disabled.
      • Leave all system apps enabled – Ensures all system apps are enabled. If this option isn’t selected, only a limited set of system apps (My Files, Contacts, and Play Store) are available in the device’s apps tray. Additionally, system apps cannot be installed or removed by the device user.
    • Privacy Policy, EULA and Terms of Service (Optional) – Add any end user license agreements, terms of service or other user agreements that the user must acknowledge before using the device. The Samsung Knox Privacy Policy is always shown. Click on Add legal agreement. Enter an Agreement title and Agreement text.
    • Company Name – Specify the MDM organization name displayed at the time of device enrollment. The field is auto filled with Mitsogo Inc.
    • Enrollment screens (Optional): Specify which screens are displayed during the enrollment process.
      • Show all Android Enterprise setup screens, including the screen(s) which can be skipped in Android 12 or above: This option ensures that all setup screens are displayed during the enrollment process, even those that can be skipped on Android 12 or newer versions.
      • Show the setup wizard after EMM enrollment: This option displays the Google Services screen after enrollment, which allows you to configure location settings, install app updates, send usage and diagnostic data, etc.

    Then, click on CREATE to generate the profile.

When creating an Android Enterprise (ADVANCED) profile:

  1. First, you will need to define your profile details:
    • Profile Name – Enter an appropriate profile name to distinguish it from other profiles.
    • Description (Optional) – Describe the profile in a maximum of 200 characters.
    • EMM INFORMATION – Specify the EMM information for the profile.
    • Pick your EMM – Select a supported EMM. Select the option Hexnode For Work for Hexnode.
    • EMM Agent APK – Provide URL to the APK that will be downloaded to your devices. The URL to the APK is auto filled on selecting Hexnode For Work.
    • EMM Server URI (optional) – Enter the EMM server URL of your Hexnode UEM portal to which the devices get enrolled. For example, ‘https://yourportal.hexnodemdm.com’.

    Then, click CONTINUE.

  2. Subsequently, you will be directed to a page where you need to configure EMM settings and device configurations.
    • Custom JSON Data (as defined by EMM) – When setting up a KME profile compatible with Android Enterprise, you can choose between two management modes:
      • Device Owner mode
      • Work Profile on Company-Owned Device (WP-C) mode

      To configure either mode, copy the appropriate JSON (JavaScript Object Notation) string from Enroll > Platform-Specific > Samsung Knox in the Hexnode UEM portal and paste it into the ‘Custom JSON data’ section of the Knox profile. This enables Hexnode UEM to identify and implement the custom configuration specified in the JSON data.

      In Knox Mobile Enrollment, you can include Custom JSON data to specify the management mode

    • Root/intermediate certificate (Optional) – Choose a root/intermediate certificate for installation during KME enrollment. Supported file formats include .cer, .pem, .crt, .der, and .ca-bundle. This feature is available on devices running Android 9 or later.
    • Dual DAR – To provide an additional layer of security for KME data, you can Enable Dual DAR. This feature encrypts the data with two layers of encryption, even when the device is in an unauthenticated or powered off state. After enabling dual encryption, you can optionally select a third-party cryptography app and add its package and signature.
    • QR code for enrollment (Optional): To enroll a device using a QR code, click Add A QR CODE to begin setting up the QR code enrollment.
      • Choose whether to allow QR code enrollment for devices that were not uploaded by a reseller.
      • Select one of the following options for including Wi-Fi data in the QR code:
        • No Wi-Fi network configuration to create a QR code with no network data.
        • Add Wi-Fi network configuration to QR code to include security data and proxy traffic gateway information within the generated QR code content.
    • You can select either of the options to disable/enable system apps for the profile:
      • Disable system applications – Ensures all system apps are disabled.
      • Leave all system apps enabled – Ensures all system apps are enabled. If this option isn’t selected, only a limited set of system apps (My Files, Contacts, and Play Store) are available in the device’s apps tray. Additionally, system apps cannot be installed or removed by the device user.
    • Privacy Policy, EULA and Terms of Service (Optional) – Add any end user license agreements, terms of service or other user agreements that the user must acknowledge before using the device. The Samsung Knox Privacy Policy is always shown. Click on Add legal agreement. Enter an Agreement title and Agreement text.
    • Company Name – Specify the MDM organization name displayed at the time of device enrollment. The field is auto filled with Mitsogo Inc.
    • Enrollment screens (Optional): Specify which screens are displayed during the enrollment process.
      • Show all Android Enterprise setup screens, including the screen(s) which can be skipped in Android 12 or above: This option ensures that all setup screens are displayed during the enrollment process, even those that can be skipped on Android 12 or newer versions.
      • Show the setup wizard after EMM enrollment: This option displays the Google Services screen after enrollment, which allows you to configure location settings, install app updates, send usage and diagnostic data, etc.

    Then, click CONTINUE.

  3. After setup completion, you can configure advanced options for locking unenrolled devices:
    • Specify lock duration: Set the number of days before a device is locked if not enrolled with an EMM
    • Immediate lock for rooted or unofficial firmware: Choose to immediately lock such devices, bypassing the specified lock duration.
    • Lock screen message and contact details: Input a message and contact number to display on the lock screen for users to reach out in case of a locked device.

    Click CREATE to generate the profile.

Note:

Advanced profile settings are exclusively accessible with a valid Knox Suite license. Device enrollment will still take place without this license, but you won’t have access to advanced settings.

You can edit the profile any time by clicking on the profile name and delete the profile by selecting the profile and clicking Delete profile.

Step 2: Add devices to your portal

Sign in to your Knox Portal account. There are two options by which you can add device information:

  1. Reseller Devices – When a device is purchased from a reseller, they can automatically upload it to your account. The devices will appear in Devices > Uploads. For this, you must register your participating Samsung device reseller.
    1. Select the Resellers option from the left-hand navigation menu.
    2. Click on Register reseller.
    3. Contact the reseller to obtain their Knox Reseller ID. Once you have the Reseller ID, enter it and click on LOOKUP. The reseller’s details will then appear under Reseller found.
    4. Click REGISTER to proceed.
    5. To automatically accept all existing and future device uploads from this reseller, navigate to Auto Approval and select Automatically approve all uploads from this reseller. Then, under Auto Assign Profile after Approval, choose a default profile and license to assign to devices uploaded by this reseller after they are manually or automatically approved.
    6. Once configured, click SAVE.
  2. Knox Deployment Application – Use the Knox Deployment Application to enroll devices that were not purchased from an approved reseller.

    Steps:

    1. Download the Knox Deployment Application from the Google play store on any compatible device. Download from this link – Knox Deployment app.
    2. Launch the app and sign in using the Knox portal username and password. When you log in for the first time a welcome screen will be displayed for assisting you.
    3. Click on Profile. All profiles will be listed, or you can select Knox Mobile Enrollment profiles in particular. Choose the profile you want to associate with your devices.
    4. Choose a Deployment mode. Here you have 3 options: Bluetooth, or Wi-Fi Direct.

      Bluetooth

      • Select Bluetooth as the device deployment mode.
      • Wi-Fi configuration – By configuring Wi-Fi for deployed devices, you can send a network configuration to the device so that it can connect to the network.
        • Click on Wi-Fi for deployed devices > Allow.
        • Choose a network from the list or add one.
        • Type in the password and click OK.
        Note:

        Wi-Fi configuration will work only with gesture-based deployment on devices running Knox 3.2 and higher.

      • Click on Start deployment.
      • Set the Bluetooth duration, which is 30 minutes by default, and check the Accept automatically option to automatically accept pairing requests from devices to be enrolled.
      • Click OK > Start Deployment.
      • Follow the onscreen instructions and enroll the device.
      • Click on Finish deployment from the app.

      The device will be listed in the Knox portal with the tag Bluetooth.

      Wi-Fi Direct

      • Select Wi-Fi Direct as the Deployment mode.
      • Select Wi-Fi Direct setting: Choose whether the Wi-Fi Direct connection is automatic or manual.
        • Accept manually: Requires the user to enter a generated PIN every time a connection is requested from an enrolling device.
          • Select Accept Manually from Select Wi-Fi setting.
          • Note down the PIN which is required for manual connection and tap Connect before the countdown expires.
          • An Accept sharing request screen appears prompting for the PIN before the countdown expires. Type the PIN and Click on Accept.
          • The enrollment information will be sent to the enrolling device via the newly established Wi-Fi direct connection.
          • Click on Finish deployment once it’s done.
        • Accept automatically: Automatically accepts connection requests from the enrolling device.
          • Select Accept automatically from Select Wi-Fi setting.
          • Tap Connect before the countdown expires.
          • The enrollment information will be sent to the enrolling device via the newly established Wi-Fi direct connection.
          • Click on Finish deployment once it’s done.

        Note:

        Wi-Fi Direct will work only with gesture-based deployment on devices running Knox version 3.2.1 and higher.

Step 3: Configure and assign devices to a profile

Note:

Hexnode supports the ‘Username Passthrough’ feature offered by KME to authenticate and enroll a device with minimal user interaction. You can optionally configure Username Passthrough while assigning profiles to devices.

To assign a profile to a single device:

  1. Select the Devices option from the left-hand navigation menu.
  2. Click on the required device.
  3. Fill the following fields on the device details window:
    • Profile: Assign a profile to the device.
    • Tags: Add relevant tags to categorize devices and easily search for them.
    • User ID: Enter a user ID if you wish to set up Username Passthrough for the device.
  4. Click Save.

To assign an MDM profile to a single device, navigate to the Device Details page in the Knox Admin Portal

To assign a profile to more than one device:

  1. Select the Devices option from the left-hand navigation menu.
  2. Check the required device(s) > Click on Actions > Configure Devices.
  3. Configure the following fields in the window that pops up:
    • Modify the profile of selected devices: Assign a profile to the selected device(s). In addition, there are two other options which you can choose:
      • Keep current profiles – Select to keep the existing profile assignments for each device.
      • Clear profiles – Select this option to remove the existing profile assignments.
    • Add tags to selected devices: Add relevant tags to categorize devices and easily search for them. If the “Overwrite existing tag” checkbox is selected, any existing tags on the device will be replaced with the tags added here.
    • User credentials: Configure user credentials to set up Username Passthrough functionality for the selected devices. Choose any of following options:
      • Keep current credentials – Select this option to use the existing user credentials.
      • Clear user credentials – Select this option to clear the existing credentials.
      • Overwrite user credentials – Select this option to provide new credentials.
  4. Click Save.

Configuring multiple devices and assigning an MDM profile to them

To assign profiles in bulk

  1. Select the Devices option from the left-hand navigation menu.
  2. Select the necessary devices and download the device information as a CSV file. Modify the file by adding User ID information to the right of Device ID. You can also add passwords in the next column if needed.
  3. Click on BULK ACTIONS > ASSIGN USER CREDENTIALS AND PROFILE.
  4. Upload the edited CSV file.
  5. Modify the profile of the selected devices and overwrite existing tags if needed.
  6. Click Submit.

Assigning MDM profiles to multiple devices in bulk using a CSV file

How to add device users to your KME portal?

To add a new device user

  1. Select Device Users option from the left-hand navigation menu.
  2. Click add device users.
  3. Enter User ID and Password > Click on Add.

A new device user can be added to the Knox Admin portal

To edit and update the details of an already existing user

  1. Select Device Users option from the left-hand navigation menu.
  2. Click on the user and edit the details.
  3. Update the details > Save.

Editing and updating device user information in the Knox Admin portal

You can remove an already existing user

  1. Select Device Users option from the left-hand navigation menu.
  2. Select the check box of the required device user.
  3. Go to Action > Delete Device Users.
  4. A pop-up arises. Select Delete.

Importing a device user

You can upload a group of user credentials to assign them to your devices in the future. To include user credentials in the device list, create a CSV file with one row (line) per device (with a maximum limit of 10,000 devices/rows).

  1. Select Device Users option from the left-hand navigation menu.
  2. Select the check box of the required device user.
  3. Click on Add Device Users and click add multiple device users.
  4. Refer to the instructions for creating a CSV file. Select Got it when you are done reading the instructions.
  5. Upload the CSV file > Submit.

Uploading a group of user credentials to assign them to devices
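
Both CSV uploads described above (User ID to the right of Device ID for bulk profile assignment, and the device-user import capped at 10,000 rows) can be checked locally before upload. The following is an added example, not Hexnode or Samsung code: it assumes a header-less file with the columns Device ID, User ID and optional Password, and the function names and sample values are hypothetical.

```python
import csv
import io
import os

MAX_ROWS = 10_000  # row limit this page gives for the device-user CSV


def check_kme_csv(text, require_password=False):
    """Validate CSV text; return (clean_rows, problems).

    Assumed layout (not confirmed by the page): no header row, one device
    per line, columns in the order Device ID, User ID, optional Password.
    """
    clean, problems, first_seen, total = [], [], {}, 0
    for lineno, rec in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not any(cell.strip() for cell in rec):
            continue  # skip blank lines
        total += 1
        issues = []
        if len(rec) > 3:
            issues.append("more than three columns")
        if any(cell != cell.strip() for cell in rec[:2]):
            issues.append("leading or trailing whitespace in an ID")
        device_id, user_id, password = (list(rec) + ["", "", ""])[:3]
        device_id, user_id = device_id.strip(), user_id.strip()
        if not device_id:
            issues.append("missing Device ID")
        elif device_id in first_seen:
            issues.append(f"Device ID already used on line {first_seen[device_id]}")
        else:
            first_seen[device_id] = lineno
        if not user_id:
            issues.append("missing User ID")
        if require_password and not password:
            issues.append("missing password")
        if issues:
            problems.extend((lineno, msg) for msg in issues)
        else:
            clean.append((device_id, user_id, password))
    if total > MAX_ROWS:
        problems.append((0, f"{total} rows exceeds the {MAX_ROWS}-row limit"))
    return clean, problems


def write_private_csv(path, rows):
    """Write rows so only the current user can read the file (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # enforce the mode even if the file already existed
    with os.fdopen(fd, "w", newline="") as handle:
        csv.writer(handle).writerows(rows)


# Constructed sample: the IMEI-like device IDs and user IDs are made up.
SAMPLE = (
    "356938035643809,alice@example.com,\n"
    "356938035643817,bob@example.com,Temp#4821\n"
    "356938035643809,carol@example.com,\n"
    "356938035643825,,\n"
)

if __name__ == "__main__":
    rows, problems = check_kme_csv(SAMPLE)
    for lineno, message in problems:
        print(f"line {lineno}: {message}")
    print(f"{len(rows)} rows ready for upload")
```

Because the file can hold passwords in clear text, keep it readable only by the administrator who uploads it and delete it once the upload is confirmed.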
 

 
