Knox Mobile Enrollment

Knox Mobile Enrollment is an enrollment method provided that streamlines the enrollment of Samsung devices into MDM solutions. It allows admins to enroll the devices out-of-the-box by performing a one time setup. In addition to automating the enrollment, the apps, documents and profiles will be distributed to the device upon enrollment to simplify device provisioning.

Only devices purchased from authorised resellers can be enrolled using Knox Mobile Enrollment.

We have made your job simpler! Learn how to perform out-of-the-box Samsung Knox Mobile Enrollment using MDM, in under 5 minutes through this demo video.

There are 4 stages in Knox Device Enrollment, they are:  

• Creating a Knox Account
• Integrating with MDM
• Adding Devices
• User Assignment

Creating Knox Account

A Knox account is required to leverage Samsung Knox enrollment for enrolling Samsung devices into MDM.  To create a Knox account, refer this.

Integrating with MDM

After creating the Knox enrollment, follow the steps given below to integrate MDM with the Knox enrollment portal to initiate enrollment

1. On the Samsung Knox Enrollment portal, login with your Knox account credentials.
2. Click on MDM Profiles and select Create Profile.
3. Select Device Owner as the profile type. This will ensure the devices enrolled using Knox Enrollment are automatically provisioned as Device Owner. Device Admin is the lgeacy management method and hence it is recommended to select Device Owner as the profile type.
4. Specify the name of the profile, select ManageEngine as the MDM and specify the server to which the devices should be added upon enrollment under MDM Server URI. The MDM Agent APK is pre-filled and this will be used to automatically install the ManageEngine MDM app after enrollment.
5. Enter the Custom JSON data available on the MDM server. It can be found by navigating to Enrollment -> Knox Mobile Enrollment. Copy the text available beside Custom JSON data and paste in on the Knox portal.
6. You can also enable Dual DAR for improved security. Additional licenses must be purchased to enable Dual DAR
7. Under Device Settings you can choose whether you want the system apps on the devices to be enabled by default or disable them based on your company's compliance policies. NOTE: MDM by default disabled a few system apps upon enrollment.
8. Click on Create to complete the integration.

Adding Devices

Admins can automate the device upload by entering the Reseller Details and provice the resellers with their Customer ID. This will allow the resellers to assign the devices purchased from them directly to the organization's account. Follow the steps given below to add the reseller details:

1. Click on the Resellers tab on the Knox Mobile Enrollment portal.
2. Click on Register Reseller and enter the Reseller ID. Click on Look Up to select the reseller associated to the specified Reseller ID.
3. Any devices added by these resellers need to be approved. You can choose to automatically approve and assign specific profiles to these pages by checking the Automatically approve all devices uploaded by this reseller and selecting the required profile.
4. Click on Save to save the reseller details and configured settings

If you have not selected auto-approval of devices, the devices will be available in Device -> Uploads. You can download the device list as a CSV file and specify the profiles to be associated to the devices and upload it back on the Knox Mobile Enrollment console.

User Assignment

After the devices are added to the MDM server, they'll be available in Enrollment -> Knox Mobile Enrollment. Admins can complete the enrollment by assigning these devices to users either individually or in bulk using the CSV file. You can also automate user assignment by enabling the users to enter their directory service credentials upon device activation. You can optionally select a Group to which the devices will be added upon enrollment. This will help automate the distribution of apps, documents and profiles to devices. To assign users, follow the steps given below:

• On the MDM server, click on Enrollment from the top menu and select Knox Mobile Enrollment, from the left pane.
• All the devices enrolled via Knox Enrollment but yet to be assigned users are listed here.
• You can assign users on a device-to-device basis, by clicking on the Assign User option present under Action. You can also assign users in bulk, by click on the Assign Users button, present above the table and uploading a CSV file, based on the specifications given here.

Automate User Assignment

• To automate user assignment, select User for the option Device to be activated by.
• If you haven't configured a directory service, you will be prompted to configure directory services. Mobile Device Manager Plus supports multiple directory services:
  • Active Directory
  • Azure AD
  • G Suite
  • Okta

If you are using MDM Cloud, Zoho Accounts is the default directory services used for authentication. You can also choose to configure Active Directory or Azure AD for authentication.

Sample CSV Format

SERIAL_NUMBER,USER_NAME,DOMAIN_NAME,EMAIL_ADDRESS,GROUP_NAME

C07Q853LG9RM,ANDREW,,andrew@zylker.com,zylker_drivers

NOTE:

1. The fields Serial Number, User Name, Email Address and Group Name are mandatory. All the other fields are optional. Ensure the specified group name is already created in the MDM server. If values are not provided, default values will be taken.
2. The default values for various non-mandatory fields are:
   Domain Name -- MDM
   Owned By -- Corporate
3. If multiple groups are specified, the group names must be separated with a slash (/)
4. The first line of the CSV is the column header and the columns can be in any order.
5. Blank column values should be comma separated.
6. If the column value contains comma, it should be specified within quotes.

Removing devices from Knox Mobile Enrollment

One of the major benefits for IT admins in enrolling devices using Samsung Knox Mobile Enrollment is that users cannot remove the ME MDM app from Samsung devices to unmanage them. If the organization needs to remove MDM from Samsung devices enrolled using Knox Mobile Enrollment, they can be removed from the Samsung Knox portal.

Follow the steps given below to removed devices enrolled using Samsung Knox Mobile Enrollment

1. Login to the Samsung Knox portal.
2. Select Samsung Knox Mobile Enrollment and click on Devices.
3. Select the device and click on Actions.
4. If you select the Clear profile option, the profiles imposed on the device will be removed. The device will not be enrolled under MDM management after this.
5. If you select the Delete device option, the device details will be erased from the Samsung Knox portal.

If the devices need to be enrolled again through Knox Mobile Enrollment, the Reseller needs to be informed to add the devices again to the Knox portal.