Samsung Knox Mobile Enrollment
Knox Mobile Enrollment is an enrollment method that streamlines the enrollment of Samsung Knox devices into MDM solutions. It allows admins to enroll the Samsung devices out-of-the-box by performing a one-time setup. In addition to automating device enrollment, Samsung Knox Mobile Enrollment facilitates the apps, documents and profiles to be distributed to the device upon enrollment to simplify device provisioning.
Only devices purchased from authorized resellers can be enrolled using Samsung Knox Mobile Enrollment.
Note: BYOD Samsung devices (profile owner devices) can be enrolled using Invite enrollment and Self enrollment.
We have made your job simpler!
Learn how to perform out-of-the-box Samsung Knox Mobile Enrollment using MDM, in under 5 minutes through this demo video.
There are 4 stages in Knox Device Enrollment, they are:
Creating Knox Account
A Knox account is required to leverage Samsung Knox enrollment for enrolling Samsung devices into MDM. To create a Samsung Knox account, refer this.
Integrating with MDM
After creating the Knox enrollment, follow the steps given below to integrate MDM with the Knox enrollment portal to initiate enrollment
- On the Samsung Knox Enrollment portal, login with your Knox account credentials.
- Click on Profiles under the Knox Mobile Enrollment tab and select Create Profile.
- Select Android Enterprise as the profile type. This will ensure the devices enrolled using Knox Enrollment are automatically provisioned as Device Owner. Device Admin is the legacy management method and hence it is recommended to select Android Enterprise as the profile type.
- Specify the name of the profile, select ManageEngine as the MDM.
- Specify the server to which the devices should be added upon enrollment under MDM Server URI.
- On the KME portal, under MDM Agent APK, specify the link to download the agent app on devices automatically after enrollment. You can choose to install the latest ME MDM app version publicly available in the Play Store or the stable app version hosted in our server.
- Navigate to Enrollment -> Knox Mobile Enrollment and select the Management Type.
Full Device Management: Admin has full control over the device.
Workspace Mangement: Admin can manage only the corporate apps and data by creating a separate work container on the device. - Copy the text available beside Custom JSON data and paste in on the Knox portal.
- You can also enable Dual DAR for improved security. Additional licenses must be purchased to enable Dual DAR
- Under Device Settings you can choose whether you want the system apps on the devices to be enabled by default or disable them based on your company's compliance policies. NOTE: MDM by default disabled a few system apps upon enrollment.
- Click on Create to complete the integration.
Adding Devices
Devices purchased from verified Resellers:
Admins can automate the device upload by entering the Reseller Details and provice the resellers with their Customer ID. This will allow the resellers to assign the devices purchased from them directly to the organization's account. Follow the steps given below to add the reseller details:
- Click on the Resellers tab on the Knox Mobile Enrollment portal.
- Click on Register Reseller and enter the Reseller ID. Click on Look Up to select the reseller associated to the specified Reseller ID.
- Any devices added by these resellers need to be approved. You can choose to automatically approve and assign specific profiles to these pages by checking the Automatically approve all devices uploaded by this reseller and selecting the required profile.
- Click on Save to save the reseller details and configured settings
If you have not selected auto-approval of devices, the devices will be available in Device -> Uploads. You can download the device list as a CSV file and specify the profiles to be associated to the devices and upload it back on the Knox Mobile Enrollment console.
Devices which are not purchased from verified Resellers:
The Knox Deployment App provides the flexible option to IT admins needing to enroll end-user devices without having a reseller. The Knox Deployment App is a mobile application available from the Google Play Store that is uniquely designed to help streamline the enterprise deployment of Samsung phones and tablets running Knox 2.8 or higher.
Note: The Knox Deployment App does not support the enrollment of Samsung devices without Knox.
- Configure a profile in KME portal for forwarding devices to our MDM.
- Install this Knox Deployment App on an administrator's Android device. Login using the Knox admin account, and configure the Knox Deployment App to use the profile created in KME portal.
- Choose a deployment mode: NFC, Bluetooth, and Wi-Fi Direct.
- NFC: You bump this admin's device with the devices that needs to be enrolled, and they'll get the profile and enrollment is complete.
- Bluetooth/Wi-Fi Direct: Set a expiry time, and any device that connects to this admin's device and goes to the URL that's said to be in the Knox Deployment App, can get the profile, and enrollment is complete.
Note :
Logging into the Knox Deployment App adds the Samsung account in the device settings. i.e. If there are any other Samsung accounts already present, then they have to remove it. However, this case is not applicable for the Admin's device.
User Assignment
After the devices are added to the MDM server, they'll be available in Enrollment -> Knox Mobile Enrollment. Admins can complete the enrollment by assigning these devices to users either individually or in bulk using the CSV file. You can also automate user assignment by enabling the users to enter their directory service credentials upon device activation. You can optionally select a Group to which the devices will be added upon enrollment. This will help automate the distribution of apps, documents and profiles to devices. To assign users, follow the steps given below:
- On the MDM server, click on Enrollment from the top menu and select Knox Mobile Enrollment, from the left pane.
- All the devices enrolled via Knox Enrollment but yet to be assigned users are listed here.
- You can assign users on a device-to-device basis, by clicking on the Assign User option present under Action. You can also assign users in bulk, by click on the Assign Users button, present above the table and uploading a CSV file, based on the specifications given here.
Automate User Assignment
- To automate user assignment, select User for the option Device to be activated by.
- If you haven't configured a directory service, you will be prompted to configure directory services. Mobile Device Manager Plus supports multiple directory services:
- Active Directory
- Entra ID(formerly Azure AD)
- G Suite
- Okta
If you are using MDM Cloud, Zoho Accounts is the default directory services used for authentication. You can also choose to configure Active Directory or Entra ID(formerly Azure AD )for authentication.
Sample CSV Format
USER_NAME,DOMAIN_NAME,EMAIL_ADDRESS,PLATFORM_TYPE,OWNED_BY,GROUP_NAME,UDID
ANDREW,,andrew@mobiledevicemanagerplus.com,iOS,Personal,IOS_Group,00f0ba8f7a6c41cca9cc5fd6b7ee666b
Note :
- The CSV file should contain the following fields: User Name, Domain Name, Email Address, Platform Type, Owned By, Group Name and UDID.
- UDID is applicable only for iOS devices.
- The fields User Name, Email Address and Platform Type are mandatory. All the other fields are optional. If not provided, default values are taken.
- The default values for various non-mandatory fields are:
Domain Name -- MDM
Owned By -- Corporate
Group Name -- Default Group for given Owned By & Platform Type. - The first line of the CSV is the column header and the columns can be in any order.
- Blank column values should be comma separated.
- If the column value contains comma, it should be specified within quotes.
Removing devices from Knox Mobile Enrollment
One of the major benefits for IT admins in enrolling devices using Samsung Knox Mobile Enrollment is that users cannot remove the ME MDM app from Samsung devices to unmanage them. If the organization needs to remove MDM from Samsung devices enrolled using Knox Mobile Enrollment, they can be removed from the Samsung Knox portal.
Follow the steps given below to removed devices enrolled using Samsung Knox Mobile Enrollment
- Login to the Samsung Knox portal.
- Select Samsung Knox Mobile Enrollment and click on Devices.
- Select the device and click on Actions.
- If you select the Clear profile option, the profiles imposed on the device will be removed. The device will not be enrolled under MDM management after this.
- If you select the Delete device option, the device details will be erased from the Samsung Knox portal.
If the devices need to be enrolled again through Knox Mobile Enrollment, the Reseller needs to be informed to add the devices again to the Knox portal.
To retire a device completely, it needs to be manually removed from Samsung Knox portal as well.