Enroll devices

There are several ways to enroll your devices in Knox Asset Intelligence. To start, you need to install the Knox Asset Intelligence agent on the devices through one of the following methods:

• Install the agent from Google Play
• Enroll with an EMM
• Enroll with OOBE (out-of-box experience)

Enrollment steps

Enroll with an EMM

You can easily deploy the Knox Asset Intelligence agent to your devices through your EMM and the Google Play Store. The following procedures prescribe the general actions you need to perform on your EMM — refer to your EMM’s documentation for more precise descriptions of how to accomplish these actions.

To enroll a device in Knox Asset Intelligence with most EMMs:

1. Sign in to your EMM console.

2. In an Android Enterprise device profile or payload, add Knox Asset Intelligence on public Google Play as an app.

3. (Optional) If you want to collect location data on your devices, set the app permission policy to Grant. If your devices are running Android 12 or higher, permissions are granted differently based on your device management mode.

   • For fully managed deployments, EMMs can pre-grant location permissions during enrollment.
   • For work profile on company-owned device deployments, device users must manually grant location permissions to the agent when prompted before Knox Asset Intelligence can collect location data from the device.

4. Assign the Knox Asset Intelligence agent to your profile. Make sure to configure the app to auto-launch after installation.

5. Save the device profile or payload and assign it to the target devices.

To enroll a device in Knox Asset Intelligence with Knox Manage (KM):

1. Sign in to the KM console.

2. Begin following the instructions in Add public applications using Google Play Store.

3. In Step 4, enter Knox Asset Intelligence as the app to add.

4. On the Assign Application page, set Auto-run after installation to Yes.

5. Go to Profile.

6. Create a new Android Enterprise profile, or edit an existing one.

7. On the Set Policy page, go to Application.

8. (Optional) If you want to collect location data on your devices, for the App Permission policy, set the Device Controls and Work Profile Controls to Grant. If your devices are running Android 12 or higher, permissions are granted differently based on your device management mode.

   • For fully managed deployments, EMMs can pre-grant location permissions during enrollment.
   • For work profile on company-owned device deployments, device users must manually grant location permissions to the agent when prompted before Knox Asset Intelligence can collect location data from the device.

9. Click Save & Assign. The Assign Profile page opens.

10. Select the group or organization to assign the app to, then click Assign & Apply.

Enroll with OOBE

Knox Asset Intelligence also supports out-of-box experience (OOBE), allowing you to automatically enroll devices when the device is turned on for the first time, or after a factory reset.

When the device is turned on during OOBE, the Knox enrollment service checks whether the device:

• Was uploaded by a reseller,
• Is registered in Knox Asset Intelligence with the Not enrolled status, and
• Has the auto-enrollment feature enabled.

If the device user has already completed the setup wizard, the device must be enrolled either manually or through an EMM policy.

If the three preceding pre-conditions are satisfied, the enrollment service attempts to download the Knox Asset Intelligence agent. If the agent download fails, a notification prompts the device user to retry the download. This notification persists until the download is complete.

If the device successfully installs the agent, the agent launches in the background and automatically starts the enrollment process, regardless of whether it received runtime permissions. On devices with a work profile, the agent installs in the work profile. A notification displays on the device while enrollment is in progress.

In the event of an enrollment failure, the device notifies the user. They can either tap Retry on the notification or manually launch the agent to attempt enrollment again.

Depending on your device’s enrollment type, the device either asks for or receives runtime permissions before enrollment. If location permissions aren’t granted to the agent, a notification prompts the device user to grant location permissions with options to Allow or Deny. Regardless of the device user’s choice, only location data collection is affected — enrollment isn’t impacted.

Auto-enrollment

Devices enrolling in Knox Asset Intelligence through OOBE must be explicitly granted permission to do so from either:

• The Resellers menu
• The Devices menu

Only admins with the Manage devices permission can enable or disable auto-enrollment for devices.

In the Resellers menu

If you configured a reseller to automatically approve all device uploads from a reseller, you can also choose to automatically enroll those devices when they’re turned on for the first time:

1. In the Resellers menu, select a reseller name.
2. In the reseller details panel, enable Automatically enroll all devices uploaded from this reseller when devices are turned on for the first time (out-of-box experience). This option is only available if Automatically approve all devices uploaded by this reseller is also enabled.
3. Click SAVE.

Current and future uploads from the reseller are then set to automatically enroll through OOBE, and have the Enabled status.

In the Devices menu

The device list shows the auto-enrollment status of each device, which is either Enabled or Disabled. You can also click a device ID to check this status through the device details.

In the Devices menu, you can enable or disable auto-enrollment for devices by:

• Selecting one or more devices not in the Pending status and clicking Actions > Enable auto-enrollment or Disable auto-enrollment,
• Uploading a CSV file containing devices you want to enable or disable auto-enrollment for, o
• Enabling Automatically enroll all devices uploaded from this reseller when devices are turned on for the first time (out-of-box experience) for a device upload in the Uploads tab.

If you want to upload a CSV file containing devices to enable or disable auto-enrollment for:

1. In the BULK ACTIONS tab, select ENABLE AUTO-ENROLLMENT or DISABLE AUTO-ENROLLMENT.
2. Using the provided template, upload a CSV file with only device IDs.

By default, current devices and all subsequent devices that are approved have auto-enrollment disabled. If you want your devices to automatically enroll after a factory reset or when they’re turned on for the first time, enable auto-enrollment for them.

Enrollment flows

Depending on which method you choose, the enrollment process differs slightly. This section describes the different enrollment flows you might encounter, based on your device fleet and preferred deployment mode.

Knox Asset Intelligence supports the following deployment modes and enrollment methods:

1. Fully managed devices enrolled through an EMM
2. Devices with a work profile enrolled through an EMM
3. Fully managed devices enrolled through OOBE
4. Devices with a work profile enrolled through OOBE

Enrolling fully managed devices through an EMM

If you’re enrolling devices in fully managed mode through an EMM, you can pre-grant location permissions and skip prompting the device user for them.

If you pre-granted location permissions and Knox Asset Intelligence is set to auto-launch through the Knox Service Plugin:

1. Enrollment starts in the background.
2. After enrollment completes, the agent pushes a notification.
3. If the device user taps the notification, the Knox Asset Intelligence terms & conditions are shown.
4. If the device user taps Continue, the agent status information displays.

If you pre-granted location permissions and Knox Asset Intelligence is set to auto-launch through your EMM:

1. The Knox Asset Intelligence agent launches in the foreground.
2. After enrollment completes, the agent status information displays automatically.

If you didn’t pre-grant location permissions and Knox Asset Intelligence is set to auto-launch through the Knox Service Plugin:

1. Enrollment starts in the background.
2. After enrollment completes, the agent pushes a notification.
3. If the device user taps the notification, a popup opens and asks them to grant location permissions to the Knox Asset Intelligence agent.
4. After the device user acknowledges the popup, the Knox Asset Intelligence terms & conditions are shown.
5. If the device user taps Continue, the agent status information is displayed.

If you didn’t pre-grant location permissions and Knox Asset Intelligence is set to auto-launch through your EMM:

1. The Knox Asset Intelligence agent launches in the foreground.
2. After enrollment completes, the Knox Asset Intelligence agent pushes a notification.
3. If the device user taps the notification, a popup opens and asks them to grant location permissions to the agent.
4. After the device user acknowledges the popup, the Knox Asset Intelligence terms & conditions are shown.
5. If the device user taps Continue, the agent status information is displayed.

Enrolling devices with a work profile through an EMM

If you’re enrolling devices with a work profile through an EMM, location permissions can’t be granted by default. A popup prompts the device user to grant permissions.

If Knox Asset Intelligence is set to auto-launch through the Knox Service Plugin:

1. Enrollment starts in the background.
2. After enrollment completes, the Knox Asset Intelligence agent pushes a notification.
3. If the device user taps the notification, a popup opens and asks them to grant location permissions to the agent.
4. After the device user acknowledges the popup, the Knox Asset Intelligence terms & conditions are shown.
5. If the device user taps Continue, the agent status information is displayed.

If Knox Asset Intelligence is set to auto-launch through your EMM:

1. The Knox Asset Intelligence agent launches in the foreground.
2. After enrollment completes, a popup opens and asks them to grant location permissions to the agent.
3. After the device user acknowledges the popup, the agent status information is displayed.

Enrolling fully managed devices through OOBE

If you’re using out-of-box experience (OOBE), location permissions are automatically granted because the device is fully managed, supporting seamless deployment. If you don’t want location permissions to be automatically granted, deploy the Knox Asset Intelligence agent with an EMM instead.

1. The Knox Asset Intelligence agent is downloaded on the device.
2. Enrollment starts in the background.
3. After enrollment completes, the agent pushes a notification.
4. If the device user taps the notification, the Knox Asset Intelligence terms & conditions are shown.
5. If the device user taps Continue, the agent status information is displayed.

Enrolling devices with a work profile through OOBE

If you’re using out-of-box experience (OOBE) and enrolling your devices with a work profile, location permissions can’t be granted by default. A popup prompts the device user to grant those permissions.

1. The Knox Asset Intelligence agent is downloaded on the device.
2. Enrollment starts in the background.
3. After enrollment completes, the agent pushes a notification.
4. If the device user taps the notification, a popup opens and asks them to grant location permissions.
5. After the device user acknowledges the popup, the Knox Asset Intelligence terms & conditions are shown.
6. If the device user taps Continue, the agent status information is displayed.