Menu

Knox Deployment App

The Knox Deployment App is a mobile application uniquely designed to help streamline the enterprise deployment of Samsung phones and tablets running Knox 2.7.1 or higher. The Knox Deployment App enables customers to seamlessly deploy their devices through Knox Configure (KC).

About

The Knox Deployment App provides the flexible option to IT admins needing to bulk enroll end-user devices to KC without having a reseller. Using this app allows IT Admins to reduce their bulk deployment time, and easily locate the devices within the KC console upon enrollment.

Prerequisites

To support Bluetooth, NFC, or Wi-Fi Direct Knox Deployment App enrollments, an IT admin must:

  1. Secure a Knox Portal account and ensure:
    • Your devices support the Bluetooth or NFC protocols. Check your device specification if unsure.
    • You have at least one profile configured in Knox Configure or Knox Mobile Enrollment portal
  2. Secure the appropriate licenses to enroll devices (through the Samsung Knox Portal).
  3. A Knox Portal account. For more information, go to: Sign up for Knox Configure.
  4. Install the Knox Deployment on an admin/primary device, and login using their Knox Portal ID/password.
  5. Select a KC profile on the admin/primary device to apply to the end-user devices.
NOTE — The Knox Deployment App does not support the KC enrollment of Samsung devices without Knox (Other Samsung devices).

Bluetooth enrollment

To support Bluetooth-based enrollment, an IT admin installs the Samsung Knox Deployment App on a dedicated admin/primary smartphone or tablet device, and selects existing KC configuration profiles to update a separate end user device. If the user’s device is within proximity of the admin/primary device, the user device connects to the admin device wirelessly via Bluetooth without a PIN or password requirement. For more information, go to: Bluetooth deployment.

NFC enrollment

With Near Field Communication (NFC) enrolments, a non-B2B device is “bumped” (held closely together) with another smartphone device with Knox Deployment App running and scanning in NFC mode. The dedicated primary NFC device displays profiles available for enrollment and end user device enrollment begins once an IT admin selects a profile. The NFC enrollment option is not available to tablet devices. For more information, go to: NFC deployment.

Wi-Fi Direct enrollment

Wi-Fi Direct supported devices can connect directly to each other via a WLAN, without joining a traditional wireless network or Wi-Fi hotspot. Once enabled, the device automatically scans for other supported Wi-Fi direct devices. Once discovered, specific devices can be selected for enrollment data transfer. For more information, go to Wi-Fi Direct deployment.

NOTE — Using the Knox Deployment App does not apply the profile to the admin/primary device. It only broadcasts the profile to the devices in the vicinity. Only end-user devices within physical proximity of the admin/primary device with an active Knox Deployment App can enroll to KC.

NOTE —The screens utilized within this guide are from a smartphone. If running the Knox Deployment App on a tablet, the information on the screen would be identical, just optimized to fit the tablet’s display capabilities.

App version information

Knox Deployment App version information and available open source licenses can be referenced from within the ABOUT screen. Samsung recommends you periodically compare the Knox Deployment App’s version to the latest available from Samsung to ensure you have the latest feature set and functionality available.

To launch the Knox Deployment App’s ABOUT screen:

  1. Invoke the drop-down menu from the top, right-hand, side of the device and select About.

  2. Refer to the listed version number and note the version. If needed, select Open source licenses to review the available open source licenses available to your Knox deployment.

Using the Knox Deployment App

This section describes the screen flow navigation for a typical enrollment using the Knox Deployment App.

  1. Select SIGN IN once the Knox Deployment App launches on the device.
    2. NOTE — If the Knox Deployment App is already running on the device, the initial screen does not display, and the application displays the sign in screen.

  2. Enter the Knox Portal Username and Password to login into the Knox Deployment App.

  3. Select Remember me to display and utilize the username in subsequent Knox Deployment App logins.
    4. NOTE —If you encounter difficulty logging in to the Knox Deployment App, ensure you have either a valid Knox Portal account with privileges for KC. If that is not the issue, select Forgot your email or password? for assistance retrieving your login credentials.
  4. Select SIGN IN to proceed with the device login.

Once you have successfully logged into the Knox Deployment App, a WELCOME screen displays providing first-time options for profile selection and deployment mode.

NOTE —Once the Knox Deployment App profile selection and configuration mode are set, the selected options display within their respective fields, the START DEPLOYMENT option enables, and the Welcome portion of screen no longer displays in subsequent logins.

Profile selection

Select a profile to apply specific device settings to a primary/admin device using to enroll end user devices.

To select a configuration profile using the Knox Deployment App:

  1. Select Tap here to select a profile from the Welcome screen display a list of profile selection options.

  2. Optionally filter whether All profiles are listed for potential selection or just Knox Configure or Knox Mobile Enrollment defined profiles. The most recent profile additions display first within their respective categories.
    • Each listed profile has a brief description to help determine its relevance to a potential Bluetooth device enrollment using the Knox Development App. An important distinction to the profile description is the profile’s relevance to either phones and tablets or wearable devices.
    • If needed, select the Search icon near the top of the screen to display a search field where existing profiles can be located and displayed. The search function only locates filtered profiles.
    • If there are no profiles available, a profile requires creation using the Knox Configure console at www.samsungknox.com. For more information on deploying devices with a Knox Configure profile, go to: Deploying devices with a profile.

  3. Select a listed profile. Once selected, the profile displays upon subsequent logins. The profile is now ready for Bluetooth, NFC, or Wi-Fi Direct deployment mode selection as described in the sections that follow.

Bluetooth deployment

Once profiles are set on the primary admin device, the IT admin needs to set Bluetooth as the deployment mode and define the Bluetooth duration interval. End users can then enroll their device by entering the appropriate URL via KC.

To deploy devices using the KDA:

  1. From the admin primary device, navigate to the SELECT DEPLOYMENT MODE screen and select Bluetooth as the device deployment mode.

  2. If setting up a Wi-Fi connection resource for the device, select Wi-Fi for deployed devices, and select either a saved or available network resource for connection. Wi-Fi credentials are validated upon input, so ensure they are correct. Using Wi-Fi, a device can connect to a specified configured network to communicate externally.The following restrictions apply for the Wi-Fi for deployed devices setting:
    • Only out-of box KC trigger (+ gesture) deployments are supported.
    • The receiver device must be utilizing Knox version 3.2 or above.
    • Only Note9 and Tab S4 and above devices are supported.
    • Not supported on wearable devices.

    NOTE — Both the primary/admin and receiver devices require an Internet connection (Wi-Fi or cellular) for this feature to work.
  3. Set the Bluetooth Duration for either 30 minutes, 1 hour, 3 hours, 5 hours or 8 hours. Select OK to save the update.
    • The Bluetooth duration is deployment activation period for end user devices receiving their profile configuration from the IT admin’s primary device. Once the set duration expires, devices cannot enroll with the Knox Deployment App, and the process must be repeated to continue the enrollment of other required devices.
      • NOTE — The Accept automatically option auto accepts pairing requests from enrolling devices. When selected, the pairing dialogue does not display on either the primary or receiving device.
      NOTE — The device must remain on for the entire Bluetooth duration, so ensure battery resources are available if selecting a longer duration option.

  4. From the Knox Deployment screen, the admin selects START DEPLOYMENT to initiate the defined Bluetooth Duration interval.
    5. NOTE — As long as the defined Bluetooth Duration interval is still counting down, and user has not put the application in the background, the device’s display will not time out.
    NOTE — Bluetooth must be turned on and running on the device to start deployment. If Bluetooth is off, a prompt displays and the admin must select TURN ON to enable Bluetooth.

  5. The device’s end user must go to https://me.samsungknox.com and complete the instructions provided.
  6. The end user then selects FINISH DEPLOYMENT to complete the enrollment.
    7. NOTE — Once completed, the Bluetooth enrolled profile displays within KC with other enrolled profiles. If necessary, refer to the device’s About screen for Knox Deployment App version information and open source license availability.

NFC deployment

Once profiles are set on the primary admin device, the IT admin needs sets NFC as the deployment mode. If you are NFC enrolling a device using both KC and KME, use KC first.

To deploy devices using the KDA:

  1. From the admin primary device, navigate to the SELECT DEPLOYMENT MODE screen and select NFC as the device deployment mode.
    2. NOTE — To deploy, both NFC and Android Beam must be on within the device’s Settings menu.

  2. If setting up a Wi-Fi connection resource for the device, select Wi-Fi for deployed devices, and select either a saved or available network resource for connection. Using Wi-Fi, a device can connect to a specified configured network to communicate externally. The following restrictions apply for the Wi-Fi for deployed devices setting:
    • Only out-of box KC (+ gesture) deployments are supported
    • The receiver device must be utilizing Knox version 3.2 or above
    • Only Note9 and Tab S4 and above devices are supported
    • Not supported on wearable devices
    NOTE — Both the primary and receiver device require an Internet connection (Wi-Fi or cellular) for this feature to work.

  3. Beam enrollment information to the receiving device by holding the primary/admin device back-to-back with an NFC enabled and compatible device and then pressing the screen as illustrated below.

  4. Select FINISH DEPLOYMENT on primary/admin device once the NFC beam is completed with the end user device.
    5. NOTE — Once completed, the NFC enrolled profile displays within KC with other enrolled profiles. If necessary, refer to the device’s About screen for Knox Deployment App version information and open source license availability.

Wi-Fi Direct deployment

Wi-Fi direct devices can connect directly to each other over a WLAN without a wireless network or Wi-Fi hotspot. Once enabled, the device automatically scans for other supported Wi-Fi direct devices. Once located, specific devices can be identified for data transfers.

NOTE - To successfully enroll in KC using Wi-Fi Direct, the receiver device must be utilizing Knox version 3.2.1 and above or Android P OS and above. Wi-Fi Direct is not supported on wearable devices.

Only out-of-box "trigger" deployments are supported for Wi-Fi Direct device deployments. Trigger deployments utilize a plus sign (+) gesture on a device's Welcome screen to start an out-of-box deployment, and bypass the setup wizard.

To enroll and deploy devices using the KDA Wi-Fi Direct option:

  1. From the admin primary device, navigate to the SELECT DEPLOYMENT MODE screen and select Wi-Fi Direct as the device deployment mode.

  1. Once Wi-Fi Direct is selected as the deployment mode, specify whether the Wi-Fi Direct connection is automatic or manual from the following two options:

  • Accept manually - Requires a device user to enter a system generated PIN every time a connection is requested from an enrolling device. This is the default setting, and provides greater security and data protection.
  • Accept automatically - Automatically accept connection requests from enrolling devices.

Both of these Wi-Fi Direct connection options are described in the sections that follow.

Accept connection requests automatically

If wanting to establish an automatic Wi-Fi Direct connection:

  1. Select Accept automatically when prompted from the Select Wi-Fi Direct screen.

  1. Select Connect before the countdown expires to initiate a Wi-Fi Direct connection with the primary/admin device. This enables the listed device to share enrollment information via the newly established Wi-Fi Direct connection.
  2. Select FINISH DEPLOYMENT on primary/admin device to complete the enrollment date transfer.

Accept connection requests manually

If wanting to establish a manual Wi-Fi Direct connection:

NOTE — A Wi-Fi Direct manual connection requires a PIN be entered correctly before the expiration of a timer. Ensure you correctly document the displayed PIN before pressing Connect to initiate the countdown timer.
  1. Select Accept manually when prompted from the Select Wi-Fi Direct screen.

  1. Document the displayed PIN needed to proceed with the manual Wi-Fi Direct connection.
  2. Select Connect before the countdown expires to proceed. An Accept sharing request screen displays prompting for the required PIN before the countdown timer expires.
  3. Type the required PIN and select Accept. This enables the listed primary/admin device to share enrollment information via the newly established Wi-Fi Direct connection.
  4. Select FINISH DEPLOYMENT on primary/admin device to complete the enrollment date transfer.