Back to top

Enroll a single device

Last updated June 26th, 2024

With Knox Manage, you can enroll devices manually or with a token, QR code, or Zero-touch.

Enrolling general devices (Android Legacy, iOS, and Windows)

With 23.03, Knox Manage no longer supports the Android Legacy (also known as Device Admin ) platform. The Knox Manage team strongly recommends that you migrate to the Android Enterprise platform.

For all supported systems, you can enroll a device by sending an installation guide instructing them on how to manually install the Knox Manage agent and sign in to Knox Manage.

Before enrolling devices, admins must create a user account to register enrolled devices to it. For more information on creating user accounts, see Register a single user account.

To enroll a device in general:

  1. Ask the device user to install the Knox Manage agent on the device:

  2. The device user then launches the Knox Manage agent on the device.

  3. On the login screen, the device user signs in to Knox Manage with a user ID and password. If the login succeeds, the assigned profiles, policies, and apps apply to the device.

For Android Legacy with Knox Workspace devices running Android 10 or higher, tap the enrollment notification on the status bar to install the Knox Workspace manually.

In some cases, IT admins may need to enroll specific devices using a manual enrollment method known as Limited Enrollment. For more information on managing devices using the limited enrollment method, see Manage limited enrollment.

Enroll Android Enterprise devices

Knox Manage supports the following Android Enterprise managed device types. Each manage type can be enrolled differently depending upon your organization’s IT and security needs.

Android Enterprise device enrollment types

  • Fully Managed type — This type allows you to control the entire company-owned device using Knox Manage. To activate as a Fully Managed type, you must first factory reset the device.

  • Fully Managed with a Work Profile type — This type, a combination of the Fully Managed and Work Profile types, allows you to control company-owned devices. You can manage the device’s personal area by sending device commands while controlling business apps and data within the separate Work Profile. Users can install and use personal apps on their device’s personal area, and, in this case, Knox Manage cannot control apps installed in the personal area or their data.

  • Company-owned with a Work Profile type — This type, a combination of the Fully Managed and Work Profile types, allows you to control company-owned devices with enhanced privacy protection for the personal area. You can manage the device’s personal area by sending device commands while controlling business apps and data within the separate Work Profile. Knox Manage cannot control or monitor apps and data in the personal area. This profile type is supported on devices running Android 11 or higher.

  • Work Profile type — This type allows you to control personal devices (BYOD). In this case, Knox Manage only manages the Work Profile—the work area separated from the personal area—on the device.

In order for Knox Manage to track the location of Android 11 and higher devices, the device user must grant the Knox Manage agent location access. This affects devices with the following deployment types:

  • Bring your own device (BYOD) with a Work Profile
  • Shared devices with a secondary account

You should inform users with these devices that after device enrollment and installation of the Knox Manage agent, they must allow the following access settings:

  • Android 11:
    1. When the Knox Manage agent requests location access, the user must select While using this app.
    2. Then, they must go to Work profile settings > Apps > Knox Manage > App permissions, and set Location to Allow all the time.
  • Android 12 and higher:
    • When the Knox Manage agent requests location access, the user must select Precise and While using this app.

Enroll as the Fully Managed type

Enroll Android devices in the Fully Managed type to control the whole area of the device. You must factory reset the device in advance. Select one of the following methods.

Method Supported version
Use a token (afw#KnoxManage) Android 12 and higher
Use Android Zero-touch enrollment Android 11 and higher
Use a QR code sent by email Android 11 and higher
Use Knox Mobile Enrollment

Android 8 to 10 (Android Legacy)

Android 8 and higher (Android Enterprise)

Enroll as the Fully Managed with a Work Profile type

Enroll the Android devices as the Fully Managed with a Work Profile type to control the separate work and personal areas. The enrollment methods are the same as those for the Fully Managed type, but this type can be enabled by selecting Fully Managed with a Work Profile option on Add/Modify User. For more information, see Register a single user account. This profile type is supported on devices running Android version 8 to 10.

In cases where a device is enrolling in the Fully Managed with a Work Profile mode over a Wi-Fi network with no cellular data connection, an issue may occur if that device’s profile has a Wi-Fi configuration policy. At the point where the device is creating a Work Profile area, it is temporarily disconnected from the Wi-Fi network to use the Wi-Fi network configured in the policy. This temporary disconnection causes the Work Profile creation to fail, and the device remains in Fully Managed mode. The device user must re-enroll the device to resolve the issue.

Method Supported version
Use a token (afw#KnoxManage) Android 6 and higher
Use a QR code sent by email Android 7 and higher
Use Knox Mobile Enrollment

Android 8 to 10 (Android Legacy)

Android 8 and higher (Android Enterprise)

Enroll as the company-owned with a Work Profile type

You can enroll Android 11 and higher devices with the company-owned with a Work Profile type with these methods.

Method Supported version
Use a token (afw#KnoxManage) Android 12 and higher
Use Android Zero-touch enrollment Android 11 and higher
Use a QR code sent by email Android 11 and higher
Use Knox Mobile Enrollment

Android 8 to 10 (Android Legacy)

Android 8 and higher (Android Enterprise)

Enroll as the Work Profile type

To enroll the Android device with a work profile, provide an installation guide to the users to install the Knox Manage agent on the devices. You can either send an installation guide to your users by email or SMS, or users can download the Knox Manage agent directly from their public app store.

When devices running Android 13 and higher are activated, the Knox Manage agent on the personal profiles of devices is automatically disabled and hidden on the screen. If required, device users can choose to manually uninstall the Knox Manage agent from their personal profiles by navigating to Setting > Apps > Knox Manage > Uninstall. To re-install and re-enroll the Knox Manage agent on the personal profile, enable Samsung Knox Manage in Google Play Store, or re-install it from Google Play Store.

Due to progressive privacy improvements in Android 13, after an Android 13 device is enrolled with a work profile, the Knox Manage agent requires permission from the device user to display notifications in the personal profile.

To enroll an Android device as the Work Profile type:

  1. On the device screen, tap the installation URL address sent to users by email or SMS to download and install the Knox Manage agent on the device.

    You can also search for the Knox Manage agent from the Google Play Store to download and install it on the AE device.

  2. On the device, launch the Knox Manage agent.

  3. On the Sign in with your Samsung Knox Manage Account screen, enter a user ID and password, and then tap Sign In to sign in to Knox Manage.

    For devices running Android 10 or higher, tap the enrollment notification on the status bar to install the Work Profile manually.

  4. On the Set up a work profile screen, read the Knox Manage privacy policy, and then tap Agree. The work apps with the briefcase badge icons — for apps managed by Knox Manage — show on the device.

Use a token

With this method, the device user enters the token (afw#KnoxManage) to enroll the Android device as Fully Managed, Fully Managed with a Work Profile, or company-owned with a Work Profile. The token replaces the need for user credentials, and also automatically installs and starts the Knox Manage agent.

To enroll an Android device with the afw#KnoxManage token:

  1. Turn on the factory-reset device, and on the device screen, tap Start.
  2. On the Connect to Wi-Fi screen, select an available Wi-Fi network, and then tap Next.
  3. On the Agree to Terms and Conditions screen, read the terms and conditions, and then tap the check box next to I have read and agree to all of the above. Then, tap Agree. The device checks for updates and the updated terms and conditions are applied.
  4. On the Sign in screen, for Email or phone enter afw#KnoxManage, and then tap Next.
  5. On the Android Enterprise screen, tap Install to download the Knox Manage agent on the device. The Knox Manage agent is downloaded and launched automatically.
  6. On the Set up your device screen of the Knox Manage agent, read the privacy policy of Knox Manage and Google, and then tap Accept & continue.
  7. On the How will you use this phone? screen, depending on how the device should be managed, choose either Fully managed device or Work profile on a company-owned device. The Knox Manage agent launches automatically.
  8. On the Sign in with your Samsung Knox Manage Account screen, enter a user ID and password, and then tap Sign In to sign in to Knox Manage. Depending on the profiles applied to the device, the device is enrolled as the Fully Managed or Fully Managed with a Work Profile type.

Use a QR code

Use a QR code sent by email to enroll a devices. For more information on sending a QR code, see Sending enrollment guides to users using email and SMS.

To enroll an Android device with a QR code:

  1. Turn on the factory-reset device, and tap the welcome screen 5 times to begin QR code enrollment. The QR Reader app is downloaded and the device camera launches to scan the QR code automatically.
  2. Scan the QR code sent by email. The Knox Manage URL and tenant information included in the QR code is detected.
  3. On the Connect to Wi-Fi screen, select an available Wi-Fi network, and then tap Next.
  4. On the Agree to Terms and Conditions screen, read the terms and conditions, and then tap the check box next to I have read and agree to all of the above. Then, tap Agree. The Knox Manage agent launches automatically.
  5. On the Sign in with your Samsung Knox Manage Account screen, enter a user ID and password, and then tap Sign In to sign in to Knox Manage. Depending on the profiles applied to the device, the device is enrolled as the Fully Managed or Fully Managed with a Work Profile type.

Configure Google account

After a device is enrolled, device users must configure a Google account on the device to be able to access Google services such as Managed Google Play. They can use their personal or enterprise email ID to configure the Google account on a device.

On fully managed devices and company-owned devices with a work profile that run Android 9 and higher, device users are shown a notification to set up the Google account. Their enterprise email ID is automatically populated on the Google sign in screen on the device. As email IDs are not case sensitive, any uppercase letters are automatically transformed to lowercase.

Even if com.google is blocklisted under the Account Modification > Account Blocklist policy in the Knox Manage console, device users are allowed to configure a Google account on the device.

Is this page helpful?