Back to top
Home / Knox Manage / Configure / Devices /

Unenroll devices

Last updated May 8th, 2024

You can unenroll the devices registered in the Knox Manage server. The methods for unenrollment differ depending on the device type.

To delete the work profile from Android Enterprise devices or delete Knox Manage from fully-managed devices, push the Unenroll device command to them.

When you unenroll Fully Managed or Fully Managed with Work Profile devices, the devices are factory reset. If the devices are running Android 7 to 8.1, any inserted microSD cards are also wiped.

To restart the device user’s session, send the Delete account command, and then ask the user to sign in again.

Unenroll connected devices

To unenroll devices that are connected to the server:

  1. Go to Device on the Knox Manage console.

  2. On the Device page, select the device you want to unenroll.

  3. Click Unenroll.

  4. (Optional) Select Unassign profiles and delete devices from KME to delete the device from Knox Mobile Enrollment (KME) as well.

  5. (Optional) Select Remove Work Profile only (The device will not be factory reset.) to remove installed Knox Manage agents and all management polices from the company-owned device. The work profile is deleted but all other data and settings are left as-is, and the device user can continue using the device.

  6. On the Unenroll screen, click OK to confirm. Alternatively, click Force Unenroll to unenroll the device both from the server and the Knox Manage agent on the device, and factory reset the device.

  • The Force Unenroll button is disabled if you select Remove Work Profile only (The device will not be factory reset.).
  • For information about unenrolling devices from Knox Mobile Enrollment, see Use Samsung Knox Mobile Enrollment (KME).

Unenroll disconnected devices

When a device is unable to communicate with the server, you can send an offline unenrollment code to the device. Then, the user can change the device’s status manually and unenroll the device.

To unenroll devices that are offline:

  1. Identify which device needs to be unenrolled. You might need to contact the device user directly. Instruct them to launch the Knox Manage agent and to go to Settings > Offline Unenrollment. Their User ID, Device Name, and IMEI/MEID are shown.

  2. Go to Device on the Knox Manage console.

  3. On the Device page, select the device.

  4. Click Unenroll.

  5. On the confirmation dialog, click Offline Unenrollment Code.

  6. Click Force Unenroll. A signal is sent to the device to unenroll it.

  7. Instruct the user to enter the offline unenrollment code (from step 5) in the Knox Manage agent’s Offline Unenrollment screen. The device unenrolls.

    You can also find the unenrollment code on the Deleted Devices page. To get the code, go to Device > Deleted Devices. In the dialog that opens, search for the appropriate device. You can find the unenrollment code in the list of results.

Consider the following when unenrolling disconnected devices:

  • You can also delete installed apps from a device as it unenrolls. You can delete all internal apps on Android devices and all apps on iPhones running iOS 11 or later. To configure this, go to Setting > Configuration > Basic Configuration > Device, and set Delete App upon Unenrollment to Yes.

  • On a connected device, the Force Unenroll command functions the same as the Unenroll command.

  • On a disconnected device, the Unenroll and Force Unenroll commands are executed the next time the device connects to the Knox Manage servers, and the device is unenrolled.

  • On a disconnected Windows device, if the device unenrollment is unsuccessful, check and disconnect from all enterprise account connections on the device by going to Start > settings Settings > Accounts > Access work or school.

Unenroll groups of devices

When you need to unenroll devices in bulk, you can send the unenrollment command to entire device groups at once. Keep in mind that device groups and user groups are fundamentally different types, so you can’t unenroll user groups in bulk, even if there are devices associated with them.

Accidental use or misuse of this action can have severe consequences on a large number of devices at once. As a precaution, you can only unenroll one group at a time, and the Knox Manage console asks you to confirm your submission twice.

To unenroll all the devices in a group:

  1. Go to Group.
  2. Select a device group.
  3. Make sure that you selected the right device group, then click Unenroll Device. A confirmation dialog opens.
  4. Read the on-screen warning, then select I have read the warnings and agree to proceed with the process.
  5. Click OK to gracefully unenroll the devices or Force Unenroll to push the action through. If you choose the latter option, the console asks you to confirm again.

Allow users to unenroll their devices

If a device is connected to a network and can establish communication with the server, then users can unenroll the devices by uninstalling the agent.

To allow the user to uninstall the agent, complete the following steps:

  1. Go to Setting > Configuration > Knox Manage Agent Policy.
  2. On the Knox Manage Agent Policy page, click the Default tab. You can also add more agent policy sets by clicking add.
  3. Set the Allow Unenroll Request policy to Allow.
  4. Click Save & Apply.

On this page

Is this page helpful?