*BASICS*
The Knox Ecosystem
White Paper
- Introduction
  - The Samsung Knox Platform
  - Feature Summary
- Core Platform Security
- Network Security
  - Virtual Private Networks
  - Network Platform Analytics
- Certificate Management
- Device Management
- User Authentication
  - Biometric Authentication
- App and Data Protection
- Appendix
Samsung Knox Portal
Knox Cloud Services
- Sign in with Azure AD
General Knox Support
Knox Licenses
*FOR IT ADMINS*
Knox Suite
- Introduction
- How-to videos
- Get started
- Learn more about Knox Suite
- Enterprise Edition devices
- FAQs
- KBAs
Knox Platform for Enterprise
- Introduction
- Before you begin
  - Before you begin
- Get started with UEMs
- Knox Service Plugin
- Release notes
- Migrate to Android 11
  - Device management modes
  - Prepare Knox for Android 11
- FAQs
- Troubleshoot
  - Get device logs
- KBAs
Knox Mobile Enrollment
- Introduction
- How-to videos
- Get started
- Features
- Release notes
- FAQs
- Troubleshoot
  - Get support
- KBAs
- On-Premise
Knox Configure
- Mobile
- Wearables
- Shared Device
- KBAs
Knox Capture
- Introduction
- How it works
- How-to videos
- IT admins: Get started
- End users: Get started
  - Getting started with Knox Capture
- Features
- Release notes
- FAQs
- Troubleshoot
Knox Asset Intelligence
- Introduction
- How-to videos
- Get started
- Set up reported device data
- Features
- Troubleshoot
  - Device-side errors
  - Portal-side errors
- Release notes
- FAQs
- KBAs
Knox Manage
- Introduction
- How-to videos
- Get started
- Configure
- Monitor
- Kiosk devices
- Remote Support
- Active Directory
- Microsoft Exchange
- Mobile Admin
- Appendix
- Release notes
- FAQs
- KBAs
Knox E-FOTA
- Introduction
- How-to videos
- Get started
- Features
- EMM integration
- Appendix
  - Install an app to devices through an EMM
  - EMM compatibility matrix
- Release notes
- FAQs
- KBAs
- Troubleshoot
- Legacy Knox E-FOTA products
  - Knox E-FOTA Advanced
  - Knox E-FOTA on MDM
Samsung Care+ for Business
- Introduction
- Get started
- Submit claim
- Features
- Release notes
- FAQs
*FOR RESELLERS*
Knox Deployment Program
- Introduction
- Get started
  - Get access to the Reseller Portal
  - Buy from a reseller
- Features
- Release notes
- FAQs
- KBAs
*FOR MANAGED SERVICE PROVIDERS*
Knox MSP Program
- Introduction
- How-to video
- Get started
- Features
- Release notes
- FAQs
- Glossary

Enroll a single device

Send a Knox Manage application installation guide to users using email or SMS through the Knox Manage admin portal. Also, users can directly download the Knox Manage application and enroll their devices. For Android Enterprise (AE) devices, you can use a token, QR code, or zero-touch to enroll the devices.

Enrolling general devices (Android Legacy, iOS, and Windows)

Send a Knox Manage application installation guide to users using email or SMS through the Knox Manage admin portal. Also, users can directly download Knox Manage application from their public application stores.

NOTE—Before enrolling devices, admins must create a user account to register enrolled devices to it. For more information on creating user accounts, see Register a single user account.

Select one of the following methods to send the Knox Manage application installation guide to users.
- Sending the Email_Agent Installation template to send QR code by email, allowing users to install the Knox Manage application on their devices. For more information, see Send templates or user notifications to users using email.
- Sending the installation URL address or QR code by email or SMS. For more information, see Send enrollment guides to users using email and SMS.
Also, users can directly search for the Knox Manage agent application from their public app store and download it.
Install Knox Manage application by clicking the URL address or scanning the QR code depending on the request methods, and then launch the Knox Manage application on the device.
On the log in screen, enter a user ID and password to sign in to Knox Manage. If you log in to Knox Manage successfully, your selected profiles, policies, and applications are applied to the target device.

NOTE—For Android Legacy with Knox Workspace devices running Android 10 (Q) or higher, tap the enrollment notification on the status bar to install the Knox Workspace manually.

In some cases, IT admins may need to enroll specific devices using a manual enrollment method known as Limited Enrollment. For more information on managing devices using the limited enrollment method, see Manage limited enrollment.

Enrolling Android Enterprise (AE) devices

Knox Manage supports the following Android Enterprise (AE) manage types. Each manage type can be enrolled differently depending upon your organization's IT and security needs.

Fully Managed type—This type allows you to control the entire corporate-owned device using Knox Manage. To activate as a Fully Managed type, you must first factory reset the device.
Fully Managed with Work Profile type—This type, a combination of the Fully Managed and Work Profile types, allows you to control corporate owned devices. You can manage the device’s personal area by sending device commands while controlling business applications and data within the separate Work Profile. Users can install and use personal applications on their device’s personal area, and, in this case, Knox Manage cannot control applications installed in the personal area or their data.
Work Profile on Company-owned type—This type, a combination of the Fully Managed and Work Profile types, allows you to control corporate owned devices with more enhanced privacy protection contrary to Fully Managed with Work Profile type. You can manage the device’s personal area by sending device commands while controlling business applications and data within the separate Work Profile. Users can install and use personal applications on their device’s personal area, and, in this case, Knox Manage cannot control applications installed in the personal area or their data. This profile type is supported on devices running Android 11 or higher.
Work Profile type—This type allows you to control personal devices (BYOD). In this case, Knox Manage only manages the Work Profile—which is the work area separated from the personal area—on the device.

Enrolling as the Fully Managed type

Enroll Android Enterprise (AE) devices in the Fully Managed type to control the whole area of the device. You must factory reset the device in advance. Select one of the following methods.

Method

Supported version

Use a token (afw#KnoxManage).

For more information, see Use a token.

Android 6.0 (Marshmallow) or later

Use a QR code sent by Email.

For more information see Use a QR code.

Android 7.0 (Nougat) or later

Use a token

Enter the token (afw#KnoxManage) to enroll the Android Enterprise (AE) devices in the Fully Managed or Fully Manage with Work Profile type. If the token is applied successfully, the Knox Manage app is automatically installed on the device.

To enroll using a token, complete the following steps:

Turn on the factory reset device, and then on the device screen, tap START.
On the “Connect to Wi-Fi” screen, select an available Wi-Fi network, and then tap NEXT.
On the Agree to Terms and Conditions screen, read the terms and conditions, and then tap the check box next to I have read and agree to all of the above. Then, tap Agree. The device checks for updates and the updated terms and conditions are applied.
On the “Sign in” screen, enter “afw#KnoxManage” in the Email or phone field, and then tap Next.
On the Android Enterprise screen, tap Install to download the Knox Manage application on the device. The Knox Manage application is downloaded and launched automatically.
On the Set up your device screen of the Knox Manage agent, read the privacy policy of Knox Manage and Google, and then tap Accept & continue. The Knox Manage application launches automatically.
On the Sign in with your Samsung Knox Manage Account screen, enter a user ID and password, and then tap SIGN IN to sign in to Knox Manage. Depending on the profiles applied to the device, the device is enrolled as the Fully Managed or Fully Managed with Work Profile type.

Use a QR code

Use a QR code sent by email to enroll the devices as the Fully Managed or Fully Managed with Work Profile type. For more information on sending a QR code, see Sending enrollment guides to users using email and SMS.

To enroll using a QR code, complete the following steps:

Turn on the factory reset device, and then, on the welcome screen, tap the screen 5 times to launch QR code enrollment. The QR Reader app is downloaded and the device camera launches to scan the QR code automatically.
Scan the QR code sent by email. The Knox Manage URL and tenant information included in the QR code is detected.
On the Connect to Wi-Fi screen, select an available Wi-Fi network, and then tap NEXT.
On the Agree to Terms and Conditions screen, read the terms and conditions, and then tap the check box next to I have read and agree to all of the above. Then, tap Agree. The Knox Manage application launches automatically.
On the Sign in with your Samsung Knox Manage Account screen, enter a user ID and password, and then tap SIGN IN to sign in to Knox Manage. Depending on the profiles applied to the device, the device is enrolled as the Fully Managed or Fully Managed with Work Profile type.

Enrolling as the Fully Managed with Work Profile type

NOTE—In cases where a device is enrolling in the Fully Managed with Work Profile mode over a Wi-Fi network with no cellular data connection, an issue may occur if that device's profile has a Wi-Fi configuration policy. At the point where the device is creating a Work Profile area, it is temporarily disconnected from the Wi-Fi network to use the Wi-Fi network configured in the policy. This temporary disconnection causes the Work Profile creation to fail, and the device remains in Fully Managed mode. The device user must re-enroll the device to resolve the issue.

Enroll the Android Enterprise (AE) devices as the Fully Managed with Work Profile type to control the separate work and personal areas. The enrollment methods are the same as those for the Fully Managed type, but this type can be enabled by selecting Fully Managed with Work Profile option on Add/Modify User. For more information, see Register a single user account. This profile type is supported on devices running Android version 8 to 10.

NOTE—Items to consider:

For devices running Android 10 (Q) or higher, tap the enrollment notification on the status bar to install the Work Profile manually.
KSP policies are not applicable to the Fully Managed with Work Profile type. For devices that are enrolled as the Fully Managed type with KSP policies applied, these policies can remain even after the device type changes to the Fully Managed with Work Profile type. We recommend you remove these devices manually.

Method	Supported version
Use a token (afw#KnoxManage). For more information, see Use a token.	Android 6.0 (Marshmallow) or higher
Use a QR code sent by Email. For more information see Use a QR code.	Android 7.0 (Nougat) or higher

Enrolling as the Work Profile on company-owned type

Enroll the Android Enterprise (AE) devices as the Work Profile on company-owned type to control the separate work and personal areas supported from Android 11. This type is similar to the Fully Managed with Work Profile type but, is enhanced in aspect of privacy protection on personal area. Supported on devices running Android 11 or higher.

NOTE—Starting with Android 11, location permission for the Knox Manage app requires device users to select Allow all the time directly from the Device Settings not from the prompt on the enrollment step.

Method	Supported version
Use Android zero-touch enrollment. For more information see Use Android zero-touch enrollment (Android devices only)	Android 11 or higher
Use a QR code sent by Email. For more information see Use a QR code.	Android 11 or higher

Enrolling as the Work Profile type

To enroll the Android Enterprise (AE) devices as the Work Profile type, provide an installation guide to the users to install the Knox Manage application on the devices. You can either send an installation guide to your users by email or SMS, or users can download the Knox Manage application directly from their public app store.

To enroll AE devices as Work Profile devices, complete the following steps:

On the device screen, tap the installation URL address sent to users by email or SMS to download and install the Knox Manage application on the device.
NOTE—You can also search for the Knox Manage application from the Google Play Store to download and install it on the AE device.
On the device, launch the Knox Manage application.
On the Sign in with your Samsung Knox Manage Account screen, enter a user ID and password, and then tap SIGN IN to sign in to Knox Manage.
NOTE—For devices running Android 10 (Q) or higher, tap the enrollment notification on the status bar to install the Work Profile manually.
On the Set up a work profile screen, read the Knox Manage privacy policy, and then tap Agree. The work applications with the briefcase badge icons—for applications managed by Knox Manage—show on the device.

Share it: