- *BASICS*
- The Knox Ecosystem
- White Paper
- Samsung Knox Portal
- Knox Cloud Services
- General Knox Support
- Knox Licenses
- *FOR IT ADMINS*
- Knox Admin Portal
- Knox Suite
- Knox Platform for Enterprise
- Introduction
- How-to videos
- Before you begin
- Get started with UEMs
- Introduction
- Blackberry UEM
- Citrix Endpoint Management
- FAMOC
- IBM MaaS360
- Microsoft Intune
- MobileIron Cloud
- MobileIron Core
- Samsung Knox Manage
- SOTI MobiControl
- VMware Workspace ONE UEM
- Knox Service Plugin
- Release notes
- Migrate to Android 11
- FAQs
- Troubleshoot
- KBAs
- Knox Mobile Enrollment
- Introduction
- How-to videos
- Get started
- Features
- Register resellers
- Add an admin
- Create profiles
- Google device owner support
- MDM compatibility matrices
- Device users
- Activity log
- Enroll and unenroll devices
- Configure devices
- Provide KME feedback
- Use the Knox Deployment App (KDA)
- Recover Google FRP locked devices using KME
- Role-based access control (RBAC)
- Release notes
- FAQs
- Troubleshoot
- KBAs
- On-Premise
- Knox Configure
- Mobile
- Wearables
- Shared Device
- KBAs
- Knox Capture
- Introduction
- How it works
- How-to videos
- IT admins: Get started
- Getting started with Knox Capture
- Step 1: Launch Knox Capture
- Step 2: Create a scanning profile
- Step 3: Select apps and activities
- Step 4: Configure the scanner
- Step 5: Set keystroke output rules
- Step 6: Test apps in your configuration
- Step 7: Share your configuration
- Step 8: Deploy Knox Capture in Managed mode
- End users: Get started
- Features
- Release notes
- FAQs
- Troubleshoot
- Knox Asset Intelligence
- Knox Manage
- Introduction
- How-to videos
- Get started
- Video: Getting started with Knox Manage
- Integration with Managed Service Provider
- Access Knox Manage
- Configure basic environments
- Create user accounts
- Create groups
- Create organization
- Set up devices and profiles
- Set up Knox Manage deployment with a Knox Suite license
- Manage Chromebooks
- Manage Android devices with the Android Management API
- Manage Shared iPads
- Configure
- Licenses
- Organization
- Users
- Sync user information
- Groups
- Devices
- Content
- Applications
- View applications
- Add applications
- Introduction
- Add internal Android and iOS applications
- Add internal Windows applications
- Add public applications using Google Play Store
- Add public applications using iOS App Store
- Add public applications using Managed Google Play Private
- Add public applications using Managed Google Play Store Private Web
- Add public applications using Microsoft Store
- Add Chrome OS applications
- Assign applications
- Introduction
- Assign internal Android and iOS apps
- Assign iOS App Store applications
- Assign Google Play applications
- Assign Managed Google Play applications
- Assign Managed Google Play Private applications
- Assigned Managed Google Play public web apps
- Assign Windows applications
- Assign Chrome OS applications
- Manage applications
- Volume Purchase Program for iOS
- Profile
- Knox E-FOTA
- Certificates
- Advanced settings
- Monitor
- Kiosk devices
- Knox Remote Support
- Active Directory
- Microsoft Exchange
- Mobile Admin
- Appendix
- Release notes
- Features
- FAQs
- KBAs
- Knox E-FOTA
- Introduction
- How-to videos
- Get started
- Features
- EMM integration
- Appendix
- Release notes
- FAQs
- KBAs
- Troubleshoot
- Knox E-FOTA On-Premises
- Legacy Knox E-FOTA products
- Knox Guard
- Introduction
- How-to video
- Get started
- Using Knox Guard
- Dashboard
- Manage devices
- Introduction
- Accept or reject devices
- Upload devices
- Delete devices
- Complete payment
- Send payment overdue notification
- Enable or disable SIM control
- Download devices as CSV
- View device log
- View device deletion log
- Start and stop blinking reminder
- Lock and unlock devices
- Update lock message
- Send relock timestamp
- Turn on/off relock reminder
- Manage policies
- Manage licenses
- Manage resellers
- Manage admins and roles
- Activity log
- Knox Deployment App
- Release notes
- FAQs
- KBAs
- Support
- Samsung Care+ for Business
- *FOR RESELLERS*
- Knox Deployment Program
- *FOR MANAGED SERVICE PROVIDERS*
- Knox MSP Program
With Knox Manage, you can enroll devices manually or with a token, QR code, or Zero-touch.
Enrolling general devices (Android Legacy, iOS, and Windows)
For all supported systems, you can enroll a device by sending an installation guide instructing them on how to manually install the KM agent and log in to KM.
Before enrolling devices, admins must create a user account to register enrolled devices to it. For more information on creating user accounts, see Register a single user account.
To enroll a device in general:
- Ask the device user to install the KM agent on the device:
- Send an Email_Agent Installation template to send a QR code by email template. The QR code links to the KM agent. For more information, see Send templates or user notifications to users using email.
- Send a URL or QR code by email or SMS. The URL or QR code is a link to the KM agent. For more information, see Send enrollment guides to users using email and SMS.
- Alternatively, the device user can directly find and install the KM agent on the device's app store.
- The device user then launches the KM agent on the device.
- On the login screen, the device user signs in to KM with a user ID and password. If the login succeeds, the assigned profiles, policies, and apps apply to the device.
In some cases, IT admins may need to enroll specific devices using a manual enrollment method known as Limited Enrollment. For more information on managing devices using the limited enrollment method, see Manage limited enrollment.
Enroll Android Enterprise devices
KM supports the following Android Enterprise managed device types. Each manage type can be enrolled differently depending upon your organization's IT and security needs.
- Fully Managed type — This type allows you to control the entire comopany-owned device using KM. To activate as a Fully Managed type, you must first factory reset the device.
- Fully Managed with a Work Profile type — This type, a combination of the Fully Managed and Work Profile types, allows you to control company-owned devices. You can manage the device's personal area by sending device commands while controlling business apps and data within the separate Work Profile. Users can install and use personal apps on their device's personal area, and, in this case, KM cannot control apps installed in the personal area or their data.
- Company-owned with a Work Profile type — This type, a combination of the Fully Managed and Work Profile types, allows you to control company-owned devices with enhanced privacy protection for the personal area. You can manage the device's personal area by sending device commands while controlling business apps and data within the separate Work Profile. KM cannot control or monitor apps and data in the personal area. This profile type is supported on devices running Android 11 or higher.
- Work Profile type — This type allows you to control personal devices (BYOD). In this case, KM only manages the Work Profile—the work area separated from the personal area—on the device.
IMPORTANT — In order for KM to track the location of Android 11 and higher devices, the device user must grant the KM agent location access. This affects devices with the following deployment types:
- Bring your own device (BYOD) with a Work Profile
- Shared devices with a secondary account
You should inform users with these devices that after device enrollment and installation of the KM agent, they must allow the following access settings:
- Android 11:
- When the KM agent requests location access, the user must select While using this app.
- Then, they must go to Work profile settings >Apps >Knox Manage >App permissions, and set Location to Allow all the time.
- Android 12 and higher:
- When the KM agent requests location access, the user must select Precise and While using this app.
Enroll as the Fully Managed type
Enroll Android devices in the Fully Managed type to control the whole area of the device. You must factory reset the device in advance. Select one of the following methods.
| Method | Supported version |
|---|---|
| Use a token (afw#KnoxManage) | Android 6 and higher |
| Use a QR code sent by email | Android 7 and higher |
Enroll as the Fully Managed with a Work Profile type
Enroll the Android devices as the Fully Managed with a Work Profile type to control the separate work and personal areas. The enrollment methods are the same as those for the Fully Managed type, but this type can be enabled by selecting Fully Managed with a Work Profile option on Add/Modify User. For more information, see Register a single user account. This profile type is supported on devices running Android version 8 to 10.
| Method | Supported version |
|---|---|
| Use a token (afw#KnoxManage) | Android 6 and higher |
| Use a QR code sent by email | Android 7 and higher |
Enroll as the company-owned with a Work Profile type
You can enroll Android 11 and higher devices with the company-owned with a Work Profile type with these methods.
| Method | Supported version |
|---|---|
| Use a token (afw#KnoxManage) | Android 12 and higher |
| Use Android Zero-touch enrollment | Android 11 and higher |
| Use a QR code sent by email | Android 11 and higher |
Enroll as the Work Profile type
To enroll the Android devices as the Work Profile type, provide an installation guide to the users to install the KM agent on the devices. You can either send an installation guide to your users by email or SMS, or users can download the KM agent directly from their public app store.
To enroll an Android device as the Work Profile type:
- On the device screen, tap the installation URL address sent to users by email or SMS to download and install the KM agent on the device.
NOTE — You can also search for the KM agent from the Google Play Store to download and install it on the AE device.
- On the device, launch the KM agent.
- On the Sign in with your Samsung Knox Manage Account screen, enter a user ID and password, and then tap Sign In to sign in to KM.
NOTE — For devices running Android 10 or higher, tap the enrollment notification on the status bar to install the Work Profile manually.
- On the Set up a work profile screen, read the Knox Manage privacy policy, and then tap Agree. The work apps with the briefcase badge icons—for apps managed by KM—show on the device.
Use a token
With this method, the device user enters the token (afw#KnoxManage) to enroll the Android device as Fully Managed, Fully Managed with a Work Profile, or company-owned with a Work Profile. The token replaces the need for user credentials, and also automatically installs and starts the KM agent.
To enroll an Android device with the afw#KnoxManage token:
- Turn on the factory-reset device, and on the device screen, tap Start.
- On the Connect to Wi-Fi screen, select an available Wi-Fi network, and then tap Next.
- On the Agree to Terms and Conditions screen, read the terms and conditions, and then tap the check box next to I have read and agree to all of the above. Then, tap Agree. The device checks for updates and the updated terms and conditions are applied.
- On the Sign in screen, for Email or phone enter afw#KnoxManage, and then tap Next.
- On the Android Enterprise screen, tap Install to download the KM agent on the device. The KM agent is downloaded and launched automatically.
- On the Set up your device screen of the KM agent, read the privacy policy of Knox Manage and Google, and then tap Accept & continue.
- On the How will you use this phone? screen, depending on how the device should be managed, choose either Fully managed device or Work profile on a company-owned device. The KM agent launches automatically.
- On the Sign in with your Samsung Knox Manage Account screen, enter a user ID and password, and then tap Sign In to sign in to KM. Depending on the profiles applied to the device, the device is enrolled as the Fully Managed or Fully Managed with a Work Profile type.
Use a QR code
Use a QR code sent by email to enroll a devices. For more information on sending a QR code, see Sending enrollment guides to users using email and SMS.
To enroll an Android device with a QR code:
- Turn on the factory-reset device, and tap the welcome screen 5 times to begin QR code enrollment. The QR Reader app is downloaded and the device camera launches to scan the QR code automatically.
- Scan the QR code sent by email. The KM URL and tenant information included in the QR code is detected.
- On the Connect to Wi-Fi screen, select an available Wi-Fi network, and then tap Next.
- On the Agree to Terms and Conditions screen, read the terms and conditions, and then tap the check box next to I have read and agree to all of the above. Then, tap Agree. The KM agent launches automatically.
- On the Sign in with your Samsung Knox Manage Account screen, enter a user ID and password, and then tap Sign In to sign in to KM. Depending on the profiles applied to the device, the device is enrolled as the Fully Managed or Fully Managed with a Work Profile type.
