*BASICS*
The Knox Ecosystem
White Paper
- Introduction
  - The Samsung Knox Platform
  - Feature Summary
- Core Platform Security
- Network Security
  - Virtual Private Networks
  - Network Platform Analytics
- Certificate Management
- Device Management
- User Authentication
  - Biometric Authentication
- App and Data Protection
- Appendix
Samsung Knox Portal
Knox Cloud Services
- Sign in with SSO
General Knox Support
Knox Licenses
*FOR IT ADMINS*
Knox Admin Portal
- About
- Introduction
  - Select Knox services
- Release notes
Knox Suite
- Introduction
- How-to videos
- Get started
- Learn more about Knox Suite
- Enterprise Edition devices
- FAQs
- KBAs
Knox Platform for Enterprise
- Introduction
- How-to videos
- Before you begin
  - Before you begin
- Get started with UEMs
- Knox Service Plugin
- Release notes
- Migrate to Android 11
  - Device management modes
  - Prepare Knox for Android 11
- FAQs
- Troubleshoot
  - Get device logs
- KBAs
Knox Mobile Enrollment
- Introduction
- How-to videos
- Get started
- Features
- Release notes
- FAQs
- Troubleshoot
  - Get support
- KBAs
- On-Premise
Knox Configure
- Mobile
- Wearables
- Shared Device
- KBAs
Knox Capture
- Introduction
- How it works
- How-to videos
- IT admins: Get started
- End users: Get started
  - Getting started with Knox Capture
- Features
- Release notes
- FAQs
- Troubleshoot
Knox Asset Intelligence
- Introduction
- How-to videos
- Get started
- Set up reported device data
- Features
- Troubleshoot
  - Device-side errors
  - Portal-side errors
- Release notes
- FAQs
- KBAs
- Knox Finder
Knox Manage
- Introduction
- How-to videos
- Get started
- Configure
- Monitor
- Kiosk devices
- Remote Support
- Active Directory
- Microsoft Exchange
- Mobile Admin
- Appendix
- Release notes
- Features
- FAQs
- KBAs
Knox E-FOTA
- Introduction
- How-to videos
- Get started
- Features
- EMM integration
- Appendix
  - Install an app to devices through an EMM
  - EMM compatibility matrix
- Release notes
- FAQs
- KBAs
- Troubleshoot
- Knox E-FOTA On-Premises
- Legacy Knox E-FOTA products
  - Knox E-FOTA Advanced
  - Knox E-FOTA on MDM
Samsung Care+ for Business
- Introduction
- Get started
- Submit claim
- Features
- Release notes
- FAQs
*FOR RESELLERS*
Knox Deployment Program
- Introduction
- Get started
  - Get access to the Reseller Portal
  - Buy from a reseller
- Features
- Release notes
- FAQs
- KBAs
*FOR MANAGED SERVICE PROVIDERS*
Knox MSP Program
- Introduction
- How-to video
- Get started
  - Firewall exceptions
  - Before you begin
- Features
- Release notes
- FAQs
- Glossary

Enroll a single device

With Knox Manage, you can enroll devices manually or with a token, QR code, or Zero-touch.

Enrolling general devices (Android Legacy, iOS, and Windows)

For all supported systems, you can enroll a device by sending an installation guide instructing them on how to manually install the KM agent and log in to KM.

Before enrolling devices, admins must create a user account to register enrolled devices to it. For more information on creating user accounts, see Register a single user account.

To enroll a device in general:

Ask the device user to install the KM agent on the device:
- Send an Email_Agent Installation template to send a QR code by email template. The QR code links to the KM agent. For more information, see Send templates or user notifications to users using email.
- Send a URL or QR code by email or SMS. The URL or QR code is a link to the KM agent. For more information, see Send enrollment guides to users using email and SMS.
- Alternatively, the device user can directly find and install the KM agent on the device's app store.
The device user then launches the KM agent on the device.
On the login screen, the device user signs in to KM with a user ID and password. If the login succeeds, the assigned profiles, policies, and apps apply to the device.

NOTE — For Android Legacy with Knox Workspace devices running Android 10 or higher, tap the enrollment notification on the status bar to install the Knox Workspace manually.

In some cases, IT admins may need to enroll specific devices using a manual enrollment method known as Limited Enrollment. For more information on managing devices using the limited enrollment method, see Manage limited enrollment.

Enrolling Android Enterprise devices

KM supports the following Android Enterprise managed device types. Each manage type can be enrolled differently depending upon your organization's IT and security needs.

Fully Managed type — This type allows you to control the entire comopany-owned device using KM. To activate as a Fully Managed type, you must first factory reset the device.
Fully Managed with a Work Profile type — This type, a combination of the Fully Managed and Work Profile types, allows you to control company-owned devices. You can manage the device's personal area by sending device commands while controlling business apps and data within the separate Work Profile. Users can install and use personal apps on their device's personal area, and, in this case, KM cannot control apps installed in the personal area or their data.
Company-owned with a Work Profile type — This type, a combination of the Fully Managed and Work Profile types, allows you to control company-owned devices with enhanced privacy protection for the personal area. You can manage the device's personal area by sending device commands while controlling business apps and data within the separate Work Profile. KM cannot control or monitor apps and data in the personal area. This profile type is supported on devices running Android 11 or higher.
Work Profile type — This type allows you to control personal devices (BYOD). In this case, KM only manages the Work Profile—the work area separated from the personal area—on the device.

IMPORTANT — In order for KM to track the location of Android 11 and higher devices, the device user must grant the KM agent location access. This affects devices with the following deployment types:

Bring your own device (BYOD) with a Work Profile
Shared devices with a secondary account

You should inform users with these devices that after device enrollment and installation of the KM agent, they must allow the following access settings:

Android 11:
1. When the KM agent requests location access, the user must select While using this app.
2. Then, they must go to Work profile settings >Apps >Knox Manage >App permissions, and set Location to Allow all the time.
Android 12 and higher:
- When the KM agent requests location access, the user must select Precise and While using this app.

Enrolling as the Fully Managed type

Enroll Android devices in the Fully Managed type to control the whole area of the device. You must factory reset the device in advance. Select one of the following methods.

Method	Supported version
Use a token (afw#KnoxManage)	Android 6 and higher
Use a QR code sent by email	Android 7 and higher

Enrolling as the Fully Managed with a Work Profile type

Enroll the Android devices as the Fully Managed with a Work Profile type to control the separate work and personal areas. The enrollment methods are the same as those for the Fully Managed type, but this type can be enabled by selecting Fully Managed with a Work Profile option on Add/Modify User. For more information, see Register a single user account. This profile type is supported on devices running Android version 8 to 10.

NOTE — In cases where a device is enrolling in the Fully Managed with a Work Profile mode over a Wi-Fi network with no cellular data connection, an issue may occur if that device's profile has a Wi-Fi configuration policy. At the point where the device is creating a Work Profile area, it is temporarily disconnected from the Wi-Fi network to use the Wi-Fi network configured in the policy. This temporary disconnection causes the Work Profile creation to fail, and the device remains in Fully Managed mode. The device user must re-enroll the device to resolve the issue.

Method	Supported version
Use a token (afw#KnoxManage)	Android 6 and higher
Use a QR code sent by email	Android 7 and higher

Enrolling as the company-owned with a Work Profile type

You can enroll Android 11 and higher devices with the company-owned with a Work Profile type with these methods.

Method	Supported version
Use a token (afw#KnoxManage)	Android 12 and higher
Use Android Zero-touch enrollment	Android 11 and higher
Use a QR code sent by email	Android 11 and higher

Enrolling as the Work Profile type

To enroll the Android devices as the Work Profile type, provide an installation guide to the users to install the KM agent on the devices. You can either send an installation guide to your users by email or SMS, or users can download the KM agent directly from their public app store.

To enroll an Android device as the Work Profile type:

On the device screen, tap the installation URL address sent to users by email or SMS to download and install the KM agent on the device.
NOTE — You can also search for the KM agent from the Google Play Store to download and install it on the AE device.
On the device, launch the KM agent.
On the Sign in with your Samsung Knox Manage Account screen, enter a user ID and password, and then tap Sign In to sign in to KM.
NOTE — For devices running Android 10 or higher, tap the enrollment notification on the status bar to install the Work Profile manually.
On the Set up a work profile screen, read the Knox Manage privacy policy, and then tap Agree. The work apps with the briefcase badge icons—for apps managed by KM—show on the device.

Use a token

With this method, the device user enters the token (afw#KnoxManage) to enroll the Android device as Fully Managed, Fully Managed with a Work Profile, or company-owned with a Work Profile. The token replaces the need for user credentials, and also automatically installs and starts the KM agent.

To enroll an Android device with the afw#KnoxManage token:

Turn on the factory-reset device, and on the device screen, tap Start.
On the Connect to Wi-Fi screen, select an available Wi-Fi network, and then tap Next.
On the Agree to Terms and Conditions screen, read the terms and conditions, and then tap the check box next to I have read and agree to all of the above. Then, tap Agree. The device checks for updates and the updated terms and conditions are applied.
On the Sign in screen, for Email or phone enter afw#KnoxManage, and then tap Next.
On the Android Enterprise screen, tap Install to download the KM agent on the device. The KM agent is downloaded and launched automatically.
On the Set up your device screen of the KM agent, read the privacy policy of Knox Manage and Google, and then tap Accept & continue.
On the How will you use this phone? screen, depending on how the device should be managed, choose either Fully managed device or Work profile on a company-owned device. The KM agent launches automatically.
On the Sign in with your Samsung Knox Manage Account screen, enter a user ID and password, and then tap Sign In to sign in to KM. Depending on the profiles applied to the device, the device is enrolled as the Fully Managed or Fully Managed with a Work Profile type.

Use a QR code

Use a QR code sent by email to enroll a devices. For more information on sending a QR code, see Sending enrollment guides to users using email and SMS.

To enroll an Android device with a QR code:

Turn on the factory-reset device, and tap the welcome screen 5 times to begin QR code enrollment. The QR Reader app is downloaded and the device camera launches to scan the QR code automatically.
Scan the QR code sent by email. The KM URL and tenant information included in the QR code is detected.
On the Connect to Wi-Fi screen, select an available Wi-Fi network, and then tap Next.
On the Agree to Terms and Conditions screen, read the terms and conditions, and then tap the check box next to I have read and agree to all of the above. Then, tap Agree. The KM agent launches automatically.
On the Sign in with your Samsung Knox Manage Account screen, enter a user ID and password, and then tap Sign In to sign in to KM. Depending on the profiles applied to the device, the device is enrolled as the Fully Managed or Fully Managed with a Work Profile type.

Share it: