Unenroll devices

You can unenroll the devices registered in the Knox Manage server. The methods for unenrollment differ depending on the device type.

To delete the work profile from Android Enterprise devices or delete Knox Manage from fully-managed devices, push the Unenroll device command to them.

CAUTION — When you unenroll a fully managed device running Android 7 through 8, it factory resets and also erases any removable storage, such as a microSD card.

To restart the device user's session, send the Delete account command, and then ask the user to sign in again.

Unenroll connected devices

To unenroll devices that are connected to the server:

  1. Navigate to Device.
  2. On the Device page, click a check box for a device you want to unenroll.
  3. Click Unenroll.
  4. On the Unenroll Device screen, click OK.

Unenroll disconnected devices

When a device is unable to communicate with the server, you can send an offline unenrollment code to the device. Then, the user can change the device's status manually and unenroll the device.

To unenroll devices that are offline:

  1. Identify which device needs to be unenrolled. You might need to contact the device user directly. Instruct them to launch the Knox Manage agent and to go to Settings > Offline Unenrollment. Their User ID, Device Name, and IMEI/MEID are shown.
  2. Navigate to Device.
  3. On the Device page, select the device.
  4. Click Unenroll.
  5. On the confirmation dialog, click Offline Unenrollment Code.
  6. Click Force Unenroll. A signal is sent to the device to unenroll it.
  7. Instruct the user to enter the offline unenrollment code (from step 5) in the Knox Manage agent's Offline Unenrollment screen. The device unenrolls.

    TIP — You can also find the unenrollment code on the Deleted Devices page. To get the code, go to Device then click Deleted Devices above the device list. In the dialog that opens, search for the appropriate device. You can find the unenrollment code in the list of results.
TIP — As needed, you have the option of further deleting apps installed to the device as it unenrolls. You can do this for all internal apps on Android devices and all apps on iPhones running iOS 11 or later. To configure this behavior, go to Setting > Configuration > Basic Configuration > Device, and then set Delete App upon Unenrollment to Yes.

Unenroll groups of devices

When you need to unenroll devices in bulk, you can send the unenrollment command to entire device groups at once. Keep in mind that device groups and user groups are fundamentally different types, so you can't unenroll user groups in bulk, even if there are devices associated with them.

CAUTION — Accidental use or misuse of this action can have severe consequences on a large number of devices at once. As a precaution, you can only unenroll one group at a time, and the Knox Manage console asks you to confirm your submission twice.

To unenroll all the devices in a group:

  1. Go to Group.
  2. Select a device group.
  3. Make sure that you selected the right device group, then click Unenroll Device. A confirmation dialog opens.
  4. Read the on-screen warning, then select I have read the warnings and agree to proceed with the process.
  5. Click OK to gracefully unenroll the devices or Force Unenroll to push the action through. If you choose the latter option, the console asks you to confirm again.

Allow users to unenroll their devices

If a device is connected to a network and can establish communication with the server, then users can unenroll the devices by uninstalling the agent.

To allow the user to uninstall the agent, complete the following steps:

  1. Go to Setting > Knox Manage Agent Policy.
  2. On the Knox Manage Agent Policy page, click the Default tab. You can also add more agent policy sets by clicking add.
  3. Set the Allow Unenroll Request policy to Allow.
  4. Click Save & Apply.