Menu

Use Samsung Knox Mobile Enrollment (KME)

Samsung Knox Mobile Enrollment (KME) allows you to quickly and easily enroll a large number of corporate-owned Samsung devices. The devices are automatically enrolled when users connect to the Internet. Even if you reset the devices enrolled by the KME program, the Knox Manage application is re-installed automatically and the devices are re-enrolled in to Knox Manage.

For devices running Android 11, KM now supports a new device provisioning method that lets the device user choose the device's mode, depending upon whether the device is for Work use only or work and personal use.

NOTE—KM still supports all the older provisioning methods that were available until the Android 10 release.

The KME program provides the following advantages:

  • Enroll a large number of devices in bulk without having to manually enroll each device.

  • Allow the KME devices to automatically install the Knox Manage application when the KME devices are reset.

NOTE—For more information about the KME program, refer to the KME Admin Guide.

Before using Knox Mobile Enrollment

To use Knox Mobile Enrollment (KME) properly, you must first do the following:

  • See the list of available countries at the Samsung Knox website and check if the KME program is available in your country.
  • Prepare a device from one of the following carriers or resellers to use the KME program:
    • A distributor approved by the KME program
    • A dealer sharing IMEI or serial numbers directly with the Samsung representative
  • Ensure the devices are Samsung Galaxy devices running Knox 2.4 or higher.
  • Sign up for a Samsung Knox Account to use for the single sign-on (SSO) account. When using KME from the KM admin console, you need to use your Samsung Account SSO credentials.
  • Ensure that your target devices are either connected to a charger and charging or have more than 50% of battery. You can only install KM on your target devices if there is adequate battery backup on your device.
  • Before enrolling devices using Android Enterprise’s Fully Managed Device, make sure the devices are running on Samsung Galaxy S8 and Android 5.0 (Lollipop) or higher. For more information about Android Enterprise, visit the Android website at https://www.android.com/enterprise/.

Logging in to the Knox Mobile Enrollment Portal

Before you can use Knox Mobile Enrollment (KME) from the KM admin console, you need to create a Samsung Knox Account. You need to use these login credentials to connect your KM and KME accounts.

To log in to the Knox Mobile Enrollment Portal from the KM admin portal, do as follows:

  1. In the KM admin console, on the left hand navigation menu go to Device Enrollment > Knox Mobile Enrollment. The Samsung Account SSO page opens.
  2. Click Go to Samsung Knox.
  3. Enter your Samsung Account single sign-on credentials and click Sign in. These credentials are the email id and password you used to create your Samsung Account.
  4. The KM admin console opens to show two new menu items—Device and Profile —visible under Knox Mobile Enrollment on the left hand navigation menu.

Creating MDM profiles

Before enrolling devices, you must create MDM profiles for Android Enterprise on the Knox Manage admin console. Any profiles created on this page are synced with the KME portal linked to your Samsung Account.

Knox Manage supports Android Enterprise device profiles only. These profiles allow users to enroll as a Device Owner or Profile Owner.

Creating Android Enterprise MDM profiles

To create MDM profiles for Android Enterprise profile types, do as follows:

  1. In the KM admin portal, on the left hand navigation menu, go to Knox Mobile Enrollment > Profile.
  2. On the Profile page that opens, in the upper-left corner, click Add.
  3. On the Add profile page that opens, enter the following basic information for the device owner profile.
    • Name—Enter an appropriate profile name to distinguish it from others with similar attributes.
    • Description—Enter a profile description to further differentiate this profile from others.
  4. Set the following device and user settings.
    • Allow Users to Change Their ID for enrollment—In cases where the IT admin sets up and uses a default username and ID for device enrollment, you can allow users to change their enrollment ID for ease of use.
    • Disable System Applications—In special cases, IT admins can use this option to disable default system applications on the target devices. The default value for this field is set to allow system applications.
  5. Provide the following company related information.
    • Company Name— Enter the MDM organization name displayed at the time of device enrollment.
  6. Enter a valid Legal Agreement document as follows:
    1. In the Legal Agreement area, click Add.
    2. Follow on-screen instructions to add your legal document and return to the Add Profile page.
  7. Click Save to create a supported profile configuration for Android Enterprise. The newly created profile is synced with your KME portal data.

Registering and enrolling devices using KME

KM admin console is integrated with KME, so when you sign in using your Samsung Account SSO your devices are automatically synced to KM. And if your devices meet the prerequisites set out in Before you begin, KM is installed on them.

Assigning profiles to devices and users

Once devices are enrolled in KM, you can assign KME profiles you created earlier to your devices.

Individual Assignment

You can assign profiles to devices in one of two ways:

Assign profiles using the Device menu

To assign MDM profiles and user credentials to a device individually, do as follows:

  1. In the KM admin portal, on the left hand navigation menu, go to Knox Mobile Enrollment > Device.
  2. On the Device page that opens, click the All devices tab.
  3. In the list of devices on this page, click the checkboxes to select the the devices to which you want to assign the MDM profiles, and then click Configure. The Configure devices page opens.
  4. On this page, do the following:
    1. In the KME profile list, select the appropriate profile you want to apply.
    2. Next to the User Credentials field, click Select to open a page showing a list of KM users. Select the appropriate user from this page.
    3. Click Save to assign the profile to your target device and return to the All devices page.
  5. The profile is now assigned to your target devices and is applied to the devices when they next connect to the Internet.

Assign profiles using the Profile menu

In addition to the previously described method to assign profiles to devices, KM allows you to assign profiles to devices from the KME profiles page.

To assign MDM profiles to a device from the Profile page, do as follows:

  1. In the KM admin portal, on the left hand navigation menu, go to Knox Mobile Enrollment > Profile.
  2. On the Profile page that opens, click the checkbox next to the Profile you want to assign to your devices, and then click Assign. The Assign devices page opens.
  3. In the list of devices on this page, click the checkboxes to select the devices to which you want to assign the MDM profile, and then click Save. The profile is now assigned to your target devices and is applied to the devices when they next connect to the Internet.
Unassigning profiles from devices

To unassign an MDM profile from a device, do as follows:

  1. In the KM admin portal, on the left hand navigation menu, go to Knox Mobile Enrollment > Profile.
  2. On the Profile page that opens, in the Profile Assigned column, click the number of devices assigned to this profile to open the Profile Details page for that profile.
  3. NOTE—If there are no devices assigned to this profile, this column shows 0 devices. In this case, the number of devices (zero) is not clickable.
  4. In the list of devices on this page, click the checkboxes to select the devices from which you want to remove the MDM profile, and then click Unassign.
  5. When prompted, click OK to confirm that you want to the profile from the target device. The profile is now unassigned from your target devices and is removed from the devices when they next connect to the Internet.

Unenrolling KME devices

To disable the use of KME devices, you must unenroll them from KM and then unenroll them from the KME section in the KM admin portal. For more information about how to unenroll devices from KM, see Unenrolling devices.

After you unenroll devices from KM, follow these steps to delete them from KME: 

  1. In the KM admin portal, on the left hand navigation menu, go to Knox Mobile Enrollment > Device.
  2. On the Devices page, click the ALL DEVICES tab.
  3. In the list of devices on this page, click the checkboxes next to the IMEI information to select the appropriate devices, click Delete. The selected devices are removed from KM.
Share it: