Menu

Use Samsung Knox Mobile Enrollment (KME)

Samsung Knox Mobile Enrollment (KME) allows you to quickly and easily enroll a large number of corporate-owned Samsung devices. The devices are automatically enrolled when users connect to the internet and log in to Knox Manage. Even if you reset the devices enrolled by the KME program, the Knox Manage application is re-installed automatically and the devices are re-enrolled in to Knox Manage.

The KME program provides the following advantages:

  • Enroll a large number of devices in bulk without having to manually enroll each device.

  • Allow the KME devices to automatically install the Knox Manage application when the KME devices are reset.

To enroll devices using the KME program, the following procedures must be performed:

NOTE— For more information about the KME program, refer to the KME Admin Guide.

Before using Knox Mobile Enrollment

To use Knox Mobile Enrollment (KME) properly, the followings must be prepared:

  • See the list of available countries at the Samsung Knox website and check if the KME program is available in your country.
  • Prepare a device from the following carrier or reseller to use the KME program:
    • A distributor approved by the KME program

    • A dealer sharing IMEI or serial numbers directly with the Samsung representative

  • Make sure the devices are Samsung Galaxy devices with Knox 2.4 or higher.

  • Sign up for an account in the Samsung Knox Web Portal.

  • To install Knox Manage, devices must have more than 50% of their battery charged.

  • Before enrolling devices using Android Enterprise’s Fully Managed Device, make sure the devices are running on Samsung Galaxy S8 and Android 5.0 (Lollipop) or above. For more information about Android Enterprise, visit the Android website at https://www.android.com/enterprise/.

Logging in to the Knox Mobile Enrollment Portal

To use Knox Mobile Enrollment (KME), you should log in to the Knox Mobile Enrollment Portal.

To log in to the Knox Mobile Enrollment Portal, complete the following steps:

  1. Visit the Knox Portal at https://www.samsungknox.com, and click Sign in in the upper right-corner of the screen.
  2. Enter a Samsung account ID and password, and then click SIGN IN.
  3. If your dashboard does not appear, click Dashboard on the upper-right corner of the page.
  4. In the Knox Mobile Enrollment card, click TRY FOR FREE.
  5. Follow the prompts and submit your application. If your application is approved, you will receive a welcome email with instructions on using Knox Mobile Enrollment (KME).
  6. In your dashboard, in the Knox Mobile Enrollment card, click LAUNCH.

Creating MDM profiles

Before enrolling devices, create MDM profiles for Android (Legacy) and Android Enterprise through the Knox Mobile Enrollment Portal.

Knox Manage supports two types of KME enrollments for MDM profiles: Android (Legacy) and Android Enterprise:

Profile type Targeted device Description
Device Admin Android Legacy Create this profile for the legacy method of managing devices.
Device Owner Android Enterprise Create this profile for fully managed or dedicated devices.

Creating MDM profiles for Android Legacy devices

To create MDM profiles for the Device Admin profile type, complete the following steps:

  1. On the Knox Mobile Enrollment Portal, navigate to MDM Profiles.

  2. In the upper-right corner of the “MDM Profiles” page, click CREATE PROFILE.

  3. On the “Select profile type” page, click DEVICE ADMIN.

  4. On the “Device Admin profile details” page, enter the following basic information
    • Profile Name: Enter an appropriate profile name to distinguish it from others with similar attributes. Special characters are not permitted.

    • Description: Enter a profile description (200 characters maximum) to further differentiate this profile from others.

    • MDM Server URI: Enter the Knox Manage server for the relevant regions as stated in the following table:

      RegionDomain
      Asia https://ap01.manage.samsungknox.com
      UShttps://us01.manage.samsungknox.com
      EUhttps://eu01.manage.samsungknox.com

      Depending on the tenant, you may have to change the domain URI. Refer to your prefix server address of the Knox Manage Admin Portal, and then enter that value in the MDM Server URI. For example, if your server address is https://ap02.manage.samsungknox.com/emm/admin/login.do, your MDM Server URI should be https://ap02.manage.samsungknox.com.

      NOTE— Once you have created an MDM profile, you cannot change the MDM server URI.

    • Server URI is not required for my MDM: Select this option if you either do not need to point to the MDM’s enterprise installation or are unable due to connection restraints.

  5. Click CONTINUE.

  6. On the “Device Admin profile settings” page, set the following MDM configuration settings.

  7. Set the following device settings.

    • Enrollment settings: Select the additional enrollment setting options.

      NOTE— The Skip Setup Wizard option performs independently from the Allow end user to cancel enrollment, and both options can be enabled at the same time.

      • Skip Setup Wizard: Skips the setup wizard screen and allows you to start the enrollment process much faster.

        NOTE— This option is not currently available on all AT&T devices.

      • Allow the end user to cancel enrollment: Permits end-users to cancel enrollment on their devices.

    • Privacy Policy, EULAs and Terms of Service: Click Samsung Knox Privacy Policy to view the specific privacy policy text displayed to device users based on their geographic region.

    • ADD LEGAL AGREEMENT: Enter the agreement title and agreement text.

    • Support contact details: View the support contact details.

    • EDIT: Update the company name, company address, support phone number, and support email address displayed on the devices after successful enrollment. If required, click Save as default support contact details to use this same information as the default contact information.

      NOTE— If the device owner (DO) support is enabled for the profile, then only the client name is editable, and the remaining fields are inactive.

    • Associate a Knox license with this profile: Pass the Knox license key directly to the intended device for easier Knox profile configuration.

  8. Click CREATE to create the device admin supported profile configuration for Android (Legacy). To view the created MDM profile, navigate to MDM Profiles on the Knox Mobile Enrollment Portal.

Creating MDM profiles for Android Enterprise devices

To create MDM profiles for the Device Owner profile type, complete the following steps:

  1. On the Knox Mobile Enrollment Portal, navigate to MDM Profiles.

  2. In the upper-right corner of the “MDM Profiles” page, click CREATE PROFILE.

  3. On the “Select profile type” page, click DEVICE OWNER.

  4. On the “Device Owner profile details” page, enter the following basic information for the device owner profile.

    • Profile Name: Enter an appropriate profile name to distinguish it from others with similar attributes. Special characters are not permitted.

    • Description: Enter a profile description (200 characters maximum) to further differentiate this profile from others.

  5. Enter the following MDM information for the device owner profile.

  6. Click CONTINUE.

  7. On the “Device Owner profile settings” page, set the following MDM configuration settings.

    • Custom JSON Data (as defined by MDM): Enter the tenant information including the TenantId and TenantType in Javascript object notation (JSON) format, as in

      {"TenantId":" YOUR_TENANT","TenantType":"M","AllowModifyUserId":"Disallow"}

      TenantId refers to the name of your Knox Manage company account. It occurs after @ in your Knox Manage username. For example:

      {”TenantId”:”knoxteam.samsung.com”, ”TenantType”:”M”,"AllowModifyUserId":"Disallow"}

      For more information about JSON and related technology, go to http://json.org.

    • Dual DAR: Secures the KME enrollment data with two layers of encryption, even when the device is powered off or in an unauthenticated state.

      Note: The Dual DAR function is only supported on devices running Knox version 3.4 or higher.

      • Enable Dual DAR: Enable the Dual DAR function. If the Dual DAR function is enabled, click the checkbox next to Use3rd party crypto app and click ADD PACKAGE NAME AND SIGNATURE to enter the package name and signature for using the 3rd part crypto app.
  8. Set the following devices settings.

    • System apps: Select the system application settings.
      • Disable system applications: Disable all applications to the device owner supported profile.
      • Leave all system applications enabled: Enable all applications on the device owner supported profile. If this option is not selected, only the default applications and the Knox Manage application are installed on the user devices.
    • Privacy Policy, EULAs and Terms of Service: Click Samsung Knox Privacy Policy to view the specific privacy policy text displayed to devices users based on their geographic region.
      • ADD LEGAL AGREEMENT: Enter the agreement title and agreement text.
    • Company name: Enter the MDM organization name displayed at the time of device enrollment.
  9. Click CREATE to create a device owner supported profile configuration for Android Enterprise. To view the created MDM profile, navigate to MDM Profiles on the Knox Mobile Enrollment Portal.

Modifying MDM profiles

To modify an MDM profile, complete the following steps:

  1. On the Knox Mobile Enrollment Portal, navigate to MDM Profiles.

  2. On the profile list, click the checkbox next to the profile name to modify its information.

  3. Modify the selected profile information, and then click SAVE.

Note: Once you have created an MDM profile, you cannot change the MDM server URI.

Registering devices to the Knox Mobile Enrollment Portal

Depending on the device purchase type, you can register devices to the Knox Mobile Enrollment Portal using the following methods

  • Knox Reseller Portal: For devices purchased from approved Samsung resellers
  • Samsung Knox Deployment App (NFC tagging): For devices purchased from third-party resellers, or for the purpose of testing

For devices purchased from approved Samsung resellers

If the devices were purchased from approved Samsung resellers, you can register the devices to the Knox Mobile Enrollment Portal using the Knox Reseller Portal. For more information on using the Knox Reseller Portal and how to register devices, see the Knox Reseller Portal Admin Guide and follow the instructions.

After the devices are registered successfully, on the Knox Mobile Enrollment Portal, navigate to Devices > UPLOADS to view the registered device information with the reseller’s information including the registration date and the number of devices, IMEI information, and applied profiles.

For devices purchased from third-party resellers

To register devices purchased from third-party resellers or for the purpose of testing to the Knox Mobile Enrollment Portal using the Samsung Knox Deployment app through NFC tagging, complete the following steps:

Note: The user information must be registered in the Knox Mobile Enrollment Portal to register the devices. For more information on how to add device users, see Adding new device users.

  1. Download the “Samsung Knox Deployment” app from the Google Play Store on your device and install it.

  2. Run the “Samsung Knox Deployment” app on your device.

  3. On the login screen, enter your Knox Mobile Enrollment Portal user ID and password, and then tap SIGN IN.

  4. Tap ENROLL VIA NFC.

    Note: The NFC mode on your device must be turned on for NFC tagging.

  5. On the “Get started” screen, tap START.

  6. Select a desired MDM profile to apply, and then tap NEXT.

  7. Tag the user device to your device. To view the information of the registered devices on the Knox Mobile Enrollment Portal, navigate to Devices > UPLOADS.

Assigning MDM profiles and user credentials

After the devices are registered in the Knox Mobile Enrollment Portal, assign the MDM profiles and user credentials to the registered devices. You can assign them to the registered devices either individually or in bulk using a CSV file.

Individual Assignment

To assign MDM profiles and user credential to a registered device individually, complete the following steps:

  1. On the Knox Mobile Enrollment Portal, navigate to Devices.

  2. At the top of the “Devices” page, click the ALL DEVICES tab.

  3. On the device list, click the checkboxes next to IMEI information to assign an MDM profile and user credential to them. Alternately, you can also click the checkboxes next to IMEI information, and then click ACTIONS > Configure devices.

    Note: The device windows appear differently depending on how many devices on the list you select.

  4. On the “Device Details” or “Configure selected devices” window, enter the following device information.

    • “Device Details” window (When configuring a single selected device)
      • MDM Profiles: Select the desired MDM profile from the drop-down list to assign it to the selected device.
      • Tags: Enter a tag to use when searching for specific devices.
      • User ID: Modify the Knox Manage user ID.
      • Password: Modify the Knox Manage user password.
    • “Configure selected devices” window (When configuring two or more selected devices)
      • Modify the MDM profile of selected devices: Select the desired MDM profile from the drop-down list to assign to the selected device.
      • Add tags to selected devices: Enter a tag to use when searching for specific devices. Click the checkbox next to Overwrite existing tags if you want to use the newly entered tag to overwrite existing tags.
      • User credentials: Select one of the following options for the user credentials of devices from the drop-down list.
        • Keep current credentials: Maintain the existing user credential information for the selected devices.
        • Clear user credentials: Remove the existing user credential information for the selected devices.
        • Overwrite user credentials: Modify the user ID and password.
  5. Click SAVE to save the modified device details. The device status changes to Profile assigned. To update the device status, click .

Bulk Assignment

You can assign the MDM profiles and user credentials for up to 10,000 registered devices at once.

To assign MDM profiles and user credential to a registered device individually, complete the following steps:

  1. On the Knox Mobile Enrollment Portal, navigate to Devices.

  2. On the “Devices” page, click ALL DEVICES > ACTIONS > Download devices as CSV at the bottom of the page to download the kme_devices.csv file.

  3. Open the downloaded CSV file and enter the information in the columns of the Excel file, and then save the file as a .csv file.

  4. At the left bottom of the Knox Mobile Enrollment Portal, click BULK ACTIONS.

  5. On the “Bulk actions” page, click View instructions in the BULK CONFIGURE section to read the instructions to ensure the CSV file is completely filled out, and the click GOT IT.

  6. On the “Bulk configure” page, click BROWSE, and then select the saved .csv file.

  7. In the “(Optional) Configure profiles and tags” area, enter the following information.

    • Modify the MDM profile of selected devices: Select the desired MDM profile from the drop-down list to assign it to the selected devices.

    • Tags: Enter a tag to use when searching for specific devices. Click the checkbox next to Overwrite existing tags if you want to use the newly entered tag to overwrite existing tags.

  8. Click SUBMIT. To view the bulk-added information, navigate to Devices > ALL DEVICES.

Adding new device users

You can add a new device user to the list of existing users.

To add a new device user, complete the following steps:

  1. On the Knox Mobile Enrollment Portal, navigate to Device Users.

  2. On the “Device Users” page, click ADD DEVICE USERS to add a new device user.

  3. On the “Add device user” window, enter a user ID and password to create unique KME device user credentials.

    Note: The user ID and password should both be the credentials of the Knox Manage.

  4. Click ADD to add new device user.

Unenrolling KME devices

To disable the use of KME devices, you must unenroll them in the Knox Manage Admin Portal, and then delete them in the Knox Mobile Enrollment Portal. For more information about how to unenroll enrolled devices in the Knox Manage Portal, see Unenrolling devices.

To delete the KME devices, complete the following steps:

  1. On the Knox Mobile Enrollment Portal, navigate to Devices.

  2. On the “Devices” page, click the ALL DEVICES tab.

  3. On the device list, click the checkboxes next to the IMEI information to delete the registered device, click ACTIONS > Delete devices.

  4. In the “Delete devices” window, click DELETE. The selected devices will be deleted from the KME Portal.

    Note: Once a device is deleted from the KME Portal, the device is permanently removed from the system.