Menu

Use Samsung Knox Mobile Enrollment (KME)

Samsung Knox Mobile Enrollment (KME) allows you to quickly and easily enroll a large number of corporate-owned Samsung devices. The devices are automatically enrolled when users connect to the Internet. Even if you reset the devices enrolled by the KME program, the Knox Manage application is re-installed automatically and the devices are re-enrolled in to Knox Manage.

For devices running Android 11, the IT admin can now choose between fully managed and WP-C enrollment types during the provisioning process. The enrollment settings for devices running Android OS 10 or lower remain unchanged.

The KME program provides the following advantages:

  • Enroll a large number of devices in bulk without having to manually enroll each device.

  • Allow the KME devices to automatically install the Knox Manage application when the KME devices are reset.

NOTE—For more information about the KME program, refer to the KME Admin Guide.

Before using Knox Mobile Enrollment

To use Knox Mobile Enrollment (KME) properly, you must first do the following:

  • See the list of available countries at the Samsung Knox website and check if the KME program is available in your country.
  • Prepare a device from one of the following carriers or resellers to use the KME program:
    • A distributor approved by the KME program
    • A dealer sharing IMEI or serial numbers directly with the Samsung representative
  • Ensure the devices are Samsung Galaxy devices running Knox 2.4 or higher.
  • Sign up for a Samsung Knox Account to use for the single sign-on (SSO) account. When using KME from the KM admin console, you need to use your Samsung Account SSO credentials.
  • Ensure that your target devices are either connected to a charger and charging or have more than 50% of battery. You can only install KM on your target devices if there is adequate battery backup on your device.
  • Before enrolling devices using Android Enterprise’s Fully Managed Device, make sure the devices are running on Samsung Galaxy S8 and Android 5.0 (Lollipop) or higher. For more information about Android Enterprise, visit the Android website at https://www.android.com/enterprise/.

Logging in to the Knox Mobile Enrollment Portal

Before you can use Knox Mobile Enrollment (KME) from the KM admin console, you need to create a Samsung Knox Account. You need to use these login credentials to connect your KM and KME accounts.

To log in to the Knox Mobile Enrollment Portal from the KM admin portal, complete the following steps:

  1. In the KM admin console, on the left hand navigation menu go to Device Enrollment > Knox Mobile Enrollment. The Samsung Account SSO page opens.
  2. Click Go to Samsung Knox.
  3. Enter your Samsung Account single sign-on credentials and click Sign in. These credentials are the email id and password you used to create your Samsung Account.
  4. The KM admin console opens to show two new menu items—Device and Profile —visible under Knox Mobile Enrollment on the left hand navigation menu.

Creating profiles

Before enrolling devices, you must create profiles for Android Enterprise on the Knox Manage admin console. Any profiles created on this page are synced with the KME portal linked to your Samsung Account.

Knox Manage supports Android Enterprise device profiles only. These profiles allow users to enroll as a Device Owner or Profile Owner.

Creating Android Enterprise profiles

To create profiles for Android Enterprise profile types, complete the following steps:

  1. In the KM admin portal, on the left hand navigation menu, go to Knox Mobile Enrollment > Profile.
  2. On the Profile page that opens, in the upper-left corner, click Add.
  3. On the Add profile page that opens, enter the following basic information for the device owner profile.
    • Name—Enter an appropriate profile name to distinguish it from others with similar attributes.
    • Description—Enter a profile description to further differentiate this profile from others.
    • Enrollment Type—Select one of the following three options:
      • User defined
      • Fully managed
      • Work profile
      • NOTE—To force Work Profile enrollment mode on KME console, on the Android Enterprise > Create new profile screen, select the following options: 1. Select Let MDM choose to enroll as a Device Owner or Profile Owner. 2. Set the MDM vendor as Knox Manage. 3. Enter the custom JSON value as
        - Work Profile on company-owned / Work Profile : {Mode : PO}
        - Fully Managed : {Mode : DO}
  4. Select one of the following two options to configure device enrollment:
    • Force Device Owner enrollment—Select this option if you want the device user to enroll their device manually.
    • Let MDM choose to enroll as a Device Owner or Profile Owner—Select this option if you want the MDM to select the type of enrollment for the device. If you want to ensure that the device is enrolled as the Work Profile type, you must select this option.
  5. Pick your MDM—Select your MDM from the list of options. If you want to ensure that the device is enrolled as the Work Profile type, you must select Knox Manage as your MDM.
  6. MDM Agent APK—Enter the APK URL for your MDM Agent. If you want to ensure that the device is enrolled as the Work Profile type, you must enter the Knox Manage APK URL for example: https://s3-ap-southeast-1.amazonaws.com/emminstall-ap/KnoxManageEMMService.apk.
  7. MDM Server URI—Enter the MDM Server's URI that is used for device enrollment. For example: https://eu02.manage.samsungknox.com.
  8. MDM Configuration—Enter the custom JSON Data as defined by your MDM. For example:
    { "TenantId": "test.com", "TenantType": "M" }.

    NOTE—JSON Data and the .csv file data are required for automatic login. The .csv file data must contain a valid userid and password.
  9. Set the following device and user settings.
    • Allow Users to Change Their ID for enrollment—In cases where the IT admin sets up and uses a default username and ID for device enrollment, you can allow users to change their enrollment ID for ease of use.
    • Disable System Applications—In special cases, IT admins can use this option to disable default system applications on the target devices. The default value for this field is set to allow system applications.
  10. Provide the following company related information.
    • Company Name— Enter the organization name displayed at the time of device enrollment.
  11. Enter a valid Legal Agreement document as follows:
    1. In the Legal Agreement area, click Add.
    2. Follow on-screen instructions to add your legal document and return to the Add Profile page.
  12. Click Save to create a supported profile configuration for Android Enterprise. The newly created profile is synced with your KME portal data.

Registering and enrolling devices using KME

KM admin console is integrated with KME, so when you sign in using your Samsung Account SSO your devices are automatically synced to KM. And if your devices meet the prerequisites set out in Before you begin, KM is installed on them.

Assigning profiles to devices and users

Once devices are enrolled in KM, you can assign KME profiles you created earlier to your devices.

Individual Assignment

You can assign profiles to devices in one of two ways:

Assign profiles using the Device menu

To assign profiles and user credentials to a device individually, complete the following steps:

  1. In the KM admin portal, on the left hand navigation menu, go to Knox Mobile Enrollment > Device.
  2. On the Device page that opens, click the All devices tab.
  3. In the list of devices on this page, click the check boxes to select the devices to which you want to assign the profiles, and then click Configure. The Configure devices page opens.
  4. On this page, do the following:
    1. In the KME profile list, select the appropriate profile you want to apply.
    2. Next to the User Credentials field, click Select to open a page showing a list of KM users. Select the appropriate user from this page.
    3. Click Save to assign the profile to your target device and return to the All devices page.
  5. The profile is now assigned to your target devices and is applied to the devices when they next connect to the Internet.

Assign profiles using the Profile menu

In addition to the previously described method to assign profiles to devices, KM allows you to assign profiles to devices from the KME profiles page.

To assign profiles to a device from the Profile page, complete the following steps:

  1. In the KM admin portal, on the left hand navigation menu, go to Knox Mobile Enrollment > Profile.
  2. On the Profile page that opens, click the check box next to the Profile you want to assign to your devices, and then click Assign. The Assign devices page opens.
  3. In the list of devices on this page, click the check boxes to select the devices to which you want to assign the profile, and then click Save. The profile is now assigned to your target devices and is applied to the devices when they next connect to the Internet.
Unassigning profiles from devices

To unassign a profile from a device, complete the following steps:

  1. In the KM admin portal, on the left hand navigation menu, go to Knox Mobile Enrollment > Profile.
  2. On the Profile page that opens, in the Profile Assigned column, click the number of devices assigned to this profile to open the Profile Details page for that profile.
  3. NOTE—If there are no devices assigned to this profile, this column shows 0 devices. In this case, the number of devices (zero) is not clickable.
  4. In the list of devices on this page, click the check boxes to select the devices from which you want to remove the profile, and then click Unassign.
  5. When prompted, click OK to confirm that you want to the profile from the target device. The profile is now unassigned from your target devices and is removed from the devices when they next connect to the Internet.

Modifying KME profiles

IT admins can now modify KME profiles from within the KM admin console. To modify a KME profile from within KM, complete the following steps: 

  1. In the KM admin portal, on the left hand navigation menu, go to Knox Mobile Enrollment > Profile.
  2. On the Profile page that opens, click the check box next to the Profile you want to modify, and then click Modify. The Modify Profile page opens.
  3. This page contains all the details you had specified when you created the profile. Make all the necessary changes to this page and then click Save. The changes are saved to the profile in KM and KME. These changes are applied to the device when the device is re-enrolled.

Unenrolling KME devices

To disable the use of KME devices, you must unenroll them from KM and then unenroll them from the KME section in the KM admin portal. For more information about how to unenroll devices from KM, see Unenrolling devices.

After you unenroll devices from KM, follow these steps to delete them from KME: 

  1. In the KM admin portal, on the left hand navigation menu, go to Knox Mobile Enrollment > Device.
  2. On the Devices page, click the ALL DEVICES tab.
  3. In the list of devices on this page, click the check boxes next to the IMEI information to select the appropriate devices, click Delete. The selected devices are removed from KM.
Share it: