- Basics
- About Knox
- Knox licenses
- Knox white paper
- Sign up for Samsung Knox
- Latest release notes
- General Knox FAQ
- General Knox KBAs
- Submit a support ticket
- User Acceptance Testing
- For IT admins
- Knox Admin Portal
- Knox Suite
- Knox Platform for Enterprise
- Introduction
- How-to videos
- Before you begin
- Get started with UEMs
- Introduction
- Blackberry UEM
- Citrix Endpoint Management
- FAMOC
- IBM MaaS360
- Microsoft Intune
- MobileIron Cloud
- MobileIron Core
- Samsung Knox Manage
- SOTI MobiControl
- VMware Workspace ONE UEM
- Knox Service Plugin
- Release notes
- Migrate to Android 11
- FAQs
- Troubleshoot
- KBAs
- Knox Mobile Enrollment
- Knox Configure
- Mobile
- Wearables
- Shared Device
- FAQ
- KBAs
- Knox Capture
- Introduction
- How it works
- How-to videos
- IT admins: Get started
- Getting started with Knox Capture
- Step 1: Launch Knox Capture
- Step 2: Create a scanning profile
- Step 3: Select apps and activities
- Step 4: Configure the scanner
- Step 5: Set keystroke output rules
- Step 6: Test apps in your configuration
- Step 7: Share your configuration
- Step 8: Deploy Knox Capture in Managed mode
- End users: Get started
- Features
- Release notes
- FAQ
- KBAs
- Troubleshoot
- Knox Asset Intelligence
- Knox Manage
- Introduction
- How-to videos
- Get started
- Video: Getting started with Knox Manage
- Integration with Managed Service Provider
- Access Knox Manage
- Configure basic environments
- Create user accounts
- Create groups
- Create organization
- Set up devices and profiles
- Create a new profile
- Assign profiles to groups and organizations
- Enroll devices
- Shared Android device quickstart
- Non-shared Android device enrollment quickstart
- Android Management API device enrollment quickstart
- Apple User Enrollment quickstart
- View device information
- Apply profiles to organizations
- Set up Knox Manage deployment with a Knox Suite license
- Manage Chromebooks
- Manage Android devices with the Android Management API
- Manage Shared iPads
- Configure
- Licenses
- Organization
- Users
- Sync user information
- Groups
- Devices
- Content
- Applications
- Profile
- Knox E-FOTA
- Certificates
- Advanced settings
- Monitor
- Kiosk devices
- Knox Remote Support
- Active Directory
- Microsoft Exchange
- Mobile Admin
- Appendix
- Release notes
- Features
- FAQ
- KBAs
- Knox E-FOTA
- Introduction
- How-to videos
- Get started
- Features
- EMM integration
- Appendix
- Release notes
- FAQ
- KBAs
- Troubleshoot
- Knox E-FOTA On-Premises
- Legacy Knox E-FOTA products
- Knox Guard
- Introduction
- How-to video
- Get started
- Using Knox Guard
- Dashboard
- Manage devices
- Device management
- Accept or reject devices
- Upload devices
- Delete devices
- Complete device management
- Send notifications
- Enable or disable SIM control
- Download devices as CSV
- View device log
- View device deletion log
- Start and stop blinking reminder
- Lock and unlock devices
- Update lock message
- Send relock timestamp
- Turn on/off relock reminder
- Manage policies
- Manage licenses
- Manage resellers
- Manage admins and roles
- Activity log
- Knox Deployment App
- Release notes
- FAQ
- KBAs
- Support
- Knox Guard REST API
- Samsung Care+ for Business
- For Knox Partners
- Knox Deployment Program
- Knox MSP Program
Zero-touch enrollment allows you to quickly and easily enroll a large number of company-owned Android devices. After a device is registered with zero-touch, it automatically enrolls when the device user connects to the Internet and logs in to the KM agent. If you factory reset a device enrolled by zero-touch, the KM agent will automatically reinstall and the device will re-enroll in KM.
Zero-touch enrollment provides the following advantages:
- Enrolls a large number of devices in bulk without having to manually enroll each device.
- Allows a device to automatically install the KM agent after a factory reset.
- Prevents an unauthorized device from joining your EMM environment.
- Allows resellers to add devices to your zero-touch enrollment account.
For devices running Android 11 and higher, KM now supports a new device provisioning method that lets the device user choose the device's mode, depending upon whether the device is for work use only or a mix of work and personal use.
To enroll devices using zero-touch enrollment, complete the following steps.
Before you use zero-touch enrollment
To use zero-touch enrollment properly, you should:
- Make sure that the devices are compatible with zero-touch enrollment. All devices running Android 9 and higher support zero-touch. For devices running earlier versions of Android, you should verify their compatibility by checking with your zero-touch reseller or device manufacturer.
- Prepare a device from a zero-touch reseller partner.
- Sign up for an enterprise Google account. A personal Gmail account cannot be used. To create a Google account for enterprise use, go to Create your Google account.
- Link your zero-touch account to KM to speed up registration.
- Before enrolling a device in Fully Managed mode, make sure it is running Android 5 and higher. For more information about Android Enterprise, see the Android home page.
Link your zero-touch account to KM
To link your zero-touch account to your KM tenant:
Normally, you would perform all zero-touch-related tasks on the Google admin portal. To provide a more productive and smoother experience, KM allows you to link your zero-touch account with your KM tenant, which lets you perform several tasks from the KM console:
- View account details at a glance
- Add more or remove zero-touch accounts
- Navigate directly to the zero-touch device list
To link your zero-touch account with KM:
- On the KM console, go to Device Enrollment > Zero-Touch.
- Under Link your zero-touch account to your EMM provider, click Next.
- Select one or more zero-touch accounts associated with the Google account to link, then click Link.
- Click Next on the confirmation screen.
Log in to the zero-touch enrollment portal
On the KM console
After your zero-touch account is linked to KM, you can log in and manage the account through the KM console.
To log in the zero-touch enrollment portal on the KM console:
- On the KM console, go to Device Enrollment > Zero-Touch.
- Submit your enterprise Google account credentials.
After you log in to your enterprise Google account on KM, you can view the account details, add or remove zero-touch accounts, and follow the link to view the registered zero-touch devices. If you need to perform other tasks, you should access your zero-touch settings from the Google admin console.
On the Google admin console
To log in to the zero-touch enrollment portal on the Google admin console:
- Go to the zero-touch enrollment portal.
- Submit your enterprise Google account credentials.
After you log in to the zero-touch enrollment portal, the following pages are available:
- Configurations — Create, modify, and delete KM configurations.
- Devices — Displays the registered device list. You can assign and apply the KM configurations to the selected devices on the list.
- Users — Add, modify, and delete users who can access and manage the portal.
- Resellers — Add resellers to share your account with multiple resellers.
Create a KM configuration
To create a KM configuration:
- On the zero-touch enrollment portal, go to Configurations.
- Click
. The Add a new configuration window opens. - Fill the fields:
- Configuration name — Enter a configuration name.
- EMM DPC — Select Samsung Knox Manage from the EMM DPC dropdown list.
DPC extras — Configure the extra settings for the device policy controller.
The following sample configuration contains the three minimum required fields:
{ "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": { "ServerUrl": "Your Server Url", "TenantId": "Your Knox Manage Tenant ID", "Method": "ZeroTouch" } }Optionally, you can include the UserID and Password fields to enroll all devices with a shared user ID and password, and the Mode field to enforce fully managed (DO) or work profile (PO) mode on company-owned devices. This sample configuration demonstrates these extra fields:
{ "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": { "ServerUrl": "Your Server Url", "TenantId": "Your Knox Manage Tenant ID", "Method": "ZeroTouch", "UserID": "Enrollment User ID", "Password": "Password for the Enrollment User ID", "Mode": "DO" } }For work profile deployments, replace "DO" with "PO".
The ServerURL of your applicable region is as follows:
Region Domain Asia https://ap01.manage.samsungknox.com/emm Asia (India only) https://ap02.manage.samsungknox.com/emm US https://us01.manage.samsungknox.com/emm EU https://eu01.manage.samsungknox.com/emm - Company Name — Enter the name of your enterprise. It will display on the user's device during enrollment.
- Support email address — Enter your enterprise IT admin email address. This address is shown on the user's device during enrollment, and it can be used to contact your IT admin in case of any enrollment issues.
- Support phone number — Enter your enterprise IT support phone number. This number is shown on the user's device during enrollment, and it can be used to contact your IT admin in case of any enrollment issues.
- Custom message (optional) — Enter a message to show on the device screen during enrollment.
- Click Add to create the new KM configuration.
Assign a KM configuration to zero-touch devices
After zero-touch reseller partners have registered devices in the zero-touch enrollment portal, you can assign the newly created KM configurations to the devices either individually or in bulk with a CSV file.
Individual assignment
To assign a KM configuration to a device individually:
- On the zero-touch enrollment portal, go to Devices.
- Select the devices to which configurations are to be applied to on the device list, and then, under Configuration, select a KM configuration.
Bulk assignment
To assign a KM configuration to multiple devices at once:
- On the zero-touch enrollment portal, go to Devices.
- Click
> Download results as .csv and save it to your local file system. - Open the CSV file with a text editor and fill the following fields:
Field Example value Description modemtype IMEI This field should be always set to IMEI in uppercase letters. modemid 123456789012347 Enter the IMEI number of the device. serial ABcd1235678 Enter the serial number of the device. model VM1A Enter the model name of the device. manufacturer Google Enter the name of the device manufacturer. Profiletype ZERO_TOUCH This field should always be set as ZERO_TOUCH in uppercase letters. Profileid 54321 Enter the ID of the KM configuration you want to apply to the device. To view the configuration's ID, check the ID column on the Configurations page. To remove the device from zero-touch enrollment, enter 0. - Go to the Devices page, then click > Upload batch configurations. A file dialog opens. Select the modified CSV file.
The devices in the CSV file are assigned to the chosen KM configuration.
Enroll a zero-touch device
After the KM configuration is assigned to a zero-touch device, in order to enroll it you must first install KM and sign in with a KM account.
To enroll a zero-touch device:
- Ensure the device is factory reset.
- Turn on the device, and then tap Start on the welcome screen.
- On the Connect to mobile network screen, insert a sim card or tap Skip.
- Tap an available Wi-Fi network to connect to it. The device checks for updates.
- On the Set up your device screen, read the privacy policy of KM and Google, and then tap Accept & continue. The device contacts the KM server.
- On the Google Services screen, tap Accept. The KM agent installs and launches.
- On the Sign in with your Samsung Knox Manage Account screen, enter a KM user ID and password, and then tap SIGN IN.
- On the KM terms and agreements screen, read the terms of use, privacy policy, and end-user license agreement, tap the check box next to Agree all, and then tap NEXT.
- On the Display over other apps page, if required, tap All display over other.
The device is registered and enrolled in KM.
Delete devices from the zero-touch enrollment portal
If you need to transfer ownership of a device, you can delete devices one at a time from the zero-touch enrollment portal.
To delete a device from the zero-touch enrollment portal:
- On the zero-touch enrollment portal, go to Devices.
- On the Devices page, select the device you want to remove, and then click DEREGISTER.
- In the Deregister device? window, click DEREGISTER to delete the devices from the zero-touch enrollment portal.
After you delete a device, if you want to re-register it to the zero-touch enrollment portal, you must contact your reseller. If you need to temporarily exclude a device from the zero-touch enrollment portal, consider removing its KM configuration.
