- Basics
- About Knox
- Knox licenses
- Knox white paper
- Sign up for Samsung Knox
- Latest release notes
- General Knox FAQ
- General Knox KBAs
- Submit a support ticket
- User Acceptance Testing
- For IT admins
- Knox Admin Portal
- Knox Suite
- Knox Platform for Enterprise
- Introduction
- How-to videos
- Before you begin
- Get started with UEMs
- Introduction
- Blackberry UEM
- Citrix Endpoint Management
- FAMOC
- IBM MaaS360
- Microsoft Intune
- MobileIron Cloud
- MobileIron Core
- Samsung Knox Manage
- SOTI MobiControl
- VMware Workspace ONE UEM
- Knox Service Plugin
- Release notes
- Migrate to Android 11
- FAQs
- Troubleshoot
- KBAs
- Knox Mobile Enrollment
- Knox Configure
- Mobile
- Wearables
- Shared Device
- FAQ
- KBAs
- Knox Capture
- Introduction
- How it works
- How-to videos
- IT admins: Get started
- Getting started with Knox Capture
- Step 1: Launch Knox Capture
- Step 2: Create a scanning profile
- Step 3: Select apps and activities
- Step 4: Configure the scanner
- Step 5: Set keystroke output rules
- Step 6: Test apps in your configuration
- Step 7: Share your configuration
- Step 8: Deploy Knox Capture in Managed mode
- End users: Get started
- Features
- Release notes
- FAQ
- KBAs
- Troubleshoot
- Knox Asset Intelligence
- Knox Manage
- Introduction
- How-to videos
- Get started
- Video: Getting started with Knox Manage
- Integration with Managed Service Provider
- Access Knox Manage
- Configure basic environments
- Create user accounts
- Create groups
- Create organization
- Set up devices and profiles
- Create a new profile
- Assign profiles to groups and organizations
- Enroll devices
- Shared Android device quickstart
- Non-shared Android device enrollment quickstart
- Android Management API device enrollment quickstart
- Apple User Enrollment quickstart
- View device information
- Apply profiles to organizations
- Set up Knox Manage deployment with a Knox Suite license
- Manage Chromebooks
- Manage Android devices with the Android Management API
- Manage Shared iPads
- Configure
- Licenses
- Organization
- Users
- Sync user information
- Groups
- Devices
- Content
- Applications
- Profile
- Knox E-FOTA
- Certificates
- Advanced settings
- Monitor
- Kiosk devices
- Knox Remote Support
- Active Directory
- Microsoft Exchange
- Mobile Admin
- Appendix
- Release notes
- Features
- FAQ
- KBAs
- Knox E-FOTA
- Introduction
- How-to videos
- Get started
- Features
- EMM integration
- Appendix
- Release notes
- FAQ
- KBAs
- Troubleshoot
- Knox E-FOTA On-Premises
- Legacy Knox E-FOTA products
- Knox Guard
- Introduction
- How-to video
- Get started
- Using Knox Guard
- Dashboard
- Manage devices
- Device management
- Accept or reject devices
- Upload devices
- Delete devices
- Complete device management
- Send notifications
- Enable or disable SIM control
- Download devices as CSV
- View device log
- View device deletion log
- Start and stop blinking reminder
- Lock and unlock devices
- Update lock message
- Send relock timestamp
- Turn on/off relock reminder
- Manage policies
- Manage licenses
- Manage resellers
- Manage admins and roles
- Activity log
- Knox Deployment App
- Release notes
- FAQ
- KBAs
- Support
- Open API reference
- Samsung Care+ for Business
- For Knox Partners
- Knox Deployment Program
- Knox MSP Program
MDMs should refer to this topic for guidance on KME account registration prerequisites, tips for creating a MDM profile, and selecting an authentication scheme.
Satisfy the KME account prerequisites
Ensure the following MDM prerequisites are satisfied before enrolling devices with KME:
- Ensure KME is available in your deployment region. KME is available in over 55 countries, including the United States, Canada, and United Kingdom. For more information on supported countries, go to: KME country availability.
- Verify your devices and Knox version support KME. KME is available on all Samsung devices running Knox version 2.4 or above.
- Ensure the necessary firewall and networking access rules are permitted on your network. For information, go to: Firewall exceptions.
- Register for a Samsung account. A Samsung account is necessary to register for KME and manage all Knox entitlements from a single location. For more information, go to: Create your Samsung accounts.
- Once your profile is submitted, Samsung will review of your application and either approve immediately or place your application in a pending review status for follow-up.
Create a KME profile for your MDM
Now that your company is successfully registered, you are ready to start creating your KME profile for your MDM. The Profile setup wizard will guide you through creating your first profile using the information below:
For information about the DO enrollment methods utilized by KME supported MDMs, go to: MDM enrollment methods.
- MDM Server URI — Enter the environment URL for your MDM server and following syntax https://companyname.com. This is the URL devices are directed to go to enroll in their MDM.
- Profile Name — Enter the required profile name for the initial MDM profile being created.
- Description — Optionally provide a description to better describe the new MDM profile.
- Support contact details — Select the EDIT button to update the profile's Company Name, Company Address, Support Phone Number and Support Email Address contact information. Select the Save as default support contact details checkbox to utilize this information as default support contact information.
- MDM Agent APK- Insert the required downloadable link to the MDM. The MDM application(s) will be downloaded and installed on the device when it first connects to a Wi-Fi or active Cellular network.
- Skip Setup Wizard — During a standard out-of-box Samsung device activation, the Setup Wizard displays a series of Google, Samsung, and Carrier prompts that can be optionally skipped. If skipping the Setup Wizard, an IT administrator authorizes KME to skip the wizard's setup screens, thereby shortening the enrollment steps required, and reduced a device's enrollment time. Skipping the setup wizard requires a minimum Knox version 2.7.1 or above.
- Allow End User to cancel enrollment — Selecting this option allows users to cancel KME once an enrollment is in process.
- Custom JSON as defined by MDM — Custom JSON allows a MDM to send specific configurations to the device for enrollment and authentication.
- Privacy Policy, EULAs and Terms of Service — IT admins can show Knox related EULAs (License EULA) together during initial enrollment to reduce the number of pop-ups. In addition to default EULAs, any enterprise and MDM specific EULAs can be added while creating a profile. Select the Samsung Knox Privacy Policy link to review the specific Privacy Policy text displayed to device users based on their geographic region. Click Add legal agreements and enter the Agreement Title and Agreement Text.
- Associate a KNOX License with this Profile — Optionally attach the paid Knox license that was sent to the device during enrollment. Consider speaking with your Samsung Technical representative before using this feature, as it is not required for enrollment.
MDM End user authentication options for KME
Consider your MDM's best user credential validation option from the following supported authentication types:
- Blank Credentials Based Authentication — An IT admin leaves the Username and Password fields blank in KME, requiring the end user to enter both sets of information on their device during enrollment.
- Username Only Authentication — An IT admin supplies a Username to KME, but leaves the password field blank, requiring the end user to enter a password on their device during enrollment.
- SAML Based Authentication — This form of authentication is brokered by an IDP, and is commonly known as Federated authentication.
- OTP (Token) Authentication — An IT admin generates an enrollment token to be used for enrollment. The Username and/or token is entered into KME to authenticate during the device enrollment.
- Staging Device Authentication — Allows an IT admin to establish a single set of credentials that gets pushed to the device for device staging.
