Create a profile for an MDM

MDMs should refer to this topic for guidance on KME account registration prerequisites, tips for creating an MDM profile, and selecting an authentication scheme.

Satisfy the KME account prerequisites

Ensure the following MDM prerequisites are satisfied before enrolling devices with KME:

  1. Ensure KME is available in your deployment region. KME is available in over 55 countries, including the United States, Canada, and United Kingdom. For more information on supported countries, go to: KME country availability.
  2. Verify your devices and Knox version support KME. KME is available on all Samsung devices running Knox version 2.4 or above.
  3. Ensure the necessary firewall and networking access rules are permitted on your network. For information, go to: Firewall exceptions.
  4. Register for a Samsung account. A Samsung account is necessary to register for KME and manage all Knox entitlements from a single location. For more information, go to: Create your Samsung accounts.
  5. Once your profile is submitted, Samsung will review your application and either approve it immediately or place it in a pending review status for follow-up.

Create a KME profile for your MDM

Now that your company is successfully registered, you are ready to start creating your KME profile for your MDM. The Profile setup wizard will guide you through creating your first profile using the information below:

For information about the DO enrollment methods utilized by KME supported MDMs, go to: MDM enrollment methods.

  • MDM Server URI — Enter the environment URL for your MDM server and following syntax. This is the URL devices are directed to in order to enroll in their MDM.
  • Profile Name — Enter the required profile name for the initial MDM profile being created.
  • Description — Optionally provide a description to better describe the new MDM profile.
  • Support contact details — Select the EDIT button to update the profile's Company Name, Company Address, Support Phone Number and Support Email Address contact information. Select the Save as default support contact details checkbox to utilize this information as default support contact information.
  • MDM Agent APK — Insert the required downloadable link to the MDM. The MDM application(s) will be downloaded and installed on the device when it first connects to a Wi-Fi or active cellular network.
  • Skip Setup Wizard — During a standard out-of-box Samsung device activation, the Setup Wizard displays a series of Google, Samsung, and Carrier prompts that can be optionally skipped. If skipping the Setup Wizard, an IT administrator authorizes KME to skip the wizard's setup screens, thereby shortening the enrollment steps required and reducing a device's enrollment time. Skipping the setup wizard requires Knox version 2.7.1 or above.
  • Allow End User to cancel enrollment — Selecting this option allows users to cancel KME once an enrollment is in process.
  • Custom JSON as defined by MDM — Custom JSON allows an MDM to send specific configurations to the device for enrollment and authentication.
  • Privacy Policy, EULAs and Terms of Service — IT admins can show Knox-related EULAs (License EULA) together during initial enrollment to reduce the number of pop-ups. In addition to default EULAs, any enterprise and MDM-specific EULAs can be added while creating a profile. Select the Samsung Knox Privacy Policy link to review the specific Privacy Policy text displayed to device users based on their geographic region. Click Add legal agreements and enter the Agreement Title and Agreement Text.
  • Associate a KNOX License with this Profile — Optionally attach the paid Knox license that was sent to the device during enrollment. Consider speaking with your Samsung Technical representative before using this feature, as it is not required for enrollment.
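
A pre-submission check for the profile values above, as an added example that is not Samsung's code or part of the original page. The dictionary keys are hypothetical names for the wizard fields, the HTTPS and no-embedded-credentials rules are an assumed local policy rather than a stated KME requirement, and the Knox version floors (2.4 for KME, 2.7.1 for Skip Setup Wizard) come from this page:

```python
import json
from urllib.parse import urlsplit

KME_MIN_KNOX = (2, 4)              # page: KME needs Knox 2.4 or above
SKIP_WIZARD_MIN_KNOX = (2, 7, 1)   # page: Skip Setup Wizard needs Knox 2.7.1 or above

def knox_tuple(version):
    """'2.7.1' -> (2, 7, 1), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))

def check_url(label, url):
    """Assumed local policy, not a KME rule from the page: https, a host, no inline credentials."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme != "https":
        findings.append(f"{label}: scheme is {parts.scheme or 'missing'!r}, expected https")
    if not parts.hostname:
        findings.append(f"{label}: no host in URL")
    if parts.username or parts.password:
        findings.append(f"{label}: credentials embedded in URL")
    return findings

def lint_profile(profile, fleet_knox_versions):
    """Return a list of findings; an empty list means every check passed."""
    findings = check_url("MDM Server URI", profile.get("mdm_server_uri", ""))
    findings += check_url("MDM Agent APK", profile.get("mdm_agent_apk", ""))
    if profile.get("custom_json"):
        try:
            json.loads(profile["custom_json"])
        except json.JSONDecodeError as exc:
            findings.append(f"Custom JSON: does not parse ({exc.msg})")
    for version in fleet_knox_versions:
        if knox_tuple(version) < KME_MIN_KNOX:
            findings.append(f"Knox {version}: below 2.4, KME not available")
        elif profile.get("skip_setup_wizard") and knox_tuple(version) < SKIP_WIZARD_MIN_KNOX:
            findings.append(f"Knox {version}: Skip Setup Wizard needs 2.7.1 or above")
    return findings

if __name__ == "__main__":
    # Constructed sample values, not taken from the page or from any real deployment.
    sample = {
        "mdm_server_uri": "http://mdm.example.com/enroll",
        "mdm_agent_apk": "https://mdm.example.com/agent.apk",
        "skip_setup_wizard": True,
        "custom_json": '{"tenant": "acme",}',
    }
    for finding in lint_profile(sample, ["2.3", "2.7", "2.7.1", "3.0"]):
        print(finding)
```

The version comparison is done on integer tuples because a string comparison would sort "2.10" below "2.4".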

MDM End user authentication options for KME

Consider your MDM's best user credential validation option from the following supported authentication types:

  • Blank Credentials Based Authentication — An IT admin leaves the Username and Password fields blank in KME, requiring the end user to enter both sets of information on their device during enrollment.
  • Username Only Authentication — An IT admin supplies a Username to KME, but leaves the password field blank, requiring the end user to enter a password on their device during enrollment.
  • SAML Based Authentication — This form of authentication is brokered by an IDP, and is commonly known as Federated authentication.
  • OTP (Token) Authentication — An IT admin generates an enrollment token to be used for enrollment. The Username and/or token is entered into KME to authenticate during the device enrollment.
  • Staging Device Authentication — Allows an IT admin to establish a single set of credentials that gets pushed to the device for device staging.