Menu

Samsung Knox Deployment App

The Knox Deployment App is a mobile application available from the Google Play Store that is uniquely designed to help streamline the enterprise deployment of Samsung phones and tablets running Knox 2.7.1 or higher. The Knox Deployment App enables customers to seamlessly enroll devices using Knox Mobile Enrollment (KME).

About

The Knox Deployment App provides the flexible option to IT admins needing to bulk enroll end-user devices to KME without having a reseller. Using this app allows IT Admins to reduce their bulk deployment time, by using a master device without factory resetting each device. Once enrolled, an IT admin can easily locate the devices within KME console.

The Knox Deployment App can also be used to enroll devices into KME directly, without the use of any of the Knox Cloud Services resources. However, this permission must be granted to an admin within the KME Administrators & Roles screen. For more information on defining administrator roles, go to: Administrators and roles.

NOTE — The Knox Deployment App does not support the KME enrollment of Samsung devices without Knox (Other Samsung devices).

Bluetooth enrollment

To support Bluetooth-based enrollments, an IT admin can install the Samsung Knox Deployment App on a dedicated admin/master smartphone or tablet device, and select existing KME profiles. If the user’s device is within proximity of the master device, the user device connects to the admin device wirelessly via Bluetooth without a PIN or password requirement. For more information, go to: Bluetooth deployment.

NFC enrollment

With Near Field Communication (NFC) enrolments, a non-B2B device is “bumped” (held closely together) with another smartphone device with Knox Deployment App running and scanning in NFC mode. The dedicated master NFC device displays profiles available for enrollment and end user device enrollment begins once an IT admin selects a profile. The NFC enrollment option is not available to tablet devices. For more information, go to: NFC deployment.

Wi-Fi Direct enrollment

Wi-Fi Direct supported devices can connect directly to each other via a WLAN, without joining a traditional wireless network or Wi-Fi hotspot. Once enabled, the device automatically scans for other supported Wi-Fi direct devices. Once discovered, specific devices can be selected for enrollment data transfer. For more information, go to: Wi-Fi Direct deployment.

NOTE — Using the Knox Deployment App does not apply the profile to the admin/master device. It only broadcasts the profile to the devices in the vicinity.
NOTE — Only end-user devices within physical proximity of the admin/master device with an active Knox Deployment App can enroll to KME.

NOTE —The screens utilized within this guide are from a smartphone. If running the Knox Deployment App on a tablet, the information on the screen would be identical, just optimized to fit the tablet’s display capabilities.

App version information

Knox Deployment App version information and available open source licenses can be referenced from within the ABOUT screen. Samsung recommends you periodically compare the Knox Deployment App’s version to the latest available from Samsung to ensure you have the latest feature set and functionality available.

To launch the Knox Deployment App’s ABOUT screen:

  1. Invoke the drop-down menu from the top, right-hand, side of the device and select About.
  2. Refer to the listed version number and note the version. If needed, select Open source licenses to review the open source licenses available to your Knox deployment.

Prerequisites

To support Bluetooth or NFC enrolments using the Knox Deployment App, the IT admin must:

  1. Secure a Knox Portal account and ensure:
    • Your devices support the Bluetooth, NFC, or Wi-Fi Direct protocols. Check your device specification if unsure.
    • You have at least one profile configured in Knox Configure or Knox Mobile Enrollment portal
  2. Secure the appropriate licenses to enroll devices (through the Samsung Knox Portal).
  3. A Knox Portal account. For more information, go to: Knox accounts.
  4. Install the Knox Deployment on an admin/master device, and login using their Knox Portal ID/password.
  5. Select a KME profile on the master device to apply to the end-user devices.

Using the Knox Deployment App

This section describes the screen flow navigation for a typical Bluetooth or NFC based enrollment using the Knox Deployment App.

  1. Select SIGN IN once the Knox Deployment App launches on the device.
  2. NOTE — If the Knox Deployment App is already running on the device, the initial screen does not display, and the application displays the sign in screen.

  3. Enter the Knox Portal Username and Password to login into the Knox Deployment App.
  4. Select Remember me to display and utilize the username in subsequent Knox Deployment App logins.
  5. NOTE —If you encounter difficulty logging in to the Knox Deployment App, ensure you have either a valid Knox Portal account with privileges for KME. If that is not the issue, select Forgot your email or password? for assistance retrieving your login credentials.
  6. Select SIGN IN to proceed with the device login.

Once you have successfully logged into the Knox Deployment App, a WELCOME screen displays providing first-time options for profile selection and deployment mode selection.

NOTE - Once the Knox Deployment App profile selection and configuration mode are set, the selected options display within their respective fields, the START DEPLOYMENT screen flow enables, and the Welcome portion of screen no longer displays in subsequent logins.

Profile selection

Select a profile to utilize within the Knox Deployment App to apply specific device settings to the master admin device using Bluetooth, NFC, or Wi-Fi Direct to enroll end user devices.

To select a configuration profile using the Knox Deployment App:

  1. Select Tap here to select a profile from the Welcome screen display a list of profile selection options.
  2. Optionally filter whether All profiles are listed for potential selection or just Knox Configure or Knox Mobile Enrollment defined profiles. The most recent profile additions display first within their respective categories.
    • Each listed profile has a brief description to help determine its relevance to a particular device enrollment mode option using the Knox Development App. An important distinction to the profile description is the profile’s relevance to either phones and tablets or wearable devices.
    • If needed, select the Search icon near the top of the screen to display a search field where existing profiles can be located and displayed. The search function only locates filtered profiles.
    • If no profiles are available, a profile requires registration using the KME console at www.samsungknox.com.

  1. Select a listed profile. Once selected, the profile displays upon subsequent logins. The profile is now ready for Bluetooth, NFC, or Wi-Fi Direct deployment mode selection as described in the sections that follow.

Bluetooth deployment

Once profiles are set on the master admin device, the IT admin needs to set Bluetooth as the deployment mode and define the Bluetooth duration interval. End users can then enroll their device by entering the appropriate URL via KME.

To enroll and deploy devices using the KDA Bluetooth option:

  1. From the admin master device, navigate to the SELECT DEPLOYMENT MODE screen and select Bluetooth as the device deployment mode.
  2. If setting up a Wi-Fi connection resource for the device, select Wi-Fi for deployed devices, and select either a saved or available network resource for connection. Wi-Fi credentials are validated upon input, so ensure they are correct. Using Wi-Fi, a device can connect to a specified configured network to communicate externally. The following restrictions apply for the Wi-Fi for deployed devices setting:
    • Only out-of box KME trigger deployments are supported. Trigger deployments utilize a plus sign (+) gesture on a device's Welcome screen to start an out-of-box deployment and bypass the setup wizard.
    • The receiver device must be utilizing Knox version 3.2 or above.
    • Only Note9 and Tab S4 and above devices are supported.
    • Not supported on wearable devices.
    • Wi-Fi credentials passed to the target device are for WEP, WPA and WPA2.

    NOTE — Both the master and receiver device require an Internet connection (Wi-Fi or cellular) for this feature to work.
  3. Set the Bluetooth Duration for either 30 minutes, 1 hour, 3 hours, 5 hours or 8 hours. Select OK to save the update.
    • The Bluetooth duration is deployment activation period for end user devices receiving their profile configuration from the IT admin’s master device. Once the set duration expires, devices cannot enroll with the Knox Deployment App, and the process must be repeated to continue the enrollment of other required devices.
    • NOTE — The Accept automatically option auto accepts pairing requests from enrolling devices. When selected, the pairing dialogue does not display on either the master or receiving device.
      NOTE — The device must remain on for the entire Bluetooth duration, so ensure battery resources are available if selecting a longer duration option.

  4. From the Knox Deployment screen, the admin selects START DEPLOYMENT to initiate the defined Bluetooth Duration interval.
  5. NOTE — As long as the Bluetooth Duration interval is still counting down, and user has not put the application in the background, the device display will not time out.
    NOTE — Bluetooth must be turned on and running on the device to start deployment. If Bluetooth is off, a prompt displays and the admin must select TURN ON to enable Bluetooth.

  6. The device user must go to https://me.samsungknox.com and complete the instructions provided.
  7. The end user then selects FINISH DEPLOYMENT to complete the enrollment.
  8. NOTE — Once completed, the Bluetooth enrolled profile displays within KME with other enrolled profiles. If necessary, refer to the device’s About screen for Knox Deployment App version information and open source license availability.

NFC deployment

Once profiles are set on the master admin device, the IT admin needs sets NFC as the deployment mode. If you are NFC enrolling a device using both KC and KME, use KC first.

To enroll and deploy devices using the KDA NFC option:

  1. From the admin master device, navigate to the SELECT DEPLOYMENT MODE screen and select NFC as the device deployment mode.
  2. NOTE — To deploy, both NFC and Android Beam must be on within the device’s Settings menu.

  3. If setting up a Wi-Fi connection resource for the device, select Wi-Fi for deployed devices, and select either a saved or available network resource for connection. Using Wi-Fi, a device can connect to a specified configured network to communicate externally. The following restrictions apply for the Wi-Fi for deployed devices setting:
    • Only out-of box KME trigger deployments are supported. Trigger deployments utilize a plus sign (+) gesture on a device's Welcome screen to start an out-of-box deployment, and bypass the setup wizard.
    • The receiver device must be utilizing Knox version 3.2 or above
    • Only Note9 and Tab S4 and above devices are supported
    • Not supported on wearable devices
    • Wi-Fi credentials passed to the target device are for WEP, WPA and WPA2.
    NOTE — Both the master and receiver device require an Internet connection (Wi-Fi or cellular) for this feature to work.

  4. Beam enrollment information to the receiving device by holding the admin/master device back-to-back with an NFC enabled and compatible device and then pressing the screen as illustrated below.
  5. Select FINISH DEPLOYMENT on master/admin device once the NFC beam is completed with the end user device.
  6. NOTE — Once completed, the NFC enrolled profile displays within KME with other enrolled profiles. If necessary, refer to the device’s About screen for Knox Deployment App version information and open source license availability.

Wi-Fi Direct deployment

Wi-Fi direct devices can connect directly to each other over a WLAN without a wireless network or Wi-Fi hotspot. Once enabled, the device automatically scans for other supported Wi-Fi direct devices. Once located, specific devices can be identified for data transfers.

NOTE - To successfully enroll in KME using Wi-Fi Direct, the receiver device must be utilizing Knox version 3.2.1 and above or Android P OS and above. Wi-Fi Direct is not supported on wearable devices.

Only out-of-box "trigger" deployments are supported for Wi-Fi Direct device deployments. Trigger deployments utilize a plus sign (+) gesture on a device's Welcome screen to start an out-of-box deployment, and bypass the setup wizard.

To enroll and deploy devices using the KDA Wi-Fi Direct option:

  1. From the admin master device, navigate to the SELECT DEPLOYMENT MODE screen and select Wi-Fi Direct as the device deployment mode.

  1. Once Wi-Fi Direct is selected as the deployment mode, specify whether the Wi-Fi Direct connection is automatic or manual from the following two options:

  • Accept manually - Requires a device user to enter a system generated PIN every time a connection is requested from an enrolling device. This is the default setting, and provides greater security and data protection.
  • Accept automatically - Automatically accept connection requests from enrolling devices.

Both of these Wi-Fi Direct connection options are described in the sections that follow.

Accept connection requests automatically

If wanting to establish an automatic Wi-Fi Direct connection:

  1. Select Accept automatically when prompted from the Select Wi-Fi Direct screen.

  1. Select Connect before the countdown expires to initiate a Wi-Fi Direct connection with the master/admin device. This enables the listed device to share enrollment information via the newly established Wi-Fi Direct connection.
  2. Select FINISH DEPLOYMENT on master/admin device to complete the enrollment date transfer.

Accept connection requests manually

If wanting to establish a manual Wi-Fi Direct connection:

NOTE — A Wi-Fi Direct manual connection requires a PIN be entered correctly before the expiration of a timer. Ensure you correctly document the displayed PIN before pressing Connect to initiate the countdown timer.
  1. Select Accept manually when prompted from the Select Wi-Fi Direct screen.

  1. Document the displayed PIN needed to proceed with the manual Wi-Fi Direct connection.
  2. Select Connect before the countdown expires to proceed. An Accept sharing request screen displays prompting for the required PIN before the countdown timer expires.
  3. Type the required PIN and select Accept. This enables the listed master/admin device to share enrollment information via the newly established Wi-Fi Direct connection.
  4. Select FINISH DEPLOYMENT on master/admin device to complete the enrollment date transfer.