MDM enrollment methods

Fully managed device MDM enrollment

Device owner (DO) is a privilege granted to an MDM to apply policies to an Android Enterprise device during setup and enrollment. Using Knox Mobile Enrollment, IT admins and device users can create an MDM profile and let the MDM agent install as a DO on devices running Knox 2.8 and higher.

For information on supported DO MDM partners and how to access their own partner support documentation directly from their websites, see Android Enterprise device owner. For information about configuring a DO-supported KME enrollment profile, see create a profile.

Legacy device admin MDM enrollment matrix

The table below displays device admin (DA) enrollment methods used by KME-supported MDMs. Keep in mind that DA is a legacy implementation and shouldn't be deployed on devices that support Android Enterprise.

For information configuring a DA supported KME enrollment profile, go to: create a profile.

The feature descriptions for listed MDMs are as follows:

  • End user credential entry – A KME admin can associate both a username and password/secret with device(s) in the KME portal. If no pass through is supported for a particular MDM, the device user may be prompted to enter credentials directly. However, these are associated with user info stored by the MDM, and not KME.

  • Username pass through – The username assigned to the device(s) in KME is automatically passed through to the MDM. The MDM may still prompt the device user for a password/secret for validation, depending on how it has been configured.

  • Full credential pass through – Both the username and password/secret assigned to the device(s) in KME are automatically passed through to the MDM. There is no need for the device user to be prompted for credentials (use name and password/secret) to be validated.