Profile configuration

Add new profiles, edit existing profiles and delete obsolete profiles as required as devices enroll in KME or require update. Before you can enroll devices into KME, you need to create a profile or edit an existing profile to meet your specific device enrollment requirements. There are no limits to the number of profiles that can be created and made available for assignment.

When creating a profile within the KME console, the following special characters are not permitted (# / $ * % ^ & \ ( ) + ? { } [ ] ).

To create a profile:

  1. Select MDM Profiles from the left-hand navigation menu.
  2. Select the CREATE PROFILE button from the top right-hand side of the MDM Profiles screen. A screen displays prompting the admin to choose one of the two following profile types:
  • ANDROID ENTERPRISE - Select this option to choose what type of out-of-box Android Enterprise enrollment method to use. When selected, manage devices using either the Device Owner (DO) mode or Profile Owner (PO) mode, as long as PO mode is supported by the selected MDM. This is accomplished via the profile configuration option to let the MDM choose to enroll as DO or PO. DO mode is supported on devices running Knox 2.8 or later, while PO mode is supported on devices running Android 10 or later. For more information, go to: Configure an Android Enterprise profile.
  • DEVICE ADMIN - A profile management method that has been rendered legacy since the introduction of Android's device owner in Android 5.0, and is now obsolete with Android 11 and later deployments. This profile configuration option has device setting options not available for DO and PO profiles, including the options to skip the device setup wizard and to allow the end user to cancel enrollment.

Determine the profile type best suited to your deployment needs and refer to one of the following sections:

Configure an Android Enterprise profile

To configure an Android Enterprise supported KME profile:

NOTE - If using a DO or PO supported KME profile with Knox Configure (KC), the KC ProKiosk mode is not supported.
  1. Select the ANDROID ENTERPRISE option from within the Select profile type screen.
  2. Set the following BASIC INFORMATION for the profile:
  • Profile Name - Enter an appropriate profile name to distinguish it from others with similar attributes.
  • Description - Optionally provide a 200 character maximum description to further differentiate this profile from others.
  3. Set the following MDM INFORMATION for the profile:
NOTE - Android Enterprise device owner mode (Fully Managed Device) support is currently limited to Workspace ONE UEM, BlackBerry, MobileIron, IBM MaaS360, SOTI, Citrix, ManageEngine, Sophos Mobile, Microsoft Intune, DuoSTATION, Snow Software, Knox Manage, Samsung SDS EMM, FAMOC, 42Gears, Chimpa, Proget, Miradore, Matrix42, Cortado, and TinyMDM. Samsung anticipates additional MDM partners will follow suit in short order. For more information, contact your MDM directly. For information about the enrollment methods utilized by KME supported MDMs, go to: MDM enrollment methods.
  • Force Device Owner Enrollment - When selected, the admin is shown the Android Enterprise profile settings screen with settings for configuring a DO supported enrollment profile. If not selected, the admin is still shown the Android Enterprise profile settings screen (for devices running Android 10 or later) to let the MDM optionally enroll as a PO (Profile Owner). Profiles created before this most recent release are set to Force Device Owner enrollment, and a new profile also uses this setting by default. For information on the latest Android support, go to: What's new for Android in the enterprise.
  • Let MDM choose to enroll as a Device Owner or Profile Owner - If your MDM supports out-of-box work profile creation via PO mode, select this option and configure PO profile enrollment settings for Android 10 and above devices.
  • Pick your MDM - Use the drop-down menu to select the specific MDM assigned the device owner privilege. If Other is selected, the APK field remains editable for manually entering the path to the APK. For information on supported MDM partners and how to access their own partner support documentation directly from their Websites, go to: Android Enterprise device owner.
NOTE - MDMs with APKs available at Google Managed Play can be selected and their URLs populated within the console dynamically. When a supported MDM is selected, the URL text box displays with the correct MDM APK URL. A green checkmark to the right of the MDM Agent APK field lets an admin know the APK validation was successful. An error message displays if the selected MDM's APK could not be successfully parsed. The Knox team tests each MDM APK before it is made available for selection.
  • MDM Agent APK - Add one or more MDM applications downloaded automatically upon device enrollment. The primary APK is the MDM solution component allowing Knox Mobile Enrollment to activate and utilize Knox licenses for enrolled devices.
  • This MDM APK is locally hosted on an Intranet server - Select this option to use an APK hosted within your local company Intranet instead of an externally hosted MDM agent APK. This option is disabled by default.
    • Publicly available MDM APK - Select this option to display a field for entering the URL of a publicly accessible copy of the exact same MDM APK you are hosting within your local company Intranet. By default, Samsung suggests a location based on the MDM name you may have previously selected, but this can be overwritten.
    • Privately available MDM APK - If there is no publicly available exact match, select Privately available MDM APK and provide the required information associated with the Intranet hosted MDM APK. This is used for validation during device enrollment, and also to display on the Managed Provisioning screen.
      • The Admin component name is expressed as “package name/class name”. For example, com.airwatch.androidagent/com.airwatch.agent.DeviceAdministratorReceiver for Workspace ONE UEM.
      • The Admin package signature checksum is the URL-safe Base64 encoding of the SHA-256 hash of the MDM APK signature. You can get this value from your MDM. Go here for information on the EXTRA_PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM. Alternatively, you can use utilities such as Keytool on Linux to get this value. Go here for additional information.
      • The MDM app name is the name of the app displayed on the Managed Provisioning screen.
      • The App icon is the icon displayed next to the MDM app name. The minimum size is 48 x 48 pixels, and the file format needs to be a PNG file.
  • MDM Server URI - The MDM URI points to the selected MDM's enterprise installation. This portal connects to the URL internally to download specific configurations. Verify you can connect to the MDM before proceeding, as the MDM may be behind a firewall or not available from the public Internet.
  4. Select the CONTINUE button to proceed to the Android Enterprise profile settings screen to set the MDM configuration and device settings. The CONTINUE button is only enabled once each required field in the Android Enterprise profile details screen is successfully populated.
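As an added example (not code from the Knox documentation or from any MDM vendor), the following Python derives the value the Admin package signature checksum field expects from either the DER bytes of the APK signing certificate or the SHA256 fingerprint line printed by keytool, and checks that a value about to be pasted into the field uses the URL-safe, unpadded encoding Android requires. The certificate bytes and keytool output are constructed stand-ins, not a real certificate.

```python
"""Compute and sanity-check the admin package signature checksum.

The checksum is SHA-256 over the MDM APK's signing certificate (DER bytes),
base64-encoded with the URL-safe alphabet and without '=' padding, which is
the form Android expects in EXTRA_PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM.
"""
import base64
import hashlib
import re

# 32 bytes -> 43 base64 characters once padding is stripped.
CHECKSUM_RE = re.compile(r"[A-Za-z0-9_-]{43}")
# Matches the "SHA256: AA:BB:...:FF" line printed by keytool -printcert.
KEYTOOL_SHA256_RE = re.compile(r"SHA256:\s*((?:[0-9A-Fa-f]{2}:){31}[0-9A-Fa-f]{2})")


def encode_checksum(digest: bytes) -> str:
    """URL-safe base64 without padding, as used in the provisioning extras."""
    if len(digest) != 32:
        raise ValueError("expected a 32-byte SHA-256 digest")
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def checksum_from_cert_der(cert_der: bytes) -> str:
    """Checksum computed directly from the signing certificate's DER bytes."""
    return encode_checksum(hashlib.sha256(cert_der).digest())


def hex_fingerprint(cert_der: bytes) -> str:
    """keytool-style SHA256 fingerprint: colon-separated upper-case hex."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(cert_der).digest())


def checksum_from_hex_fingerprint(fingerprint: str) -> str:
    """Convert a `keytool -printcert -jarfile app.apk` SHA256 line to the checksum."""
    return encode_checksum(bytes.fromhex(fingerprint.replace(":", "").strip()))


def parse_keytool_sha256(keytool_output: str) -> str:
    """Pull the SHA256 fingerprint out of raw keytool output."""
    match = KEYTOOL_SHA256_RE.search(keytool_output)
    if not match:
        raise ValueError("no SHA256 fingerprint found in keytool output")
    return match.group(1)


def is_valid_checksum(value: str) -> bool:
    """Reject standard-alphabet base64 ('+', '/'), padding, or a wrong length."""
    return CHECKSUM_RE.fullmatch(value) is not None


# Constructed stand-in for a signing certificate (a minimal DER SEQUENCE,
# not a real X.509 certificate) so the example runs offline.
SAMPLE_CERT_DER = bytes.fromhex("3003020105")
# Constructed keytool output; the fingerprint line is derived from the stand-in.
SAMPLE_KEYTOOL_OUTPUT = (
    "Signer #1:\n"
    "Certificate fingerprints:\n"
    f"\t SHA256: {hex_fingerprint(SAMPLE_CERT_DER)}\n"
)

if __name__ == "__main__":
    fingerprint = parse_keytool_sha256(SAMPLE_KEYTOOL_OUTPUT)
    checksum = checksum_from_hex_fingerprint(fingerprint)
    print("fingerprint:", fingerprint)
    print("checksum   :", checksum, "(valid)" if is_valid_checksum(checksum) else "(invalid)")
```

Both derivations must agree; if the value your MDM supplied fails is_valid_checksum, it was most likely produced with standard base64 (containing '+', '/' or '=') and will not validate during enrollment.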

  5. From the MDM CONFIGURATION field, enter the Custom JSON Data (as defined by MDM) to pass the MDM setup configuration using the JSON (JavaScript Object Notation) format. Contact your MDM to obtain their JSON template and enterprise specific settings. For more information about JSON and related technology, go to http://json.org.
NOTE - If Workspace ONE UEM is selected as the Supported MDM, enter custom JSON data that is recognizable to the MDM. An acceptable format would be as follows:
    {
      "gid": <group id of Workspace ONE UEM tenant>
    }
  6. Refer to the Root/intermediate certificate field to install certificates on devices prior to EMM enrollment as needed. Additional certificates can be downloaded and installed after KME enrollment profile creation. Select the UPLOAD CERTIFICATE FILE button to upload a supported file type. Once successfully uploaded, the certificate name displays in place of the UPLOAD CERTIFICATE FILE button.
NOTE - The following certificate types are supported: .cer, .pem, .crt, .der, and .ca-bundle (either inside a ZIP file or applied directly), while .p7b, .p7s, .p12, and .pfx file types are not supported. Additionally, CA certificates are supported, not User certificates. Keep in mind that on Android 9 root and intermediate certificates are installed in the device default keystore. On Android 10 and greater, root and intermediate certificates are installed in the VPN and App keystores as well as the device default keystore.
  7. Optionally enable Dual DAR to secure KME enrollment data with two layers of encryption, even when the device is powered off or in an unauthenticated state. Once enabled, optionally select Use 3rd party crypto app and ADD PACKAGE NAME AND SIGNATURE to enter the package name and signature for use with a 3rd party crypto app. Select SAVE when completed.
NOTE - Dual DAR is only supported on devices running Knox version 3.4 or higher. For an overview on Dual DAR, go to: Dual DAR overview.
  8. Refer to the QR code for enrollment setting and select ADD A QR CODE to optionally generate a QR code to enroll devices with this profile during out-of-box enrollment. QR code plus-sign (+) gesture enrollment is an additional device-side enrollment option alongside the existing Bluetooth, NFC, and Wi-Fi Direct options. A QR code is a unique matrix barcode containing information about its attached item.
NOTE - QR code based enrollment is supported on Android 10 devices only.

Define the following QR code profile configuration settings downloaded to devices during enrollment:

  • Also allow QR code enrollment for devices not uploaded by a reseller - Select this option if you anticipate the need to upload devices from non-resellers. Do not select if there are concerns about unauthorized usage of the QR code data to manipulate Wi-Fi connection data. Once the QR code is generated, this setting also displays within the QR code for this profile screen to display how this setting was defined prior to QR code generation.
  • QR code settings - Set whether Wi-Fi data is added to the QR code data by selecting one of the following options:
    • No Wi-Fi network configuration - Select this option to create a QR code with no network data.
    • Add Wi-Fi network configuration to QR code - Select this option to include security data and proxy traffic gateway information within the generated QR code content. If adding Wi-Fi network configuration data, optionally select the Use device MAC address option to include an Android 10 device's factory encoded hardware MAC address within the QR code's Wi-Fi MAC address. Once the QR code is generated, this setting also displays within the QR code for this profile screen to display how this setting was defined prior to QR code generation. The MAC address also displays within the Device details screen as an additional device MAC address reference point. Wi-Fi settings in the QR code take priority over those associated with the device in the profile, since you first need to connect to Wi-Fi via the QR code before downloading the profile information associated with the device.
  • SSID name - If adding Wi-Fi network connection data within the QR code, a Service Set Identifier (SSID) is required as a network identifier name. Wireless clients use the SSID to identify and join specific wireless networks. Be sure to provide the correct SSID or the generated Wi-Fi QR code will not work.
  • Security - If adding Wi-Fi network data within the QR code, use the Security drop-down menu to specify connection security as either None, WEP, or WPA/WPA2. Selecting None provides no Wi-Fi network security data within the generated QR code, and is not recommended for private networks. WEP provides a somewhat effective passphrase, while WPA/WPA2 is a more secure passphrase using harder-to-crack protocols.
NOTE - The Samsung Knox team recommends enabling wireless isolation on the network's access point or router when adding a Wi-Fi configuration to a QR code. Enabling wireless isolation restricts a wireless computer from accessing other computers connected to the local network, effectively isolating that device on the network. The means to enable wireless isolation differs depending on the router or access point manufacturer. Refer to the documentation available from the manufacturer for their specific instructions on enabling wireless isolation.

Select ADD when completed to create the QR code used with the profile. Select the newly created link within the Device Owner profile setting screen to review the generated QR code for this profile screen and, if necessary, edit or delete the QR code assigned to the enrollment profile.

Once the QR code is generated, a QR code icon displays within the MDM Profiles screen, to the right of the PROFILE NAME, if enrollment was from the profile contained in the actual QR code. The QR code can also be used as an enrollment trigger if the device is pre-assigned to a different profile from the KME console. However, in this case the QR code icon does not display within the MDM Profiles screen.

  9. Set the following from within the DEVICE SETTINGS field in the middle of the Device Owner profile settings screen:
  • Disable system apps - Select this checkbox to ensure all apps are disabled and unavailable to the device owner supported profile.
  • Leave all system apps enabled - Select this checkbox to ensure all pre-installed system apps are enabled and available to the profile. If this option is not selected, only a limited set of default system apps (My Files, Contacts, Google Play Store) display in the device's apps tray. System apps reside within the device's /system/app read-only folder and cannot be installed or removed by the device user. When using KME with Knox Configure, be careful when unchecking the Leave all system apps enabled checkbox, as this may lead to conflicts with Knox Configure.
  • Privacy Policy, EULAs and Terms of Service - IT admins can show Knox related EULAs (License EULA) together during initial enrollment to reduce the number of pop-ups. In addition to default EULAs, any enterprise and MDM specific EULAs can be added while creating a profile. Select the Samsung Knox Privacy Policy link to review the specific Privacy Policy text displayed to device users based on their geographic region. If needed, select the ADD LEGAL AGREEMENT button and enter a specific Agreement Title and Agreement Text for the profile.
  • Company Name - Specify the MDM organization name displayed at the time of device enrollment.
  10. Once configured, select the CREATE button to create the device owner supported profile configuration. Refer to the MDM Profiles screen to review the newly added profile.
NOTE - Once created, the device owner supported profile displays within the MDM Profiles screen as a link that can be selected to edit the profile's configuration using these same Device owner profile details and Device owner profile settings screens.

Configure a device admin profile

To configure a device admin supported KME profile:

NOTE - Device admin supported KME profiles are not supported with Android 11 and above supported devices.
  1. Select the DEVICE ADMIN option from within the Select profile type screen.
  2. Provide the following BASIC INFO for the DA profile:
  • Profile Name - Enter an appropriate profile name to distinguish it from others with similar attributes.
  • Description - Optionally provide a 200 character maximum description to further differentiate this profile from others.
  3. Set the following MDM INFO for the DA profile:
  • MDM Server URI - The MDM URI points to the selected MDM's enterprise installation. This portal connects to the URL internally to download specific configurations. Verify you can connect to the MDM before proceeding, as the MDM may be behind a firewall or not available from the public Internet.
  • Server URI is not required for my MDM - Select this option if you either do not need to point to the MDM's enterprise installation or are unable to due to connection restrictions.
  4. Select the CONTINUE button to proceed. The CONTINUE button only becomes enabled once all the required fields are successfully populated.
  5. Set the following MDM CONFIGURATION settings on the Device Admin profile settings screen:
  • MDM Agent APK - Select this option to add one or more MDM applications downloaded automatically upon device enrollment when first connecting to Wi-Fi. The primary APK is the MDM solution component allowing KME to activate and utilize Knox licenses for enrolled devices.
  • Custom JSON Data (as defined by MDM) - Enter the Custom JSON Data (as defined by MDM) to pass the MDM setup configuration using the JSON (JavaScript Object Notation) format. Contact your MDM to obtain their JSON template and enterprise specific settings. For more information about JSON and related technology, go to http://json.org.
  6. Set the following enrollment, legal, and support information from within the DEVICE SETTING field in the middle of the screen:
  • Skip Setup Wizard - Unselect this option to send the device user through the Setup Wizard. When selected, the device user skips the many setup wizard screens and can start the enrollment process much faster. This setting is selected by default. The US implementation has (Option not currently available on all AT&T devices) appended to the checkbox.
  • Allow end user to cancel enrollment - Selecting this option permits an end user to cancel enrollment on their device. Leaving this setting unselected enables mandatory device enrollment. The Skip Setup Wizard option functions independently from end-user enrollment cancellation, and both can be enabled at the same time.
  • Privacy Policy, EULAs and Terms of Service - IT admins can show Knox related EULAs (License EULA) together during initial enrollment to reduce the number of pop-ups. In addition to default EULAs, any enterprise and MDM specific EULAs can be added while creating a profile. Select the Samsung Knox Privacy Policy link to review the specific Privacy Policy text displayed to device users based on their geographic region. If needed, select the ADD LEGAL AGREEMENT button to enter the Agreement Title and Agreement Text.
  • Support contact details - Select the EDIT button to update the Company Name, Company Address, Support Phone Number, and Support Email Address displayed on the device upon successful enrollment. If necessary, select Save as default support contact details to use this same information as the default contact information. If DO or PO support is enabled for the profile, then only the Customer Name is editable, and the remaining parameters are greyed out.
  • Associate a Knox license with this profile - Select this option to pass the Knox license key directly to the intended device for easier Knox profile configuration.
  7. Once configured, select the CREATE button to create the device admin supported profile configuration. Refer to the MDM Profiles screen to review the newly added profile.
NOTE - Once created, the device admin supported profile displays within the MDM Profiles screen as a link that can be selected to edit the profile's configuration using these same Device admin profile details and Device admin profile settings screens.

Delete or clear profile(s)

Enrollment profiles can be permanently removed from the KME console as they become obsolete, or bulk cleared if you want to remove multiple profiles in one operation.

NOTE - Profiles with assigned devices cannot be deleted until the devices are applied to a different profile.

Delete a single profile

To delete an individual existing profile:

  1. Select MDM Profiles from the left-hand navigation menu and select the existing profile you would like to delete.
  2. Select the checkbox of a listed profile you intend to delete from the KME console.
  3. Select the DELETE PROFILE button.
  4. The Delete profile? screen displays listing the selected profile. Select DELETE to proceed with the removal.

Delete or clear profiles from devices in bulk

To clear profiles in bulk from the KME console with a properly formatted CSV file:

NOTE - Once deleted, you can only retrieve the devices again by contacting your reseller.
  1. Select the BULK ACTIONS button from the lower left-hand side of the KME console.
  2. If unsure about how to create a CSV file, select the View instructions link under the BULK DELETE option and review the instructions for creating a properly formatted CSV file for bulk device deletions. Select the GOT IT button when finished to navigate to the Bulk Delete screen.
  3. Browse to the location of the CSV file containing the device IDs requiring removal.
  4. Select SUBMIT to initiate the deletion of the device IDs within the CSV file.

Profile QR code assignment

QR code gesture enrollment is a fourth device-side enrollment option for Android 10 devices, in addition to the existing Bluetooth, NFC, and Wi-Fi Direct options. A QR code is a unique matrix style barcode containing information about its attached item.

The QR code enrollment process begins with a device plus-sign (+) gesture that activates the device's camera in QR code recognition mode. Once a QR code is recognized, a Wi-Fi connection is made and enrollment begins. If there are no Wi-Fi credentials within the QR code, then the device user is prompted to provide them, as these are the Wi-Fi credentials used during device enrollment in Device Owner (DO) mode.

Review existing profile QR code assignments

To review existing device QR code assignments:

  1. Select MDM Profiles from the left-hand navigation menu.
NOTE - A QR code icon displays to the right of the PROFILE NAME if enrollment was from the profile contained in the actual QR code. The QR code can also be used as an enrollment trigger if the device is pre-assigned to a different profile from the KME console. However, in this case the QR code icon does not display.
  2. Select the QR code icon to the right of a listed PROFILE NAME to review the QR code assignment for a selected profile with a QR code configuration applied.
  3. Select the Wi-Fi network configuration option to permit Android 10 devices to connect to a Wi-Fi network by default, using a randomized device MAC address. Select this option to permit allowed devices to securely connect to your Wi-Fi network.
  4. Select DOWNLOAD to archive the QR code configuration. Select PRINT to display a separate dialogue where the QR code print configuration can be modified before the QR code is printed.
  5. Select OK to close the QR code for this profile screen and return to the MDM Profiles screen.

Add a QR code to an existing profile

An existing DO profile without a QR code can be modified to include a QR code as needed. For information on configuring a new DO profile for QR code support, go to: create profiles.

To add a QR code to an existing DO profile:

  1. Select MDM Profiles from the left-hand navigation menu.
  2. Select the PROFILE NAME of a profile without a QR code. Only DO profiles support QR codes.
  3. Select CONTINUE from the Android Enterprise profile settings screen to proceed.
  4. Select the ADD A QR CODE button from the lower left-hand side of the screen.
  5. Add the following QR code profile configuration settings to the existing DO profile:
  • Also allow QR code enrollment for devices not uploaded by a reseller - Select this option if you anticipate the need to upload devices from non-resellers. Do not select if there are concerns about unauthorized usage of the QR code data to manipulate Wi-Fi connection data.
  • QR code settings - Set whether Wi-Fi data is added to the QR code data by selecting one of the following options:
    • No Wi-Fi network configuration - Select this option to create a QR code with no network data.
    • Add Wi-Fi network configuration to QR code - Select this option to include security data and proxy traffic gateway information within the generated QR code content. If adding Wi-Fi network configuration data, optionally select the Use phone MAC address option to include the device's factory encoded hardware MAC address within the QR code's Wi-Fi MAC address. The MAC address also displays within the Device details screen as an additional device MAC address reference point. Wi-Fi settings in the QR code take priority over those associated with the device in the profile, since you first need to connect to Wi-Fi via the QR code before downloading the profile information associated with the device.
  • SSID name - If adding Wi-Fi network connection data within the QR code, a Service Set Identifier (SSID) is required as a network identifier name. Wireless clients use the SSID to identify and join specific wireless networks. Be sure to provide the correct SSID or the generated Wi-Fi QR code will not work.
  • Security - If adding Wi-Fi network data within the QR code, use the Security drop-down menu to specify connection security as either None, WEP, or WPA/WPA2. Selecting None provides no Wi-Fi network security data within the generated QR code, and is not recommended for private networks. WEP provides a somewhat effective passphrase, while WPA/WPA2 is a more secure passphrase using harder-to-crack protocols.
  6. Select ADD to create the QR code used with the existing profile. Once created, a QR code access icon displays within the MDM Profiles screen. Select the link to review the generated QR code for this profile screen and, if necessary, edit or delete the QR code assigned to the enrollment profile.