
Profile configuration

Add new profiles, edit existing profiles, and delete obsolete profiles as devices enroll in KME or your requirements change. Before you can enroll devices into KME, you need to create a profile, or edit an existing one, that meets your device enrollment requirements. There is no limit to the number of profiles that can be created and made available for assignment.

When creating a profile in the KME console, the following special characters are not permitted in profile fields: # / $ * % ^ & \ ( ) + ? { } [ ]

To create a profile:

  1. Go to Profiles.
  2. Select CREATE PROFILE, then select the type of profile you would like to create:
    • ANDROID ENTERPRISE — Select this option to choose which out-of-box Android Enterprise enrollment method to use. Profiles of this type manage devices in Device Owner (DO) mode. For more information, go to the Configure an Android Enterprise profile section.
    • DEVICE ADMIN — A legacy management method. Device admin has been superseded since Android 5.0 introduced Device Owner mode, and KME does not support it on Android 11 and later. This profile type offers device settings that DO and PO profiles do not, including skipping the device setup wizard and allowing the device user to cancel enrollment.
  3. Determine the profile type best suited to your deployment needs and refer to one of the following sections:

Configure an Android Enterprise profile

To configure a KME profile supported by Android Enterprise:

NOTE — When using a DO- or PO-supported KME profile with Knox Configure (KC), the KC ProKiosk mode is not supported.
  1. Select ANDROID ENTERPRISE on the Select profile type page.
  2. Set the following BASIC INFORMATION for the profile:
    • Profile Name — Enter an appropriate profile name to distinguish it from others with similar attributes.
    • Description — Optionally provide a 200 character maximum description to further differentiate this profile from others.
  3. Set the following MDM INFORMATION for the profile:
    • Pick your MDM — Select the specific MDM assigned the device owner privilege. Support for fully managed Android devices is available for the following MDMs:
      • Workspace ONE UEM
      • Blackberry UEM
      • Ivanti MobileIron Cloud
      • Wizzy EMM
      • IBM MaaS360
      • SOTI MobiControl
      • Citrix Endpoint Management
      • Ars Nova Systems
      • TinyMDM
      • ManageEngine Endpoint Central
      • Sophos Mobile
      • DeviceMax MDM
      • Microsoft Intune
      • DuoSTATION MDM
      • Snow Software Snow Device Manager
      • ProMDM Enterprise Mobility
      • Samsung Knox Manage
      • Vanguard Vostra
      • Pulsus MDM
      • Mobiltec Cloud4Mobile
      • Mitsogo Hexnode MDM
      • AppTec360 EMM
      • Wenable WeGuard
      • Crypto VoIP MDM
      For information about the enrollment methods utilized by KME supported MDMs, go to MDM enrollment methods.

      If Other is selected, the APK field remains editable for manually entering the path to the APK. For information on supported MDM partners and how to access their own partner support documentation directly from their web pages, see Android Enterprise device owner.

      NOTE — MDMs whose APKs are available through Managed Google Play can be selected, and their URLs are populated in the console dynamically. When a supported MDM is selected, the URL text box displays the correct MDM APK URL. A green checkmark to the right of the MDM Agent APK field indicates that the APK validation succeeded; an error message displays if the selected MDM's APK could not be parsed. The Knox team tests each MDM APK before it is made available for selection.
    • MDM Agent APK — Add one or more MDM apps to download automatically upon device enrollment. The primary APK is the MDM solution component that allows KME to activate Knox licenses for enrolled devices.
    • This MDM APK is locally hosted on an intranet server — Select this option to use an APK resource from within a local company Intranet. This option is disabled by default.
      • Publicly available MDM APK — Select this option to enter the URL of a publicly accessible copy of the same MDM APK you are hosting on your enterprise intranet. By default, Samsung suggests a location based on the MDM you selected, but this can be overridden.
      • Privately available MDM APK — If there is no publicly available exact match, select this option and provide the required information associated with the Intranet hosted MDM APK. This is used for validation during device enrollment, and also to display on the Managed Provisioning page.
        • The Admin component name is expressed as “package name/class name”, for example com.airwatch.androidagent/com.airwatch.agent.DeviceAdministratorReceiver for Workspace ONE UEM.
        • The Admin package signature checksum is the URL-safe Base64 encoding (with - and _ in place of + and /, and without trailing = padding) of the SHA-256 hash of the certificate that signed the MDM APK. This is the same value Android uses for EXTRA_PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM during managed provisioning; see the Android DevicePolicyManager documentation for that extra. Your MDM vendor can supply the value, or you can derive it from the APK's signing certificate with the JDK keytool utility (keytool -printcert -jarfile <agent>.apk), which is available on any platform. The checksum must correspond to the certificate of the APK you actually host; an APK from a different build or signing key will fail validation during enrollment.
        • The MDM app name is the name of the app displayed on the Managed Provisioning page.
        • The App icon is the icon displayed next to the MDM app name. The minimum size is 48 x 48 pixels, and the file format needs to be a PNG file.
    • MDM Server URI — The MDM URI points to the selected MDM's enterprise installation. This portal connects to the URL internally to download specific configurations. Verify you can connect to the MDM before proceeding, as the MDM may be behind a firewall or not available from the public Internet.
  4. Click CONTINUE to proceed to the Android Enterprise profile settings page, where you set the MDM configuration and device settings.
  5. Under MDM CONFIGURATION, enter the Custom JSON Data (as defined by MDM) to pass the MDM setup configuration using the JSON (JavaScript Object Notation) format. Contact your MDM to obtain their JSON template and enterprise specific settings.
    NOTE — If Workspace ONE UEM is selected as the Supported MDM, enter custom JSON data that is recognizable to the MDM. An acceptable format would be as follows:
    {
        "gid": <group id of Workspace ONE UEM tenant>
    }
                        
  6. Use the Root/intermediate certificate field to install CA certificates on devices before EMM enrollment as needed, typically so that the device trusts an MDM server or network endpoint whose certificate was issued by a private CA. Additional certificates can be uploaded after the KME enrollment profile has been created. Select the UPLOAD CERTIFICATE FILE button to upload a supported file type.
    NOTE — The following certificate file formats are supported: CER, PEM, CRT, DER, and CA-BUNDLE (either inside a ZIP file or uploaded directly). The P7B, P7S, P12, and PFX container formats are not supported; export the CA certificates from such a container to PEM first (for example with openssl pkcs7 -print_certs or openssl pkcs12 -nokeys -cacerts). Only CA certificates are supported, not user (end-entity) certificates. On Android 9, root and intermediate certificates are installed in the device's default keystore. On Android 10 and higher, they are installed in the VPN and app keystores as well as the device's default keystore.
  7. (Optional) Select Enable DualDAR to secure the KME enrollment data with two layers of encryption, which applies even when the device is powered off or in an unauthenticated state. Select Enable DualDAR, then click enable to enable this option or cancel to proceed without DualDAR. Once enabled, you can also select Use 3rd party crypto app and select ADD PACKAGE INFORMATION to enter the package name and signature for use with a third-party crypto app. Click SAVE when finished.
    NOTE — To use DualDAR on devices, you need a premium or DualDAR license. Contact your reseller to purchase a DualDAR license. DualDAR is only supported on devices running Knox version 3.4 or higher. As of 22.03, DualDAR compatibility has been expanded and is supported for Samsung Galaxy devices in fully managed mode, starting with the Samsung Galaxy S22. If there is no DualDAR license available or active for the account or the device, the device will be locked within 24 hours of enabling the DualDAR option. Once the device is locked, it is rendered unusable. The only way to unlock the device and make it usable is to reset the device to factory settings. For more information, see DualDAR overview.
  8. To enroll devices with a QR code, select ADD A QR CODE. QR code enrollment, triggered by the plus-sign (+) gesture on the device, is an additional device-side enrollment option alongside the existing Bluetooth, NFC, and Wi-Fi Direct options. QR-code-based enrollment is supported on devices running Android 10 and higher.

    Define the following QR code profile configuration settings downloaded to devices during enrollment:

    • Also allow QR code enrollment for devices not uploaded by a reseller — Select this option if devices that were not uploaded by a reseller must also be able to enroll with this QR code. Leave it cleared if you are concerned that the QR code data, including any Wi-Fi connection details it carries, could be used by unauthorized devices. Once the QR code is generated, this setting also displays on the QR code for this profile page so you can see how it was defined when the code was created.
    • QR code settings — Set whether Wi-Fi data is added to the QR code data by selecting one of the following options:
      • No Wi-Fi network configuration — Select this option to create a QR code with no network data.
      • Add Wi-Fi network configuration to QR code — Select this option to embed the Wi-Fi network's security settings and proxy gateway information in the generated QR code. Anyone who can scan or photograph the code can read these values, so treat the printed code as a credential. When adding Wi-Fi configuration data, optionally select the Use device MAC address option to have an Android 10 device join the network with its factory-encoded hardware MAC address rather than the per-network randomized MAC address Android 10 uses by default, so that access-point MAC filtering or isolation rules can recognise the device. Once the QR code is generated, this setting also displays on the QR code for this profile page so you can see how it was defined. The MAC address also displays on the Device details page as an additional reference. Wi-Fi settings in the QR code take priority over those associated with the device in the profile, because the device must first connect to Wi-Fi through the QR code before it can download the profile information associated with it.
    • SSID name — When adding Wi-Fi network connection data within the QR code, a Service Set Identifier (SSID) is required as a network identifier name. Wireless clients use the SSID to identify and join specific wireless networks. Be sure to provide the correct SSID or the generated Wi-Fi QR code will not work.
    • Security — When adding Wi-Fi network data to the QR code, use the Security drop-down menu to specify the network's security type as None, WEP, or WPA/WPA2. Selecting None embeds no Wi-Fi security data in the generated QR code and is not recommended for private networks. WEP is an obsolete protocol whose keys can be recovered by an attacker in minutes; select it only for a legacy network you cannot change. WPA/WPA2 with a strong passphrase is the recommended choice.
    NOTE — The Samsung Knox team recommends enabling wireless (client) isolation on the network's access point or router when adding a Wi-Fi configuration to a QR code. Wireless isolation prevents a wireless client from reaching other hosts on the local network, so a device enrolling with the QR code credentials is confined to its own connection. The way to enable wireless isolation differs by router or access point manufacturer; refer to the manufacturer's documentation for specific instructions.

    Select ADD when completed to create the QR code used with the profile. Select the newly created link within the Android enterprise profile settings page to review the generated QR code for this profile page and, if necessary, edit or delete the QR code assigned to the enrollment profile.

    Once the QR code is generated, a QR code icon displays on the Profiles page to the right of the PROFILE NAME of the profile the QR code belongs to, and devices enrolled with that code use that profile. The QR code can also be used to trigger enrollment for a device that is pre-assigned to a different profile in the KME console; in that case the QR code icon does not display on the Profiles page for that profile.

  9. Configure the following under DEVICE SETTINGS on the Android enterprise profile settings page:
    • Disable system applications — This option disables the pre-installed system apps on the device-owner managed device, leaving only the limited default set described below available.
    • Leave all system apps enabled — This option keeps all pre-installed system apps enabled and available on the device. If it is not selected, only a limited set of default system apps (My Files, Contacts, Google Play Store) appear in the device's app tray. System apps reside in the device's read-only /system/app partition and cannot be installed or removed by the device user. When using KME with Knox Configure, be careful when clearing the Leave all system apps enabled checkbox, as this may conflict with Knox Configure.
    • Privacy Policy, EULAs and Terms of Service — You can show Knox related EULAs (License EULA) together during initial enrollment to reduce the number of pop-ups. In addition to default EULAs, any enterprise and MDM specific EULAs can be added while creating a profile. Select the Samsung Knox Privacy Policy link to review the specific Privacy Policy text displayed to device users based on their geographic region. If needed, select the ADD LEGAL AGREEMENT button and enter specific Agreement Title and Agreement Text for the profile.
    • Company Name — Specify the MDM organization name displayed at the time of device enrollment.
    • Enrollment screens — Edit this setting to choose the enrollment screens you want shown, such as the setup wizard. By default, the setup wizard is hidden for both the fully managed and work profile on company-owned device modes.
  10. Once enabled, select CREATE to create the device owner supported profile configuration. Refer to the Profiles page to review the newly added profile.
    NOTE — Once created, the device owner supported profile displays on the Profiles page as a link that can be selected to edit the profile's configuration using these same Android enterprise profile details and Android enterprise profile settings pages.
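
The Admin component name and Admin package signature checksum fields in step 3 are easy to get subtly wrong: a checksum pasted in standard Base64 (containing + or / or a trailing =) or a class name that is not fully qualified is only rejected at enrollment time, when the device validates the hosted APK. The following Python is an added example, not code from the KME console, Samsung, or any MDM vendor. It derives the checksum from the APK's DER signing certificate or from the SHA256 fingerprint line that keytool -printcert -jarfile prints, checks that a pasted value has the expected 43-character URL-safe form, and normalises a component name. The sample certificate bytes are constructed and are not a real certificate; the Workspace ONE component name is the one quoted above.

```python
"""Build and check the values KME asks for under "Privately available MDM APK".

Added example; not code from the KME console, Samsung or any MDM vendor.
The Admin package signature checksum (Android's
EXTRA_PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM) is the SHA-256 of the
DER-encoded certificate that signed the MDM agent APK, written with the
URL-safe Base64 alphabet ('-' and '_' rather than '+' and '/') and without
trailing '=' padding. The component name is "package/class".
"""
import base64
import hashlib
import hmac
import re

_PKG = r"[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)+"
COMPONENT_RE = re.compile(rf"^({_PKG})/(\.?[A-Za-z_][A-Za-z0-9_.]*)$")
CHECKSUM_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")   # 32 bytes -> 43 unpadded chars


def checksum_from_cert_der(cert_der: bytes) -> str:
    """Signature checksum from the raw DER signing certificate."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def checksum_from_hex_fingerprint(fingerprint: str) -> str:
    """Convert the 'SHA256: AA:BB:...' line printed by
    `keytool -printcert -jarfile agent.apk` (or a bare hex digest) to KME form."""
    text = fingerprint.strip()
    if text.upper().startswith("SHA256"):
        text = text.split(":", 1)[1]
    raw = bytes.fromhex(text.replace(":", "").replace(" ", ""))
    if len(raw) != 32:
        raise ValueError("expected a 32-byte SHA-256 fingerprint")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def is_wellformed_checksum(checksum: str) -> bool:
    """Reject padded or standard-alphabet variants: they are not the form the field expects."""
    return CHECKSUM_RE.fullmatch(checksum) is not None


def verify_checksum(checksum: str, cert_der: bytes) -> bool:
    """True if checksum is exactly the value for this signing certificate."""
    return hmac.compare_digest(checksum_from_cert_der(cert_der), checksum)


def parse_component(component: str):
    """Split 'package/class' into (package, fully qualified class), expanding the
    '/.Class' shorthand that Android's ComponentName accepts; None if invalid."""
    m = COMPONENT_RE.match(component)
    if not m:
        return None
    pkg, cls = m.group(1), m.group(2)
    if cls.startswith("."):
        cls = pkg + cls
    return pkg, cls


# Constructed sample: stands in for a real DER signing certificate (it is not one).
SAMPLE_CERT_DER = b"\x30\x05\x30\x03\x02\x01\x01"
# The fingerprint line keytool would print for it, built from the same bytes.
SAMPLE_KEYTOOL_LINE = "SHA256: " + ":".join(
    f"{b:02X}" for b in hashlib.sha256(SAMPLE_CERT_DER).digest()
)

if __name__ == "__main__":
    print(checksum_from_cert_der(SAMPLE_CERT_DER))
    print(checksum_from_hex_fingerprint(SAMPLE_KEYTOOL_LINE))
    print(parse_component("com.airwatch.androidagent/com.airwatch.agent.DeviceAdministratorReceiver"))
```

For APKs that carry only a v2/v3 signature, keytool -jarfile may report no certificate; in that case apksigner verify --print-certs prints the signer's certificate SHA-256 digest as bare hex, which checksum_from_hex_fingerprint also accepts. Compute the value from the exact APK file you host on the intranet, not from a vendor download of a different build.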

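Step 6 accepts several certificate encodings but rejects P7B/P7S/P12/PFX containers and user certificates, and the console only tells you so after the upload. The following Python is an added example, not code from the KME console or Samsung, that pre-screens a candidate file offline against the rules in the note: PEM input may contain only CERTIFICATE blocks (a PKCS7 or PRIVATE KEY block means a P7B bundle or a user credential), a zipped CA-BUNDLE is unpacked and each entry checked, and a DER file must be an X.509 certificate rather than a PKCS#7 or PKCS#12 container, which can be told apart because the outer SEQUENCE of a certificate opens with the tbsCertificate SEQUENCE while the containers open with an OID or INTEGER. It does not parse the certificate itself, so still confirm the CA flag with openssl x509 -noout -text. The sample inputs are constructed minimal DER structures, not real certificates.

```python
"""Offline pre-check of a certificate file for the KME Root/intermediate field.

Added example; not code from the KME console or Samsung. Accepted: PEM (CER,
CRT, PEM), DER, CA-BUNDLE, optionally inside a ZIP. Rejected: P7B, P7S, P12,
PFX, and PEM blocks that are not certificates. The check is structural only.
"""
import base64
import io
import re
import zipfile
from dataclasses import dataclass, field

REJECTED_EXTENSIONS = {"p7b", "p7s", "p12", "pfx"}
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


@dataclass
class CheckResult:
    encoding: str                               # "PEM", "DER", "ZIP" or "unknown"
    certificates: int = 0                       # certificate bodies accepted
    problems: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return self.certificates > 0 and not self.problems


def classify_der(der: bytes) -> str:
    """'x509' for SEQUENCE { SEQUENCE tbsCertificate, ... } spanning the whole
    buffer; 'container' when the outer SEQUENCE opens with an OID or INTEGER
    (PKCS#7 ContentInfo, PKCS#12 PFX); 'invalid' otherwise."""
    if len(der) < 3 or der[0] != 0x30:
        return "invalid"
    first = der[1]
    if first < 0x80:                            # short-form length
        header, length = 2, first
    else:                                       # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 3 + n:
            return "invalid"
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if length == 0 or header + length != len(der):
        return "invalid"
    inner_tag = der[header]
    if inner_tag == 0x30:
        return "x509"
    return "container" if inner_tag in (0x06, 0x02) else "invalid"


def check_ca_bundle(data: bytes, filename: str = "bundle.pem") -> CheckResult:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in REJECTED_EXTENSIONS:
        result = CheckResult("unknown")
        result.problems.append(f".{ext} is not accepted; export the CA chain to PEM first")
        return result
    if data.startswith(b"PK\x03\x04"):          # zipped CA-BUNDLE: check every entry
        result = CheckResult("ZIP")
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name.endswith("/"):
                    continue
                inner = check_ca_bundle(zf.read(name), name)
                result.certificates += inner.certificates
                result.problems += [f"{name}: {p}" for p in inner.problems]
        return result
    if b"-----BEGIN" in data:
        result = CheckResult("PEM")
        for kind, body in PEM_BLOCK.findall(data.decode("ascii", "replace")):
            if kind != "CERTIFICATE":           # PKCS7 bundle, private key, CSR, ...
                result.problems.append(f"unsupported PEM block type: {kind}")
                continue
            try:
                der = base64.b64decode(re.sub(r"\s+", "", body), validate=True)
            except ValueError:
                result.problems.append("CERTIFICATE block is not valid Base64")
                continue
            shape = classify_der(der)
            if shape == "x509":
                result.certificates += 1
            else:
                result.problems.append(f"CERTIFICATE block body is {shape}, not X.509 DER")
        return result
    result = CheckResult("DER")
    shape = classify_der(data)
    if shape == "x509":
        result.certificates = 1
    else:
        result.problems.append(f"{shape} DER structure, not an X.509 certificate")
    return result


# Constructed samples (not real certificates): the smallest byte strings with the
# right outer shape for each case.
FAKE_CA_CERT_DER = bytes.fromhex("30053003020101")    # SEQUENCE { SEQUENCE { INTEGER 1 } }
FAKE_PKCS7_DER = bytes.fromhex("300506032a8648")      # SEQUENCE { OID ... }


def pem(kind: str, der: bytes) -> bytes:
    return (f"-----BEGIN {kind}-----\n".encode() + base64.encodebytes(der)
            + f"-----END {kind}-----\n".encode())


def zipped(name: str, content: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, content)
    return buf.getvalue()


SAMPLE_CA_BUNDLE = pem("CERTIFICATE", FAKE_CA_CERT_DER) * 2                  # two CA certs
SAMPLE_USER_CREDENTIAL = pem("PRIVATE KEY", b"\x30\x00") + pem("CERTIFICATE", FAKE_CA_CERT_DER)
SAMPLE_ZIP = zipped("chain.ca-bundle", SAMPLE_CA_BUNDLE)
```

Run check_ca_bundle on the bytes of the file you intend to upload, passing its filename so the extension rule applies; a result with problems lists why KME would reject it, and the certificates count tells you how many CA certificates the upload actually carries.
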
Configure a device admin profile

To configure a device admin supported KME profile:

NOTE — Device admin supported KME profiles are not supported on devices running Android 11 and above.
  1. Select the DEVICE ADMIN option on the Select profile type page.
  2. Provide the following BASIC INFORMATION for the DA profile:
    • Profile Name — Enter an appropriate profile name to distinguish it from others with similar attributes.
    • Description — Optionally provide a 200 character maximum description to further differentiate this profile from others.
  3. Set the following MDM INFO for the DA profile:
    • MDM Server URI — The MDM URI points to the selected MDM's enterprise installation. This portal connects to the URL internally to download specific configurations. Verify you can connect to the MDM before proceeding, as the MDM may be behind a firewall or not available from the public Internet.
    • Server URI is not required for my MDM — Select this option if you either do not need to point to the MDM's enterprise installation or are unable due to connection restraints.
  4. Click CONTINUE to proceed.
  5. Set the following MDM CONFIGURATION settings on the Device Admin profile settings page:
    • MDM Agent APK — Select this option to add one or more MDM applications to be downloaded automatically upon device enrollment when first connecting to Wi-Fi. The primary APK is the MDM solution component allowing KME to activate and utilize Knox licenses for enrolled devices.
    • Custom JSON Data (as defined by MDM) — Enter the Custom JSON Data (as defined by MDM) to pass the MDM setup configuration using the JSON (JavaScript Object Notation) format. Contact your MDM to obtain their JSON template and enterprise specific settings.
  6. Set the following enrollment, legal, and support information under DEVICE SETTINGS:
    • Skip Setup Wizard — Unselect this option to send the device user through the Setup Wizard. When selected, the device user skips the many setup wizard screens and can start the enrollment process much faster. This setting is selected by default. The US implementation has (Option not currently available on all AT&T devices) appended to the checkbox.
    • Allow end user to cancel enrollment — Selecting this option permits an end-user to cancel enrollment on their device. Leaving this setting unselected enables mandatory device enrollment. The skip setup wizard option functions independently from end-user enrollment cancellation, and both can be enabled at the same time.
    • Privacy Policy, EULAs and Terms of Service — IT admins can show Knox related EULAs (License EULA) together during initial enrollment to reduce the number of pop-ups. In addition to default EULAs, any enterprise and MDM specific EULAs can be added while creating a profile. Select the Samsung Knox Privacy Policy link to review the specific Privacy Policy text displayed to device users based on their geographic region. If needed, select the ADD LEGAL AGREEMENT button to enter the Agreement Title and Agreement Text.
    • Support contact details — Select ADD to update the Company Name, Company Address, Contact phone number, and Contact email address displayed on the device upon successful enrollment. If necessary, select Save as default support contact details to use this same information as the default contact information. If DO or PO support is enabled for the profile, only the Customer Name is editable, and the remaining parameters are greyed out.
    • Associate a Knox license with this profile — Select this option to pass the Knox license key directly to the intended device for easier Knox profile configuration.
  7. Once enabled, select CREATE to create the device admin supported profile configuration. Refer to the Profiles page to review the newly added profile.
    NOTE — Once created, the device admin supported profile displays on the Profiles page as a link that can be selected to edit the profile's configuration using these same Device Admin profile details and Device Admin profile settings pages.

Delete or clear profile(s)

Enrollment profiles can be permanently removed from the KME console as they become obsolete, or cleared in bulk when you want to remove several profiles in one operation.

NOTE — Profiles with assigned devices cannot be deleted until those devices are reassigned to a different profile.

Delete a single profile

To delete an individual profile:

  1. Go to Profiles.
  2. Select the checkbox of the profile you intend to delete from the KME console.
  3. Click DELETE PROFILE.
  4. The Delete profile? dialog displays, listing the selected profile. Click DELETE to proceed with the removal.

Profile QR code assignment

QR code gesture enrollment is a fourth device-side enrollment option for devices running Android 10 and higher, in addition to the existing Bluetooth, NFC, and Wi-Fi Direct options. A QR code is a two-dimensional matrix barcode that encodes the enrollment data for the profile it is attached to.

The QR code enrollment process begins with the plus-sign (+) gesture on the device, which activates the camera in QR code recognition mode. Once a QR code is recognized, a Wi-Fi connection is made and enrollment begins. If the QR code carries no Wi-Fi credentials, the device user is prompted to provide them, because these are the Wi-Fi credentials used during device enrollment in Device Owner (DO) mode.

Review existing profile QR code assignments

To review existing device QR code assignments:

  1. Go to Profiles.
  2. Select the QR code icon to the right of a listed PROFILE NAME to review the QR code assignment for that profile.
  3. Review the Wi-Fi network configuration option, which shows whether Android 10 devices will join the Wi-Fi network with their default randomized MAC address or with the factory hardware MAC address, as chosen when the QR code was created. Select it to permit the allowed devices to connect to your Wi-Fi network.
  4. Click DOWNLOAD to save the QR code configuration. Click PRINT to open a separate dialog where the QR code print settings can be adjusted before the code is printed.
  5. Click OK to close the QR code for this profile page and return to the Profiles page.

Add a QR code to an existing profile

An existing DO profile without a QR code can be modified to include one as needed. For information on configuring a new DO profile with QR code support, see Configure an Android Enterprise profile above.

To add a QR code to an existing DO profile:

  1. Go to Profiles.
  2. Select the PROFILE NAME of a profile without a QR code. Only DO profiles support QR codes.
  3. Click CONTINUE.
  4. Click ADD A QR CODE.
  5. Add the following QR code profile configuration settings to the existing DO profile:
    • Also allow QR code enrollment for devices not uploaded by a reseller — Select this option if devices that were not uploaded by a reseller must also be able to enroll with this QR code. Leave it cleared if you are concerned that the QR code data, including any Wi-Fi connection details it carries, could be used by unauthorized devices.
    • QR code settings — Set whether Wi-Fi data is added to the QR code data by selecting one of the following options:
      • No Wi-Fi network configuration — Select this option to create a QR code with no network data.
      • Add Wi-Fi network configuration to QR code — Select this option to embed the Wi-Fi network's security settings and proxy gateway information in the generated QR code. Anyone who can scan or photograph the code can read these values, so treat the printed code as a credential. When adding Wi-Fi configuration data, optionally select the Use phone MAC address option to have the device join the network with its factory-encoded hardware MAC address rather than a randomized one, so that access-point MAC filtering or isolation rules can recognise the device. The MAC address also displays on the Device details screen as an additional reference. Wi-Fi settings in the QR code take priority over those associated with the device in the profile, because the device must first connect to Wi-Fi through the QR code before it can download the profile information associated with it.
    • SSID name — When adding Wi-Fi network connection data within the QR code, a Service Set Identifier (SSID) is required as a network identifier name. Wireless clients use the SSID to identify and join specific wireless networks. Be sure to provide the correct SSID or the generated Wi-Fi QR code will not work.
    • Security — When adding Wi-Fi network data to the QR code, use the Security drop-down menu to specify the network's security type as None, WEP, or WPA/WPA2. Selecting None embeds no Wi-Fi security data in the generated QR code and is not recommended for private networks. WEP is an obsolete protocol whose keys can be recovered by an attacker in minutes; select it only for a legacy network you cannot change. WPA/WPA2 with a strong passphrase is the recommended choice.
  6. Select ADD to create the QR code used with the existing profile. Once created, a QR code access icon displays on the Profiles page. Select the link to review the generated QR code for this profile page and, if necessary, edit or delete the QR code assigned to the enrollment profile.