Enroll and unenroll devices

This section covers how to enroll and unenroll devices using KME. In addition to the information described in this topic, a device can be enrolled using the Knox Deployment App (KDA) to either enroll a device using Bluetooth, NFC or Trigger based enrollment. For more information, go to: Using the Knox Deployment App (KDA).

Enroll your devices

Samsung recommends a viable device enrollment plan, as an IT department can become overwhelmed with time-consuming, monotonous tasks that, by themselves, add little value to the organization. An enrollment program helps an organization's IT administrator account for all the devices proliferating their enterprise, and ensure the devices do not introduce security risks through configuration vulnerabilities and malware because they lack aggressive security controls.

IT admins can enroll up to 10,000 devices using Knox Mobile Enrollment. If your enterprise needs to enroll more than 10,000, contact Samsung Knox Support.

IT admins can provide end users with the following instructions to complete device enrollment:

  1. For out of box enrollment, turn on your device and connect to the Internet.
  2. When you receive a prompt to Enroll with Knox, tap Continue. If you have any questions or concerns, access the support link on this screen.
  3. Read the SECURITY STATEMENT and the Knox PRIVACY POLICY and tap I agree to all of the above; tap Next.
  4. Enter the User ID and Password provided by your IT admin and tap Confirm.
  5. Your credentials are validated and your device is enrolled in your organization’s enterprise IT environment.
NOTE — Root and intermediate certificates can be downloaded and installed after KME enrollment profile creation, but prior to EMM connectivity which may require root certificates to proceed.

Unenroll devices

To unenroll devices, you need to first remove the IMEI from the Knox Mobile Enrollment portal. After that, a factory reset or MDM console initiated unenrollment can be performed to completely recover the device. If needed, contact your carrier or reseller to obtain the list of the IMEIs of your users’ devices.

Post enrollment MDM client updates

Devices enrolled in KME receive MDM client updates if enrolled directly through the MDM console.

Applications must be available in Google Play and an auto-update of Google Play must be enabled.

NOTE — Keep in mind when using additional services with Knox Mobile Enrollment—such as Knox Configure (KC)— if a device upload is approved for KME it is also automatically approved in KC, regardless of the KC upload approval setting.

User credential based enrollment types

There are three different kinds of user credential based enrollment types, including:

  1. A single username and password combination, or a shared secret, used to enroll hundreds of devices. This form of enrollment is called staging.
    • This credential is passed in the CSV file
    • Alternatively, some MDMs use a shared secret to enroll multiple devices
  2. A per device credential configured in the CSV file.
    • It is difficult for admins to associate each device to a user beforehand, so this method (#2) has its shortcomings
    • Consequently, enrollment type #1 is preferable to #2
  3. A device can be configured without any credentials, but some MDMs do not support this method, so be sure to verify. In most of the cases, it requires end users to input their credentials.
    • Enrollment is not complete until credentials are provided by the end user. This can result in unmanaged and stolen devices.

Enroll devices without end user activity

You can enroll devices with end user credentials configured on each device before distributing them to their intended users. A staging credential ensures the device is enrolled, but still requires end user input to finalize registration.