- Basics
- About Knox
- Knox licenses
- Knox white paper
- Sign up for Samsung Knox
- Latest release notes
- General Knox FAQ
- General Knox KBAs
- Submit a support ticket
- User Acceptance Testing
- For IT admins
- Knox Admin Portal
- Knox Suite
- Knox Platform for Enterprise
- Introduction
- How-to videos
- Before you begin
- Get started with UEMs
- Introduction
- Blackberry UEM
- Citrix Endpoint Management
- FAMOC
- IBM MaaS360
- Microsoft Intune
- MobileIron Cloud
- MobileIron Core
- Samsung Knox Manage
- SOTI MobiControl
- VMware Workspace ONE UEM
- Knox Service Plugin
- Release notes
- Migrate to Android 11
- FAQs
- Troubleshoot
- KBAs
- Knox Mobile Enrollment
- Knox Configure
- Mobile
- Wearables
- Shared Device
- FAQ
- KBAs
- Knox Capture
- Introduction
- How it works
- How-to videos
- IT admins: Get started
- Getting started with Knox Capture
- Step 1: Launch Knox Capture
- Step 2: Create a scanning profile
- Step 3: Select apps and activities
- Step 4: Configure the scanner
- Step 5: Set keystroke output rules
- Step 6: Test apps in your configuration
- Step 7: Share your configuration
- Step 8: Deploy Knox Capture in Managed mode
- End users: Get started
- Features
- Release notes
- FAQ
- KBAs
- Troubleshoot
- Knox Asset Intelligence
- Knox Manage
- Introduction
- How-to videos
- Get started
- Video: Getting started with Knox Manage
- Integration with Managed Service Provider
- Access Knox Manage
- Configure basic environments
- Create user accounts
- Create groups
- Create organization
- Set up devices and profiles
- Create a new profile
- Assign profiles to groups and organizations
- Enroll devices
- Shared Android device quickstart
- Non-shared Android device enrollment quickstart
- Android Management API device enrollment quickstart
- Apple User Enrollment quickstart
- View device information
- Apply profiles to organizations
- Set up Knox Manage deployment with a Knox Suite license
- Manage Chromebooks
- Manage Android devices with the Android Management API
- Manage Shared iPads
- Configure
- Licenses
- Organization
- Users
- Sync user information
- Groups
- Devices
- Content
- Applications
- Profile
- Knox E-FOTA
- Certificates
- Advanced settings
- Monitor
- Kiosk devices
- Knox Remote Support
- Active Directory
- Microsoft Exchange
- Mobile Admin
- Appendix
- Release notes
- Features
- FAQ
- KBAs
- Knox E-FOTA
- Introduction
- How-to videos
- Get started
- Features
- EMM integration
- Appendix
- Release notes
- FAQ
- KBAs
- Troubleshoot
- Knox E-FOTA On-Premises
- Legacy Knox E-FOTA products
- Knox Guard
- Introduction
- How-to video
- Get started
- Using Knox Guard
- Dashboard
- Manage devices
- Device management
- Accept or reject devices
- Upload devices
- Delete devices
- Complete device management
- Send notifications
- Enable or disable SIM control
- Download devices as CSV
- View device log
- View device deletion log
- Start and stop blinking reminder
- Lock and unlock devices
- Update lock message
- Send relock timestamp
- Turn on/off relock reminder
- Manage policies
- Manage licenses
- Manage resellers
- Manage admins and roles
- Activity log
- Knox Deployment App
- Release notes
- FAQ
- KBAs
- Support
- Open API reference
- Samsung Care+ for Business
- For Knox Partners
- Knox Deployment Program
- Knox MSP Program
Knox Mobile Enrollment FAQ
On this page, you'll find answers to the most common questions that new customers have about Knox Mobile Enrollment.
What is Knox Mobile Enrollment?
Knox Mobile Enrollment is an automated and streamlined EMM enrollment tool that enables you to provision thousands of devices for enterprise management, with less hassle for both IT admins and device users. With our advanced staging and security options that flex to your needs, enroll work devices safely across any network environment or fleet size. Knox Mobile Enrollment is fully integrated with Samsung devices and services for an end-to-end experience.
How much does it cost to use Knox Mobile Enrollment?
Knox Mobile Enrollment is a free-of-charge IT solution offered by Samsung. You can use all the features with no license key required. To access Knox Mobile Enrollment, please visit the product page, enroll, sign in (with the enroll* and sign-in buttons at the top), and launch the Knox Mobile Enrollment console.
* You can use Knox services once you are enrolled and your information is confirmed by Samsung.
What are the prerequisites for using Knox Mobile Enrollment?
To use Knox Mobile Enrollment, you need supported Samsung devices running Knox version 3.0 or higher, purchased from a participating reseller in the Knox Deployment Program. *Devices purchased elsewhere can be deployed in bulk by using Knox Deployment App or QR code. The correct firewall exemptions are needed to extend beyond your local and protected network domain and securely connect to the Knox Mobile Enrollment server. For more information, see Knox Mobile Enrollment firewall exceptions.
Certain certificates are required to access my company network. Can I install the additional certificates on my mobile devices through Knox Mobile Enrollment?
Yes. Knox Mobile Enrollment allows customers to add the certificate(s) required to enable their internal network connections.
Root and intermediate certificates can be downloaded and installed after Knox Mobile Enrollment profile creation, but prior to EMM connectivity, which may require root certificates to proceed.
The following certificate types are supported — CER, PEM, CRT, DER, and CA-BUNDLE (either inside a ZIP file or applied directly). Additionally, CA certificates are supported, not User certificates. Keep in mind, with Android 9 root and intermediate certificates are installed in the device's default keystore. With Android 10 and higher, root and intermediate certificates are installed in the VPN and App keystores as well as the device default keystore.
Does Knox Mobile Enrollment support on-premise deployment or intranets?
Yes. Knox Mobile Enrollment allows customers to add the certificate(s) required to enable their internal network connections.
Knox Mobile Enrollment supports enrolling in locally hosted EMM, so your security and performance are tightly maintained. Even in on-premise environments with intranet only, use Knox Mobile Enrollment Direct — a PC application — to enroll and configure devices remotely.
What platforms, operating systems, and devices do Knox Mobile Enrollment support? And which specific versions does it support?
As of March 2022, Knox Mobile Enrollment supports the following platforms and operating systems:
- Knox Mobile Enrollment — Samsung Android Only (Android 8, Knox 3.0 or higher)
- Knox Mobile Enrollment Direct — A laptop or desktop computer running Windows 10 for the PC app, and Samsung Android Only (Android 11, Knox 3.7.1 or higher) for target devices
Each Knox solution, including Knox Mobile Enrollment and Knox Mobile Enrollment Direct, is supported on the latest five major Android versions (1 latest version on the first major release in the year, plus 4 previous versions).
What types of EMM does Knox Mobile Enrollment support?
For supported EMMs, please visit the Knox partner solutions page. You can also manually enable EMMs that are not on the list.
How can I register devices to Knox Mobile Enrollment?
The following enrollment options are available to Knox Mobile Enrollment:
- Reseller uploads — Authorized Samsung resellers that are participating in the Knox Deployment Program can upload purchased device IMEIs directly onto Knox Mobile Enrollment on behalf of their customer(s). For more information on Knox Mobile Enrollment resellers, visit the Knox resellers page.
- Knox Deployment App (KDA) — The KDA is a mobile application available from the Google Play Store that is uniquely designed to help streamline the enterprise deployment of Samsung phones and tablets running an appropriate Knox version. The KDA allows an enterprise IT administrator to upload devices directly through NFC*, Bluetooth, and Wi-Fi Direct, without the assistance of a reseller. The KDA runs on a designated primary device which is required to log in to Knox Mobile Enrollment. The target device requires a special B2B menu activated by pressing a plus sign (+) on the initial device setup screen.
- QR code — QR code gesture enrollment is an enrollment option for Android 10+ devices. The QR code enrollment process begins by pressing the plus sign (+) on the initial device setup screen. This opens a menu, which when selected, activates the device's camera in QR code recognition mode. Once a QR code is recognized, a Wi-Fi connection is made (if the proper credentials are contained within the QR code) and enrollment begins. If there are no Wi-Fi credentials within the QR code, then the user is prompted to provide them within the Wi-Fi setup screen.
* NFC is no longer supported on Android 11 and upward
Where can I find the list of resellers that can support bulk device registration for Knox Mobile Enrollment?
For Samsung device purchase and a simple onboarding process, see the resellers participating in the Knox Deployment Program.
Our devices are managed by an MSP. Does Knox Mobile Enrollment allow an MSP to use Knox Mobile Enrollment on our behalf?
Yes. Your MSP can use the Knox MSP portal to act as your proxy with Knox Mobile Enrollment features, including device bulk enrollment. Customers with the legacy Knox Mobile Enrollment offerings can also choose to migrate to the Knox MSP portal.
Where can I find the list of countries where Knox Mobile Enrollment is available?
Knox Mobile Enrollment is available in 110 countries worldwide so that customers can have the same device enrollment experience wherever they are operating. For details, please see the list of countries where we operate.
Can I enroll devices brought from multiple locations with a single Knox Mobile Enrollment service?
Yes, you can enroll multiple devices from multiple locations in a single place. However, please note that currently, there are two Knox Mobile Enrollment servers globally — one server for devices in the Americas* and a second server for the European Union (EU) and the rest of the world. Your Knox Mobile Enrollment Admin account is tied to one of these two servers based on the country selected at the time of registration.
For example, if you selected the US as your country during Knox Mobile Enrollment registration, then only devices from the Americas can be enrolled through this account. If you have devices from the EU or other parts of the world, then you will need to create a second Knox Mobile Enrollment Admin account selecting a country outside of the Americas during registration.
* Countries in North America and Central and South America
Can I enable Knox Mobile Enrollment by integrating it with the existing web console instead of using the Knox Mobile Enrollment console?
Knox Mobile Enrollment (KME) APIs are cloud-based APIs that enable companies to integrate key Knox Mobile Enrollment capabilities into their own custom portal, providing them a single portal for managing profiles and resellers. Use cases include internal IT support portals and management consoles for customers. These APIs are RESTful and return JSON responses. For secure access, API consumers should use the Samsung Knox access token. You can see the guide on these REST APIs to identify the Mobile Device Management (MDM) solution used to manage enterprise devices.
Do I need a Knox Suite license to create an advanced profile?
No, a Knox Suite license is not required to create an advanced profile. When a device undergoes out-of-box enrollment and is enrolled in KME, active Knox Suite licenses, if any, are activated. In case no active Knox Suite licenses are detected before device enrollment, you can still create an advanced profile.
What happens if I don't have a Knox Suite license at the enrollment stage?
If an advanced profile is assigned to a device but there are no Knox Suite seats remaining in your tenant, you won't be able to use any of the advanced features that are associated with the advanced profile. Even if you successfully enroll with KME, since you don't have a Knox Suite license, it will automatically be enrolled with a regular profile instead. The device status becomes Enrolled (restricted).
What is the relationship between advanced profiles and Knox Suite license assignments?
The following table covers three scenarios for license assignments in Knox Mobile Enrollment advanced profiles:
|
Scenario |
Outcome |
Device status |
|---|---|---|
|
Devices with a Knox Suite license and available license seats |
Devices will be activated with advanced profile functionality during the Out of Box Experience flow. |
Enrolled |
|
Devices with a Knox Suite license and unavailable license seats |
Devices will not be activated with advanced profile functionality. |
Enrolled (restricted) |
|
Devices without a Knox Suite license |
EMM enrollment and device settings will be applied successfully. Advanced profile functionality won't be available. |
Enrolled (restricted) |
What happens to my advanced profiles when my Knox Suite license expires?
If you have devices with advanced profiles applied to them, you will lose access to the advanced profile features.
How do I disable advanced profile features on a device?
After assigning a regular profile on the console, you must factory reset the device to apply the regular profile settings to the device.
Can I get support from you for any issues and questions I may run into with Knox Mobile Enrollment?
Samsung provides various KBAs in the Support section of SamsungKnox.com for customers to find solutions independently. For issues that can't be solved using our digital resources, you can sign up on SamsungKnox.com to send us inquiries or create support tickets. Learn how to create support tickets.
