Knox Mobile Enrollment frequently asked questions
Last updated December 7th, 2023
On this page, you’ll find answers to the most common questions that new customers have about Knox Mobile Enrollment.
Knox Mobile Enrollment is an automated and streamlined EMM enrollment tool that enables you to provision thousands of devices for enterprise management, with less hassle for both IT admins and device users. With our advanced staging and security options that flex to your needs, enroll work devices safely across any network environment or fleet size. Knox Mobile Enrollment is fully integrated with Samsung devices and services for an end-to-end experience.
Knox Mobile Enrollment is a free solution offered by Samsung and can be used without a license. Regular Knox Mobile Enrollment profiles allow you to configure EMM enrollment parameters and secure devices with factory reset protection.
Furthermore, Knox Mobile Enrollment advanced profiles extend the functionality of regular profiles and provide additional device control and security. For more information, see Knox Mobile Enrollment advanced profiles.
You need an active Knox Suite license to use the features of advanced profiles.
1 You can use Knox services once you are enrolled and your information is confirmed by Samsung.
Yes. Knox Mobile Enrollment allows customers to add a certificate to enable their internal network connections.
Root or intermediate certificates can be downloaded and installed after creating a Knox Mobile Enrollment profile, but prior to EMM connectivity, which may require root certificates to proceed.
The following certificate types are supported — CER, PEM, CRT, DER, and CA-BUNDLE (either inside a ZIP file or applied directly). Additionally, CA certificates are supported, not User certificates. Keep in mind, with Android 9 root and intermediate certificates are installed in the device’s default keystore. With Android 10 and higher, root and intermediate certificates are installed in the VPN and App keystores as well as the device default keystore.
Yes, Knox Mobile Enrollment supports enrolling in locally hosted EMM, so your security and performance are tightly maintained. Even in on-premise environments with intranet, use Knox Mobile Enrollment Direct — a PC application — to enroll and configure devices remotely.
Knox Mobile Enrollment cloud and Knox Mobile Enrollment Direct support only Samsung Android devices.
For the most up-to-date list of devices that Knox Mobile Enrollment supports, see Devices secured by Knox.
The following enrollment options are available to Knox Mobile Enrollment:
- Reseller uploads — Authorized Samsung resellers can directly upload purchased device IMEIs to Knox Mobile Enrollment on behalf of their customer(s). For more information on Knox Mobile Enrollment resellers, visit the Knox resellers page.
- Knox Deployment App (KDA) — KDA is an app available on Google Play that is uniquely designed to help streamline the enterprise deployment of Samsung phones and tablets running an appropriate Knox version. The KDA allows an enterprise IT admin to upload devices directly through Bluetooth and Wi-Fi Direct, without the assistance of a reseller. KDA runs on a designated primary device which is required to sign in to Knox Mobile Enrollment. The target device requires a special B2B menu activated by drawing a plus sign (+) gesture on the initial device setup screen.
- QR code — QR code gesture enrollment is an enrollment option for devices running Android 10 or higher. The QR code enrollment process begins by drawing a plus sign (+) gesture on the initial device setup screen. This opens a menu, which when selected, activates the device’s camera in QR code recognition mode. Once a QR code is recognized, a Wi-Fi connection is made (if the proper credentials are contained within the QR code) and enrollment begins. If there are no Wi-Fi credentials within the QR code, then the user is prompted to provide them within the Wi-Fi setup screen.
For Samsung device purchases and a simple onboarding process, see the resellers participating in the Knox Deployment Program.
Yes. Your MSP can use the Knox MSP portal to act as your proxy with Knox Mobile Enrollment features, including device bulk enrollment. Customers with the legacy Knox Mobile Enrollment offerings can also choose to migrate to the Knox MSP portal.
Knox Mobile Enrollment is available in 110 countries worldwide so that customers can have the same device enrollment experience wherever they are operating. For details, please see the list of countries where we operate.
Yes, you can enroll multiple devices from multiple locations in a single place. However, please note that currently, there are two Knox Mobile Enrollment servers globally — one server for devices in the Americas 3 and a second server for the European Union (EU) and the rest of the world. Your Knox Mobile Enrollment admin account is tied to one of these two servers based on the country selected at the time of registration.
For example, if you selected the US as your country during Knox Mobile Enrollment registration, then only devices from the Americas can be enrolled through this account. If you have devices from the EU or other parts of the world, then you will need to create a second Knox Mobile Enrollment admin account selecting a country outside of the Americas during registration.
3 Countries in North America and Central and South America.
Knox Mobile Enrollment (KME) APIs are cloud-based APIs that enable companies to integrate key Knox Mobile Enrollment capabilities into their own custom portal, providing them a single portal for managing profiles and resellers. Use cases include internal IT support portals and management consoles for customers. These APIs are RESTful and return JSON responses. For secure access, API consumers should use the Samsung Knox access token. You can see the guide on these REST APIs to identify the Mobile Device Management (MDM) solution used to manage enterprise devices.
No, a Knox Suite license is not required to create an advanced profile. When a device undergoes out-of-box enrollment and is enrolled in KME, active Knox Suite licenses, if any, are activated. In case no active Knox Suite licenses are detected before device enrollment, you can still create an advanced profile.
If an advanced profile is assigned to a device but there are no Knox Suite seats remaining in your tenant, you won’t be able to use any of the advanced features that are associated with the advanced profile. Even if you successfully enroll with KME, since you don’t have a Knox Suite license, it will automatically be enrolled with a regular profile instead. The device status becomes Enrolled (restricted).
The following table covers three scenarios for license assignments in Knox Mobile Enrollment advanced profiles:
|Devices with a Knox Suite license and available license seats.
|Devices will be activated with advanced profile functionality during the Out of Box Experience flow.
|Devices with a Knox Suite license and unavailable license seats.
|Devices will not be activated with advanced profile functionality.
|Devices without a Knox Suite license
|EMM enrollment and device settings will be applied successfully. Advanced profile functionality won’t be available.
If you have devices with advanced profiles applied to them, you will lose access to the advanced profile features.
After assigning a regular profile on the console, you must factory reset the device to apply the regular profile settings to the device.
Is this page helpful?