Back to top
Home / Knox Mobile Enrollment / How-to guides / Manage profiles /

Android Enterprise profiles

Last updated April 3rd, 2024

Knox Mobile Enrollment lets you create, assign, and manage Android Enterprise profiles that are either fully managed or work profiles on company-owned devices running Android 11 or higher.

Before you can enroll devices, you need to create a profile or edit an existing profile. Additionally, there are no limits to the number of profiles you can create and assign to devices.

Create a profile

To create an Android Enterprise profile:

When creating a profile within the console, the folowing characters aren’t allowed:

# / $ * % ^ & \ ( ) + ? { } [ ]

  1. On the Profiles page, click Create profile.

  2. Select Android Enterprise as the profile type.

    android enterprise profile

  3. Enter a Profile name.

  4. (Optional) Enter a description containing up to 200 characters.

  5. Select an EMM. See Knox partner solutions for a list of EMMs that Knox Mobile Enrollment is integrated with. You can search for an EMM by its EMM name, ordered alphabetically, and grouped first by whether it’s approved by the Knox Validated Program. If you select Other, manually enter the EMM agent APK. This APK lets you add one or more EMM apps that’ll be downloaded automatically upon device enrollment. To use this APK resource from within a local intranet, select This EMM APK is locally hosted on an intranet server.

  6. If the EMM APK is locally hosted, you must configure Publicly available EMM APKs — the URL of a publicly accessible version of the same EMM APK you are hosting within your enterprise intranet.

  7. If the EMM APK isn’t locally hosted, you must configure Privately available EMM APKs — this information is used for validation during device enrollment and display on the Managed Provisioning page. You’ll need to provide the following information:

    • Admin component page — This is displayed as package name/class name.

    • Admin package signature checksum — This is the Base64 encoded SHA-256 hash of the EMM APK signature, which is URL friendly. You can get this value from your EMM. See the Android Device admin signature checksum documentation for more information. Alternatively, you can use the Keytool utility on Linux to get the signature checksum value.

    • EMM app name — This is the name of the app displayed on the Managed Provisioning page.

    • App icon — This icon is displayed next to the EMM app name. The minimum size is 48 X 48 pixels in PNG file format.

  8. Enter the EMM server URI. This URI points to the EMM’s installation portal for downloading specific EMM configurations. Verify you can connect to the EMM, since it may be firewall-protected or unavailable on public networks.

  9. Click Continue to set the Android Enterprise profile settings.

    android enterprise profile

  10. (Optional) Provide Custom JSON Data (as defined by EMM) to set up the EMM. Contact your EMM’s vendor to obtain their JSON template and enterprise-specific settings.

  11. (Optional) Specify a root/intermediate certificate that will be installed on devices during device enrollment. Only certificates with .cer, .pem, .crt, .der and .ca-bundle file types are supported. This feature is available on devices running Android 9 or later.

  12. (Optional) Enable DualDAR to secure the enrollment data with two layers of encryption. Once enabled, optionally check Use 3rd party crypto app and add the package name, package URL, and signature for use with a third-party crypto app. Click Save when finished.

    You must have a Knox DualDAR license which you can purchase from Knox license resellers. See DualDAR overview for more information.

  13. Click Add a QR code to enroll devices with a QR code.

    QR-code-based enrollment is supported on devices running Android 10 or higher.

  14. Set the QR code settings:

    1. You can allow QR code enrollment for devices not uploaded by a reseller.

    2. Set whether Wi-Fi data is added to the QR code data by selecting one of the following options:

      1. Select No Wi-Fi network configuration to create a QR code with no network data.

      2. Select Add Wi-Fi network configuration to QR code to include security data and proxy traffic gateway information within the generated QR code content. Optionally check Use device MAC address to include the factory-encoded hardware MAC address within the QR code’s Wi-Fi MAC address. Wi-Fi settings in the QR code take priority over those associated with the device in the profile, since you first need to connect to Wi-Fi through the QR code before downloading the profile information associated with the device.

      3. Set the SSID settings — Provide an SSID name. Then, select the type of connection security from the Security list. This type can be either None, WEP, or WPA/WPA2. Selecting None provides no Wi-Fi network security data within the generated QR code, and is not recommended for private networks. WEP provides a somewhat effective passphrase, while WPA/WPA2 is a more secure passphrase using harder to crack protocols.

    3. Click Add to create the QR code. Click the newly created link on the Android Enterprise profile settings page to review the generated QR code for this profile page and, if necessary, edit or delete the QR code assigned to the enrollment profile.

    4. Once the QR code is generated, a QR code icon is displayed on the Profiles page, if enrollment was from the profile contained in the actual QR code. You can also use the QR code to trigger enrollment if the device is pre-assigned to a different profile from the console. However, in this case, the QR code icon isn’t displayed on the Profiles page.

  15. Configure the following Device settings:

    • Select Disable system applications to disable all system apps.

    • Select Leave all system apps enabled to enable all pre-installed system apps. If you don’t select this option, only a limited subset of default system apps (My Files, Contacts, and Play Store) are available in the app list. Systems apps can’t be installed or removed by the device user.

      When using Knox Mobile Enrollment with Knox Configure, leaving all system apps enabled may lead to conflicts with the Knox Configure profile.

    • (Optional) Add a Privacy Policy, EULAs and Terms of Service to enter a specific Agreement title and an Agreement text for the profile. Furthermore, click Samsung Knox Privacy Policy to review location-specific privacy policies for device users based on their geographic region.

    • Specify the EMM Company name displayed at the time of device enrollment.

    • (Optional) Edit Device enrollment screens to specify which screens are displayed during enrollment. By default, the setup wizard is hidden for both fully managed devices and company-owned devices with work profiles.

      For devices running Android 14, you can also optionally select Show the setup wizard after EMM enrollment on the Android Enterprise profile settings screen to display the Google Services screen, which lets you configure location settings, install app updates, send usage and diagnostic data, and so on. Supports company-owned devices with work profiles running Android 13 or higher, and fully managed devices running Android 14 or higher.

  16. Click Create to create the profile. Once created, you can review all the profile information on the Profiles page.

Clone a profile

You can clone an existing profile and then customize it as needed. To do so:

  1. Select the profile you’d like to clone. You can clone one profile at a time.

  2. Click Actions > Clone to edit > Confirm.

  3. Rename the clone to avoid a naming conflict with the source profile.

  4. (Optional) Override the clone’s settings, as needed.

    The Profiles page on the Knox Mobile Enrollment console uses cloned MSP profile to indicate that a profile is a clone of the corresponding Knox MSP Program profile.

Delete or clear profile(s)

You can permanently remove individual or bulk enrollment profiles from the console in one action.

You can’t delete profiles that are assigned to devices. To successfully delete a profile, assign a different profile to the devices.

To delete an individual existing profile:

  1. Go to the Profiles page and select the existing profile you’d like to delete.

  2. Click Delete profile.

  3. Click Delete to finish the deletion.

Profile QR code assignment

You can also begin enrolling your device with a QR code by making a plus sign (+) gesture on the initial setup screen on the device.

If a device is running Android 14 or higher, you can enroll it using a QR code on Wi-Fi networks that are behind a captive portal, regardless of whether these devices were previously reset.

To enroll using a captive portal on non-Knox devices running Android 14 or higher, you must first disable factory reset protection on them.

Review existing profile QR code assignments

To review which QR codes were assigned to which devices:

  1. Go to Profiles.

  2. Click the QR code associated with a Profile name.

  3. For QR code settings, choose whether to add a Wi-Fi network configuration to the QR code.

    • (Optional) Use a device MAC address will attempt to securely connect only known devices to your Wi-Fi network by using their MAC address.

    • (Optional) Select whether the Wi-Fi network is hidden. Doing so enables the QR code to connect the device to a Wi-Fi access point with a hidden SSID. You can still view and print the SSID when in read-only mode. Turned off by default.

  4. Click Download to archive the QR code configuration.

  5. Click Print to print the QR code.

  6. Click OK to close the QR code for this profile page and return to the Profiles page.

On this page

Is this page helpful?