Android Enterprise profiles

Knox Mobile Enrollment lets you create, assign, and manage Android Enterprise profiles that are either fully managed or work profiles on company-owned devices running Android 11 or higher.

Before you can enroll devices, you need to create a profile or edit an existing profile. Additionally, there are no limits to the number of profiles you can create and assign to devices.

Create a profile

To create an Android Enterprise profile:

1. On the Profiles page, click Create profile.

2. Select Android Enterprise as the profile type.

   

3. Enter a Profile name.

4. (Optional) Enter a description, containing up to 200 characters.

5. Select an EMM. See Knox partner solutions for a list of EMMs that Knox Mobile Enrollment supports. If you select Other, manually enter the EMM agent APK. This APK lets you add one or more EMM apps that’ll be downloaded automatically upon device enrollment. To use this APK resource from within a local intranet, check This EMM APK is locally hosted on an intranet server.

6. If the EMM APK is locally hosted, you must configure Publicly available EMM APKs — the URL of a publicly accessible version of the same EMM APK you are hosting within your enterprise intranet.

7. If the EMM APK isn’t locally hosted, you must configure Privately available EMM APKs — this information is used for validation during device enrollment and display on the Managed Provisioning page. You’ll need to provide the following information:

   • Admin component page — This is displayed as package name/class name.

   • Admin package signature checksum — This is the Base64 encoded SHA-256 hash of the EMM APK signature, which is URL friendly. You can get this value from your EMM. See the Android Device admin signature checksum documentation for more information. Alternatively, you can use the Keytool utility on Linux to get the signature checksum value.

   • EMM app name — This is the name of the app displayed on the Managed Provisioning page.

   • App icon — This icon is displayed next to the EMM app name. The minimum size is 48 X 48 pixels in PNG file format.

8. Enter the EMM server URI. This URI points to the EMM’s installation portal for downloading specific EMM configurations. Verify you can connect to the EMM, since it may be firewall-protected or unavailable on public networks.

9. Click Continue to set the Android Enterprise profile settings.

   

10. (Optional) Provide Custom JSON Data (as defined by EMM) to set up the EMM. Contact your EMM’s vendor to obtain their JSON template and enterprise-specific settings.

11. (Optional) Specify a root/intermediate certificate that will be installed on devices during device enrollment. Only certificates with .cer, .pem, .crt, .der and .ca-bundle file types are supported. This feature is available on devices running Android 9 or later.

12. (Optional) Enable DualDAR to secure the enrollment data with two layers of encryption. Once enabled, optionally check Use 3rd party crypto app and add the package name, package URL, and signature for use with a third-party crypto app. Click Save when finished.

    Note

    You must have a Knox DualDAR license which you can purchase from Knox license resellers. See DualDAR overview for more information.

13. Click Add a QR code to enroll devices with a QR code.

    Note

    QR-code-based enrollment is supported on devices running Android 10 or higher.

14. Set the QR code settings:

    1. You can allow QR code enrollment for devices not uploaded by a reseller.

    2. Set whether Wi-Fi data is added to the QR code data by selecting one of the following options:

       1. Select No Wi-Fi network configuration to create a QR code with no network data.

       2. Select Add Wi-Fi network configuration to QR code to include security data and proxy traffic gateway information within the generated QR code content. Optionally check Use device MAC address to include the factory-encoded hardware MAC address within the QR code’s Wi-Fi MAC address. Wi-Fi settings in the QR code take priority over those associated with the device in the profile, since you first need to connect to Wi-Fi through the QR code before downloading the profile information associated with the device.

       3. Set the SSID settings — Provide an SSID name. Then, select the type of connection security from the Security list. This type can be either None, WEP, or WPA/WPA2. Selecting None provides no Wi-Fi network security data within the generated QR code, and is not recommended for private networks. WEP provides a somewhat effective passphrase, while WPA/WPA2 is a more secure passphrase using harder to crack protocols.

    3. Click Add to create the QR code. Click the newly created link on the Android Enterprise profile settings page to review the generated QR code for this profile page and, if necessary, edit or delete the QR code assigned to the enrollment profile.

    4. Once the QR code is generated, a QR code icon is displayed on the Profiles page, if enrollment was from the profile contained in the actual QR code. You can also use the QR code to trigger enrollment if the device is pre-assigned to a different profile from the console. However, in this case, the QR code icon isn’t displayed on the Profiles page.

15. Configure the following Device settings:

    • Disable system applications to disable all system apps and make them unavailable to the fully managed profile.

    • Leave all system apps enabled to enable all pre-installed system apps and make them available to the profile. If you don’t select this option, only a limited set of default system apps (My Files, Contacts, Google Play Store) display in the device’s apps tray. Systems apps can’t be installed or removed by the device user.

      Note

      When using Knox Mobile Enrollment with Knox Configure, leaving all system apps enabled may lead to conflicts with Knox Configure.

    • Add Privacy Policy, EULAs and Terms of Service to enter specific Agreement title and Agreement text for the profile. Furthermore, click the Samsung Knox Privacy Policy link to review specific privacy policies for device users, based on their geographic region.

    • Specify the EMM company name displayed at the time of device enrollment.

    • Edit enrollment screens to specify which screens are displayed during enrollment. By default, the setup wizard is hidden for both fully managed devices and work profiles on company-owned devices.

16. Click Create to create the profile. Once created, you can review all the profile information on the Profiles page.

    Note

    The Profiles page on the Knox Mobile Enrollment console uses to indicate that a profile is a clone of the corresponding Knox MSP Program profile. For more information, see how you can manage profiles on the Knox MSP console

Delete or clear profile(s)

You can permanently remove individual or bulk enrollment profiles from the console in one action.

To delete an individual existing profile:

1. Go to the Profiles page and select the existing profile you’d like to delete.

2. Click Delete profile.

3. Click Delete to finish the deletion.

Profile QR code assignment

You can also begin a enrolling your devices with a QR code by using a screen gesture.

Review existing profile QR code assignments

To review existing device QR code assignments:

1. On the console, click Profiles.

2. Click the QR code associated with a Profile name.

   

3. Select Wi-Fi network configuration to automatically connect to this Wi-Fi network using a randomized device MAC address.

4. Click Download to archive the QR code configuration.

5. Click Print to print the QR code.

6. Click OK to close the QR code for this profile page and return to the Profiles page.