Configure standard settings
Last updated November 22nd, 2024
You can use Knox Mobile Enrollment profiles to define the EMM your device enrolls into, how the device gets enrolled, and what the devices can do during and after enrollment.
With Knox Mobile Enrollment profiles, you can easily enroll either fully managed or work profile Android Enterprise devices into your EMM solution.
To create a profile:
- Sign in to the Knox Admin Portal using your Samsung account credentials.
- Click Profiles on the left navigation pane of the Knox Mobile Enrollment console.
- On the Profiles page, click ACTIONS > Create profile.
There are four main steps involved in creating a profile.
Fields marked with a *
symbol are required.
Step 1: Basic profile information
On the Basic profile information page, enter the following information:
-
Profile name
*
— A unique name to help differentiate your profiles.When creating a profile within the console, the following characters aren’t allowed:
\ # / $ * % ^ & \ ( ) + ? { } [ ]
-
Description — A short description to help you remember the purpose of the profile.
-
Company name
*
— Your organization’s name, which is be displayed on the device during enrollment. -
Support email
*
— The email address displayed on the device during enrollment, which users can contact in case they need assistance. -
Support phone number
*
— The phone number displayed on the device during enrollment, which users can contact in case they need assistance.Your support contact information will be auto-populated if you’ve previously set a default email and phone number. To learn how to set default contact information, see Provide device user support.
Once you’ve filled out the required fields, click CONTINUE.
Step 2: EMM information
-
Select the EMM solution you’ll be enrolling your devices into from the Pick your EMM drop-down menu.
The list of EMMs is ordered alphabetically, with EMMs approved by the Knox Validated Program displayed at the top. You can filter the list by searching for your EMMs name in the drop-down menu.
See Knox partner solutions for all EMMs that Knox Mobile Enrollment currently supports.
If you don’t see your EMM solution listed in the drop-down menu, select Other.
-
The EMM agent APK field will be auto-populated when you select a supported EMM from the drop-down menu.
If you selected Other, manually enter the EMM agent APK to allow the EMM application to be downloaded automatically during device enrollment.
-
If your organization’s EMM is privately hosted from within a local intranet, select This EMM APK is privately hosted on an intranet server and enter the following information:
-
Admin component name
*
—This is displayed as package name/class name. -
Admin package signature checksum
*
— The URL-safe, base64 encoded SHA-256 hash of the EMM APK signature. You can get this value from your EMM.See Android Device admin signature checksum for more information. Alternatively, you can use the Keytool utility on Linux to get the signature checksum value.
-
EMM app name
*
—The name displayed on the Managed Provisioning page. -
App icon
*
— Click UPLOAD ICON to select an icon to be displayed next to the EMM app name. The image must be at least 48x48 pixels in PNG format, and up to 1MB in size.
-
-
If required by your EMM provider, select Specify an EMM server URI. Enter the server address in the field below then ensure you are allowed to connect to the URI, since it may be firewall-protected or unavailable on public networks.
Once you’ve filled out the required fields, click CONTINUE.
Step 3: Configure device settings
The following Standard settings are optional features you can add to your profile to customize what the devices can do during and after enrollment.
DPC extras
Your EMM provider may require you to specify custom JSON configurations for the Device Policy Controller (DPC) app during enrollment.
For example, for if you’re using Knox Manage as your EMM provider, your JSON data entry may look like this:
{
"tenantId": "knoxteam.samsung.com",
"tenantType": "M"
}
To configure additional parameters to automatically enroll the device in a particular mode, your JSON data entry may look like this:
{
"tenantId": "knoxteam.samsung.com",
"AllowModifyUserId": "Disallow",
"Mode": "DO"
}
Consult your EMM provider to obtain the configurations as the format may differ.
QR code enrollment
-
Click Add QR Code to allow device users to enroll into an EMM with this profile by scanning a QR code. This feature is supported on devices running Android 10 or higher.
-
If you want to enable this setting for devices not uploaded by a reseller, select Also allow QR enrollment for devices not uploaded by a reseller.
-
Under QR code settings, set whether to add Wi-Fi to the QR code by selecting one of the following options:
-
Select No Wi-Fi network configuration to create a QR code with no network data. Device end users will have to manually connect to Wi-Fi.
-
Select Add Wi-Fi network configuration to QR code to include security data and proxy traffic gateway information within the generated QR code content.
-
Select Use device MAC address to include the factory-encoded hardware MAC address within the QR code’s Wi-Fi MAC address. Wi-Fi settings in the QR code take priority over those associated with the device in the profile, since you first need to connect to Wi-Fi through the QR code before downloading the profile information associated with the device.
-
Select W-Fi network is hidden to enable the QR code to connect the device to a Wi-Fi access point with a hidden SSID. You can still view and print the SSID when in read-only mode. Turned off by default.
-
Enter a SSID Name
*
for the Wi-Fi network. -
Select a Security protocol to protect the Wi-Fi network. Options include None, WEP, or WPA/WPA2.
If you selected WEP or WPA/WPA2, enter an optional password. WEP provides a somewhat effective passphrase, while WPA/WPA2 is a more secure passphrase using harder to crack protocols.
Selecting None provides no Wi-Fi network security data within the generated QR code, and is not recommended for private networks.
-
-
-
Once all of the required fields are filled, click ADD to generate the QR code. To save the QR code for future use, select Download or Print.
System apps
System apps are pre-installed on a device as part of the operating system. Select whether device users can access these apps upon enrollment.
-
Select Enable system apps to allow device users to access pre-installed apps upon enrollment.
-
Select Disable system apps to hide pre-installed apps upon enrollment. When you enable this option, only certain default system apps (My Files, Contacts, and Play Store) will be available in the app list. These apps can’t be installed or removed by the device user.
When using Knox Mobile Enrollment with Knox Configure, enabling system apps may lead to conflicts with the Knox Configure profile.
Enrollment screens
Enrollment screens are a series of steps device users follow to set up a device. By default, these screens are skipped to streamline device enrollment.
However, you can choose to:
-
Show all Android Enterprise setup screens, including the screens that can be skipped in Android 12 and higher, and
-
Show setup wizard after EMM enrollment. Not applicable for Android 15 and higher.
The option to show the setup wizard is supported on company-owned devices with work profiles running Android 13, and both fully managed and company-owned devices with a work profile running Android 14.
Devices running Android 15 and higher will always show the setup wizard during device enrollment. The Google Services screen is included in the series of setup wizard steps and allows device users to configure location settings, install app updates, send usage and diagnostic data, and much more.
Privacy Policy
You can add up to three of your organization’s legal agreements to display to end users during device enrollment.
To add an agreement:
- Click Add legal agreement.
- Enter an Agreement Title.
- Enter the Agreement Text.
- Click ADD.
To edit a legal agreement, click the agreement title.
Root or intermediate certificate
Click Choose File to upload a root/intermediate certificate that will be installed on devices during device enrollment. This feature is available on devices running Android 9 or later. Only certificates with CER, PEM, CRT, DER, and CA-bundle file types are supported.
DualDAR
The Samsung Knox DualDAR solution provides two separate layers of encryption and key generation.
To double-encrypt your device’s data, select Enable DualDAR, then click ENABLE to confirm you have a Knox Platform for Enterprise DualDAR license. If you don’t have one, and would like to use DualDAR, contact your reseller.
To allow an independent third party to install a separate cryptographic module:
- Select Use 3rd party crypto application.
- Click Add package and signature and enter the Package Name, Package URL, and Signature of the 3rd party crypto application.
- Click OK when done.
Advanced settings
If you want your profile to include optional features like device lock or have up to three apps installed during enrollment, enable the Advanced settings toggle. If your profile doesn’t require these options, click CONTINUE.
Step 4: Review
The final step is to review your profile to ensure all information is correct. You can click a settings on the left navigation pane to edit that section. Once reviewed, click CREATE. Your newly created profile will be displayed in the Profiles table.
On this page
Is this page helpful?