Invite and manage admins

This topic describes how to invite and manage admins, as well as assign the required roles and permissions needed to complete an admin invitation. For an overview of role-based access control and how it impacts an administrator invitation, go to: Role-based access control.

Invite and manage admins

Only selected and approved IT admins can enroll devices on behalf of customers.

Invite IT admins from within the Knox Mobile Enrollment portal as needed, and assign them unique enrollment services and permissions. When an admin supporting multiple services applies to KME, they must be approved by an existing KME Samsung Admin, regardless of other existing services the applicant admin may already support.

  1. Select Administrator & Roles from the left-hand navigation menu. Ensure the ADMINISTRATORS tab is selected.
  2. Select INVITE ADMINISTRATOR from the upper, right-hand side of the screen.

NOTE — A different Invite administrator screen could display stating that before an administrator can be invited a role must be first created and available for assignment. Ensure appropriate roles and permissions are created and available before proceeding with an administrator invitation. If a role is required, proceed to step 3. Otherwise, proceed to step 4.
  1. If a role is required to complete an administrator invitation, select the ROLES tab from the top of the Administrators & Roles screen, then select the CREATE ROLE button.
NOTE — Most permission categories within the Create role screen have a View only option that only permit an admin with this role to view items with no configuration, device or reseller administration permitted. New roles have the view only permission enabled by default. Existing roles that inherit a View only permission have it turned off by default, to prevent issues.

If creating a role for a pending administrator invitation, provide the required Role name and an optional Description. Refer to the Permissions portion of the screen and enable then select additional permissions by category as required beyond the basic permissions assigned by default. The Invite and manage administrators permission can only be assigned by an administrator that themselves has that specific permission enabled. A Super Admin or an Admin with Admins' permissions can invite an admin belonging to a different service to a role in their service. Select the SAVE button to continue.

If the user does not have the Assign with profile and manage tags permission enabled, all MDM profile options, except for Clear profile, will be disabled within the Configure devices pop (available from the ACTIONS drop-down menu within the Devices > UPLOADS screen).

NOTE — Enable Allow access to Knox Deployment Application to use the Knox Deployment App (KDA) exclusively for device enrollment into KME, without the use of the KME console. When relying on the KDA without the KME console an admin must login to the KDA, choose a service (KME, KC, KG, etc.), select a profile, pair the primary/admin device with a target device, and assign the profile to the target device. For more information on using the KDA, go to: Knox Deployment App (KDA).
  1. Provide the following to complete an administrator invitation:

  • First name — Provide the first name of the administrator resource.
  • Last name — Provide the last name of the administrator resource.
  • Email — If this email is not already associated with a Samsung Account, the user will have to create a Samsung Account before logging into Knox Mobile Enrollment. The creation of a Samsung account is required before an administrative account can be created. Samsung Knox does not support personal email addresses for new Knox account requests that have not been registered as a Samsung account. If the administrator's email is already associated with an active account, the invitation will fail with an error. Contact Knox Support for assistance in resolving the error.
  • Role — Use the drop-down menu to assign this new administrator a role appropriate to their intended administrative function. If unsure about the exact permissions of an available role, select View Role Details to review the scope of its available permissions. The Role drop-down menu is customized for role assignments based on the administrator creating the invite. Roles cannot be deleted when there is at least one administrator using the role. An administrator must be assigned a different role to ensure no existing admins using the role before it can be deleted.
NOTE — Roles in a pending, revoked or blocked state can be optionally deleted by selecting the ROLE NAME within the Administrators & Roles screen. To delete the role, navigate to the bottom of the Edit role screen and select the DELETE button. However, a role cannot be deleted if there are still active users assigned to the role. A Delete role screen displays when a role re-assignment is required for a deletion. Select the VIEW ADMINISTRATOR button and return to the ROLES tab to review the administrators currently assigned this role. Administrators must be assigned to a different role to permit the role deletion.

NOTE — Existing administrators without a Create and manage roles permission can only invite admins with a matching set of their own permissions.
  1. Select the INVITE button when completed. The newly added, but pending, administrator displays as a link that can be selected to edit the administrator name and role designation. If editing the administrator's profile, select the SAVE button to commit the additional updates.

KME admins do not always want to see blocked or revoked admins within the Administrators & Roles screen. Blocked and revoked admins can be displayed or filtered out at any using the Show blocked and revoked administrators checkbox. The checkbox setting is persistent when logging in and out of the KME console.