Setup and config for admins

Last updated May 9th, 2024

Just like Knox Mobile Enrollment cloud, Knox Mobile Enrollment Direct helps you configure Android settings and behavior when your devices are enrolled in EMMs.

You can assign enrollment profiles to your devices, as well as customize these profiles according to their real-world application. For instance, you could create a profile for different teams in your organization, such as a profile for customer support representatives, another for managers, and yet another for executives. Each profile would customize each group’s devices according to their needs. Profiles can include security restrictions aimed at safeguarding critical data, such as disabling high-bandwidth video streaming, automatic app updates, or wiping sensitive data if the device is lost or stolen.

Access the Knox Mobile Enrollment Direct app

To access the Knox Mobile Enrollment Direct app:

  1. Sign in to your Samsung Knox account. If you don’t have a Samsung account yet, you must create one.

  2. On the Knox Admin Portal, go to Knox Mobile Enrollment Direct and click Get started.

  3. Download the latest version of the Knox Mobile Enrollment Direct PC app.

Download and install the Knox Mobile Enrollment Direct app

To download and install the Knox Mobile Enrollment Direct PC app on your local computer:

  1. On a Windows PC that meets the minimum requirements, sign in to your Samsung Knox account.

  2. Download and run the latest version of the app from the Knox Mobile Enrollment (KME) Direct download page.

  3. Read and review the license agreement. If you agree to the terms of the agreement, click Next.

  4. When prompted, create your passcode. You must supply this passcode every time you use the app. Passcodes must:

    • Contain 4-12 characters

    • Contain numbers

    • Use a mix of uppercase and lowercase letters, and

    • Include one or more special characters, which are !, @, #, $, %, ^, &, or *.

    Once you successfully create a passcode, click Next.

  5. Safely preserve the recovery key the installer displays and use it to reset the passcode in case you forget it. Then, click Next.

  6. Copy the activation request key the installer displays. Then, go back to the Knox Mobile Enrollment Direct download page and paste this key into the Step 2: Activation request key field.

  7. Click Generate to generate the activation request key.

  8. Paste the activation request key in the license activation key field on the installer.

  9. Choose where you’d like to install the app and click Start Installation.

Once installation is complete, click Launch to close the installer, launch the Knox Mobile Enrollment Direct app, and configure the app settings.

Configure app settings

The first time you launch the Knox Mobile Enrollment Direct PC app:

  1. Enter your Knox Mobile Enrollment Direct passcode and click OK.

  2. Click Browse and select a Shared folder path where the XML files for device configuration will be stored.

  3. Select either the Built-in relay server or configure a Local server (advanced). Selecting the built-in relay server auto-populates the:

    • URI of the relay server
    • port number of the server

    If you choose your own local server, provide the Local server URI for a Device configuration profile.

  4. Click Start to start the configured relay server.

  5. Initiate Enrollment QR code creation to use one or more QR codes to enroll your devices. Depending on how you configure profiles, the encrypted QR code string might split into multiple QR codes, which you can scan in one of the following scanning orders:

    • Multiple QR codes in order (Android 11 or higher, Knox 3.7 or higher)

    • Multiple QR codes in any order (Android 12 or higher, Knox 3.8 or higher)

    • Minimized single QR code (Android 13 or higher, Knox 3.9 or higher)

    • Minimized single QR code with hiding passwords (for Android 14 or higher) that also secures the Wi-Fi SSID, password, and custom profile data in the QR code by hashing it.

  6. Once done, click Save & Close.

Additionally, you can click the gear icon to open the Settings dialog anytime you’d like to modify the existing app settings.

Knox Mobile Enrollment Direct profiles

The PC app lets you create two types of profiles:

  • A Configuration profile lets you customize device settings such as display, sounds, key mappings, and more. See how you can create configuration profiles.

    • Expert mode — Device configuration profiles in Expert mode allow you to directly extract, configure, and upload the XML files for device configurations derived from the Knox Service Plugin schema. Expert mode relies on the Java Runtime Environment (JRE) to unpack the Knox Service Plugin APK file and extract the configuration file. Therefore, JRE 1.8 is necessary for Expert mode to function correctly.
  • A Deployment profile helps you configure settings related to enrolling devices, installing apps, and applying configuration profiles during initial device setup. Learn how you can create device deployment profiles.

These profiles generate either XML files or QR codes that you can share with your users so they can self-provision their devices.

Create configuration profiles

The device user can manually change these settings on the device once the device is configured.

To create a device configuration profile:

  1. On the Profiles screen, click Create profile.

  2. Select Configuration profile.

    • Expert mode — Device configuration profiles in Expert mode allow you to directly extract, configure, and upload device configuration XML files based on the Knox Service Plugin schema.
  3. On the Profile details screen, enter a Profile name and click Continue.

  4. (Optional) Configure the device’s display settings:

    • Screen timeout settings — Select the duration of device inactivity after which its screen would timeout.

    • Brightness — Set the brightness of the device and whether it should use adaptive brightness, which automatically adjusts the device brightness based on external lighting.

    • Font settings — Set the default font size to use for the device.

    • Touch sensitivity settings — Increase the touch sensitivity of the screen in special cases, such as while wearing gloves when a device has a thick screen protector.

  5. (Optional) On the Key configuration screen, configure the button order and outcomes of key presses:

    These settings are supported only for fully managed devices.

    • Navigation bar settings — Select the format and order of the app icons on the Navigation bar, for example Recent > Home > Back or Back > Home > Recent.

    • XCover/Active key settings — Select what happens when the device user presses the XCover key. You could either launch an app, broadcast system intent (Samsung intent or a custom intent), or open MS Teams.

    • Top key settings — Select what happens when the device user presses the top key. You could either launch an app or broadcast system intent (Samsung intent or a custom intent).

    • Side key settings — Select what happens when the device user presses the side key. You could either launch an app or broadcast system intent (Samsung intent or a custom intent).

  6. (Optional) On the General configuration screen:

    • NFC — Enables the use of Near-field communication on the device.

    • Wi-Fi blocklist — Specifies the SSIDs of Wi-Fi access points that are blocked and devices must not connect to. To add new blocked SSIDs, turn on the Wi-Fi blocklist and click Add SSID.

    • Sound — Specifies whether to selectively control the device’s volume.

    • System language and location — Sets the device’s language and location. These settings control the local timezone and language shown on the device.

    • DualDAR — Turn on this setting to configure DualDAR, a data-at-rest security solution that secures data on the device through two layers of encryption. Select either Device owner or Work profile on company-owned device. Then, configure other settings such as data lock timeout, restricting access to device encrypted (DE) storage, and allowlisting specific apps to access DE storage and run in a data-locked state.

    A DualDAR license is required to use this feature. Any devices assigned to a DualDAR-enabled profile without a license are locked. Contact your reseller to purchase a license.

  7. (Optional) On the Mobile network configuration screen:

    • Mobile data roaming — Turn device roaming on or off, including voice, text, or mobile data.

    • APN configurations — Set APN configurations:

      APN configurations are supported only on fully managed devices and not on company-owned devices with work profiles.

      • Name — Specify the name of your APN configuration for easy reference.

      • APN (Access Point Name) — Specify the endpoint for your APN. For example, enterprise.telco.com. You can get this value from your mobile operator.

      • Set as a preferred APN — Allows you to set this APN as a preferred APN.

      • MCC (Mobile Country Code) — Enter the MCC for your APN that uniquely identifies your mobile network operator, for example, 720. You can get this value from your mobile operator.

      • Authentication type — Set the user authentication protocol. Select either None, PAP, CHAP, or PAP or CHAP.

      • APN types — Denotes the type of data that will be transferred over the APN, which you can also get from your mobile operator.

      • APN protocol — Select the protocol to send data packets, for example IPv4 or IPv6. Select either IPv4 only, IPv6 only, or IPv4 or IPv6.

      • APN roaming protocol — Select the protocol to send data packets while roaming, for example IPv4 or IPv6. Select either IPv4 only, IPv6 only, or IPv4 or IPv6.

      • MMS details — Specify the MMS configuration details for the APN, such as MMSC, MMS proxy, and MMS port.

      • Advanced APN configuration — Turn this switch on if you’d like to specify advanced parameters of your APN configuration, such as the server, proxy, port, and user credentials.

      • Mobile virtual network operator (MVNO) — Turn this switch on to customize the MVNO configuration on the device.

        Available on devices running Knox v3.2.1 or higher.

      • Add APN configuration — Add up to a maximum of 20 additional APN configurations and set the aforementioned configurations for each of these APNs you add.

  8. Use the Summary screen to review and confirm all your settings and then click Generate XML/QR code to generate an XML file. Doing so generates a QR code which is saved and uploaded as an XML file on to the relay server that you configured in the app settings. This XML file allows the Knox Service Plugin agent to push this profile to your target devices.

  9. Finally, click Generate QR code > Download to download the QR code. Scanning the QR code lets you push this profile to your target devices.

Create deployment profiles

To create a device deployment profile:

  1. On the Profiles screen, click Create Profile.

  2. On the Profile details screen, enter the following information:

    • Profile name — Enter an appropriate profile name.

    • Organization name — Enter the name of the organization or business unit that the device user belongs to. Consider using different organization names to differentiate the disparate profiles you can push to different devices.

    • (Optional) Description — Enter a description for the profile.

  3. Configure the Wi-Fi network connection:

    • Skip this step, no Wi-Fi setup needed — Turn on this switch to skip Wi-Fi setup.

    • Set up Wi-Fi — Configure the following Wi-Fi attributes:

      • SSID name — Enter the name or the SSID of the Wi-Fi access point.

      • Wi-Fi MAC address randomization — Whenever the device connects to the Wi-Fi network, the router can assign a randomized MAC address to it, preventing malicious security threats.

      • Proxy — Select either Proxy auto-config (PAC) or None as the Wi-Fi proxy. You must provide the PAC web address if you select it as a proxy.

      • Security — Select the wireless security standard and enter a password. Contact your network admin that manages the Wi-Fi network for more details.

  4. (Optional) Captive Portal Mode — Turn on Captive portal mode (off by default) to control the detection of captive portals. Doing so skips network connection validation when you enroll devices running Android 14 or higher with Knox 3.10 in fully-managed mode. You can set the Captive portal mode to function in one of the two following ways:

    • Don’t attempt to detect captive portals — Captive portals are ignored during enrollment. Used for Android Enterprise enrollment in closed networks by default.

    • If detected, prompts the user to sign in — When a captive portal is detected, a notification prompts the device user to sign in.

    To apply this feature, the device user must reboot their device, then scan the QR code using a plus sign (+) gesture again.

  5. (Optional) Set the terms of the Legal agreement, including scenarios where the location, organization, or other properties of the target device necessitate a custom privacy policy, legal agreement URI, or terms of service:

    • Title — Specify the name of the legal agreement applicable to the device.

    • Legal agreement URI — Provide the URI of the custom legal agreement or terms of service applicable to the device.

  6. Configure the following Android Enterprise profile settings on the Android Enterprise enrollment screen:

    • EMM provider — Select an EMM provider used to manage the target device.

    • EMM agent URI — Enter the URI of the location that hosts the EMM client APK.

    • EMM agent’s receiver component name — Enter a name for the admin package deployed to the device. The admin package component name must follow the package name/class name format. For more information, see the Knox Mobile Enrollment documentation.

    • EMM agent signature checksum — Enter the value of the admin package’s signature checksum. The admin package signature checksum is the Base64-encoded SHA-256 hash of the EMM APK signature. Contact your EMM for these details. Additionally, check the Android developer documentation > DevicePolicyManager#EXTRA_PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM.

      Alternatively, you can use utilities such as Keytool on Linux to get this value. See How do I get the signature checksum of my APK? on StackOverflow for additional information about Keytool.

    • (Optional) EMM server URI — Enter the URI of the EMM server for the target devices to connect to.

    • (Optional) Custom JSON Data (as defined by EMM) — Enter the custom data in JSON format that is sent to the EMM agent. Usually, this information is the ID and password for the EMM agent to log in to the EMM server. For example, {"gid":"mygid","un":"myusername","pw":"mypassword"}. Contact your EMM for more information.

    • (Optional) DualDAR — Turn the DualDAR switch on to configure DualDAR, a data-at-rest security solution that secures data on the device through two layers of encryption. You can also select both Use 3rd party crypto application and Add package and signature to enter the package name, URL, and signature of a third-party crypto app for customizing the second layer of encryption. Click Save to record the changes to DualDAR settings.

      A DualDAR license is required for this feature. Any devices assigned to a DualDAR-enabled profile without a license are locked. Contact your reseller to purchase a license.

    • (Optional) Root or intermediate certificate — Click Upload to upload a root certificate. You can deploy up to five certificates.

    • (Optional) Device enrollment screens — Skip enrollment screens during device setup and simplify device enrollment, depending on the Android version:

      Android version       | Which screens can you skip?
      Android 13 or higher  | Skip all Android Enterprise setup screens.
      Android 14 or higher  | Skip setup wizard after EMM enrollment.

  7. (Optional) On the Additional deployment options screen:

    • Device configuration — Denotes the location of your relay server that stores the XML file of a configuration profile and the Knox Service Plugin agent. This URI can start with http:// or https://.

      • URI for Device configuration profile (XML file) — Select the configuration profile and populate the associated URI of its XML file.

        You can configure this setting either for an existing configuration profile, or apply it after you create a new configuration profile.

      • URI for the Knox Service Plugin (KSP) agent (APK file) — Set the URI of the Knox Service Plugin APK agent that the target devices would download.

    • Knox Enrollment Service agent update — Update the Knox Enrollment Service agent from a locally-hosted relay server within closed network environments. This ensures that new features can be supported whenever the updated Knox Enrollment Service agent is released, without waiting for OS upgrades.

    • System applications — Select Leave all system apps enabled to ensure that all pre-installed system apps are enabled and available to the profile even in closed networks. If another value is selected, only a limited set of default system apps such as My Files, Contacts, and Google Play Store is available in the device’s apps tray. System apps can’t be installed or removed by the device user.

      • System apps are disabled by default.
      • When using Knox Mobile Enrollment with Knox Configure, disabling system apps may lead to conflicts with Knox Configure.
    • Additional applications — Deploy up to 10 additional apps on to the target device by providing their package name, signature checksum, and download URI.

  8. Use the Summary screen to review and confirm all your settings and click Generate QR code to generate the QR code. Multiple QR codes, if applicable, are generated in order, but can be scanned based on the scanning order you selected in your app settings. You can then share these QR codes with the device users of the target devices, who then use the codes to set up the devices.
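
The EMM agent signature checksum in step 6 and the per-app signature checksum under Additional applications in step 7 can be checked before a QR code is generated. The following is an added example, not part of the Knox tooling or documentation: it derives the checksum from a SHA-256 certificate fingerprint (the hex form Keytool prints) or from the certificate bytes, compares it with a pasted value, and checks the package name/class name format. It assumes the URL-safe Base64 alphabet that the Android documentation specifies for this extra, with padding stripped; all function names and sample values are hypothetical.

```python
import base64
import hashlib
import hmac
import re


def _b64url(digest: bytes) -> str:
    # URL-safe alphabet; '=' padding stripped (assumption: the field accepts unpadded input).
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def checksum_from_cert_der(cert_der: bytes) -> str:
    """Checksum from the raw DER bytes of the APK signing certificate."""
    return _b64url(hashlib.sha256(cert_der).digest())


def checksum_from_fingerprint(fingerprint: str) -> str:
    """Checksum from a SHA-256 fingerprint in hex, with or without ':' separators."""
    hex_digits = re.sub(r"[:\s]", "", fingerprint)
    if not re.fullmatch(r"[0-9A-Fa-f]{64}", hex_digits):
        raise ValueError("expected 32 bytes of hex (a SHA-256 fingerprint)")
    return _b64url(bytes.fromhex(hex_digits))


def decode_checksum(entered: str) -> bytes:
    """Decode a pasted checksum (either alphabet, padded or not) to its 32-byte digest."""
    value = entered.strip().rstrip("=").replace("+", "-").replace("/", "_")
    if not re.fullmatch(r"[A-Za-z0-9_-]{43}", value):
        raise ValueError("a SHA-256 checksum is 43 Base64 characters before padding")
    return base64.urlsafe_b64decode(value + "=")


def checksum_matches(entered: str, cert_der: bytes) -> bool:
    """True if the value typed into the profile matches the certificate in hand."""
    expected = hashlib.sha256(cert_der).digest()
    return hmac.compare_digest(decode_checksum(entered), expected)


# package name/class name; the class may be fully qualified or start with '.'
_COMPONENT = re.compile(
    r"[A-Za-z]\w*(\.[A-Za-z]\w*)+/\.?[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*"
)


def is_component_name(value: str) -> bool:
    """Check the receiver component name against the package/class format."""
    return _COMPONENT.fullmatch(value) is not None


if __name__ == "__main__":
    # Constructed stand-in bytes, not a real certificate.
    cert = b"constructed stand-in for DER certificate bytes"
    checksum = checksum_from_cert_der(cert)
    print(checksum, checksum_matches(checksum, cert))
    # Hypothetical component name.
    print(is_component_name("com.example.emm/.AdminReceiver"))
```

A mismatch between the pasted value and the certificate you hold means the device would reject the downloaded APK during provisioning, so it is worth catching before the QR code is shared.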

Manage existing profiles

In addition to creating new profiles, IT admins can manage existing profiles from the Profiles screen. Once IT admins create one or more profiles, they are listed on the Profiles screen. From this screen, they can modify or delete profiles.

Modify existing profiles

To make changes to an existing profile:

  1. On the Profiles screen on the Knox Mobile Enrollment Direct app, select the profile you want to modify.

  2. On the side panel, expand the particular setting you’d like to edit and click Edit. Modify the setting, then click Save.

  3. Download the updated QR code or XML file from the QR code generated section. Share the updated QR code or XML file with the device users of the target devices.

Delete profiles

To delete an existing profile:

  1. On the Profiles screen of the Knox Mobile Enrollment Direct app, select the profile you’d like to delete.

  2. Click Delete Profile.

The target devices to which the profile was previously pushed remain unchanged, since there is no communication between the desktop app and the target devices.
