
Setup and config for admins

Last updated October 30th, 2023

Knox Mobile Enrollment Direct, just like KME, enables IT administrators to create device configuration profiles that device users can use to set up and configure their enterprise devices.

We recommend that the IT admin create a new device configuration profile for each type of employee or their role. Some examples of different employee roles are: HR generalist, Technical or Customer Support representative, and teacher or medical professional. Creating a new profile for each role ensures that the devices are sufficiently customized for all activities required for the employee to perform their jobs. This customized profile also includes the appropriate security restrictions to safeguard the enterprise’s data, such as disabling high-bandwidth video streaming or automatic app updates and wiping company data if a device is lost or stolen.

Access the Knox Mobile Enrollment Direct app

Samsung Resellers or enterprise IT admins with authorized Samsung Accounts can access the Knox Mobile Enrollment Direct app from the Knox Mobile Enrollment Direct download page on SamsungKnox.com.

To get access to Knox Mobile Enrollment Direct, do as follows:

  1. Create a Samsung Account. For more information on how to create your Samsung Account, see Create your Samsung account.

  2. Go to the Knox Mobile Enrollment Direct page and click the Knox Mobile Enrollment Direct installer.

  3. Continue to download and install the Knox Mobile Enrollment Direct app.

Download and install the Knox Mobile Enrollment Direct app

Once your access is approved, do as follows to download and install the Knox Mobile Enrollment Direct PC app to your local computer:

  1. From a Windows computer that meets the minimum system requirements, sign in to your Samsung Knox account. Then, go to the Knox Mobile Enrollment Direct download page.

  2. Double-click the Knox Mobile Enrollment Direct installer to open the installer and start the installation process.

  3. Read and review the License Agreement. If you agree to the terms of the agreement, click Next.

  4. When prompted, create your passcode, and then click Next. This passcode is saved to your local drive and you must use it whenever you use the Knox Mobile Enrollment Direct app again. Choose a passcode that meets the following minimum requirements:

    • Between 4 and 12 characters

    • Includes numerals

    • Uses a mix of upper and lowercase letters

    • Includes one or more of these special characters: !, @, #, $, %, ^, &, or *.

  5. On this screen, you can create and download your recovery key to your local drive. To download the recovery key, do as follows:

    1. In the Recovery key field, click copy to copy the key to your clipboard.

    2. Paste the key you copied into a text editor, like Notepad.

    3. Save the file to your local storage. We recommend giving the file a meaningful name, such as Knox Mobile Enrollment Direct Recovery Key.

    This recovery key is the crucial component to resetting your Knox Mobile Enrollment Direct app password. If you forget your Knox Mobile Enrollment Direct app password, you can use this recovery key to reset it. Once you save your recovery key, click Next to continue.

  6. By default, the Knox Mobile Enrollment Direct installer generates an activation request key.

  7. Use the activation request key to generate the license activation key:

    1. In the installer, click copy to copy the activation request key to the clipboard.

    2. Click My Knox page to navigate to the Knox Admin Portal.

    3. Sign in. The Knox Mobile Enrollment Direct page opens.

    4. Paste the activation request key and click Generate to generate the license activation key.

  8. Click copy to copy the license activation key, then paste it into the installer.

  9. Click Start Installation.

  10. Select a destination on your file system to install Knox Mobile Enrollment Direct, then click Start Installation.

On the confirmation screen that opens, click Launch to close the installer and open the Knox Mobile Enrollment Direct app. Once the app is installed on your computer, you can launch the Knox Mobile Enrollment Direct app.

Launch the Knox Mobile Enrollment Direct app

To open the Knox Mobile Enrollment Direct app, do as follows:

  1. On your local computer, navigate to the location where you installed your Knox Mobile Enrollment Direct app, and double-click the Knox Mobile Enrollment Direct installer file to open it. Alternatively, navigate to your desktop, and double-click the Knox Mobile Enrollment Direct desktop shortcut.

  2. When prompted, enter the Knox Mobile Enrollment Direct passcode that you created during installation, and click OK. The Profiles screen opens.

  3. From this screen, you can now create new profiles as well as modify and delete existing profiles.

  4. In the upper right-hand corner, click the gear to open the Settings popup. From here, you can choose between Built-in relay server or Local server (advanced). If you select built-in server, then the Shared folder, URI, and Port fields are auto-populated based on your current IP address. If you select local server, fill out the Local server URI for a Device Configuration profile field. Then, click the Browse button. In the file explorer, select a location and click OK to fill the PC location to save XML file field.

  5. Under Enrollment QR code creation, select one of the following scanning orders to scan multiple QR codes:

    • Multiple QR codes in order (Android 11 or higher, Knox 3.7 or higher)

    • Multiple QR codes in any order (Android 12 or higher, Knox 3.8 or higher)

    • Minimized single QR code (Android 13 or higher, Knox 3.9 or higher)

    • Minimized single QR code with hiding passwords (Android 14 or higher) — Secures the Wi-Fi SSID, password, and custom profile data in the QR code by hashing it.

  6. Save & Close.

Create new profiles

Currently, IT admins can use Knox Mobile Enrollment Direct to create two types of profiles:

  • Configuration profile containing settings for customizing device settings such as display, sounds, key mapping, and other general settings. Learn how to create device configuration profiles.

    • Expert mode — Device configuration profiles in Expert mode allow you to directly extract, configure, and upload device configuration XML files derived from the Knox Service Plugin schema. Expert mode relies on the Java Runtime Environment (JRE) to unpack the Knox Service Plugin APK file and extract the device configuration XML file. Therefore, JRE 1.8 is necessary for Expert mode to function correctly.
  • Deployment profile containing information on enrolling devices, installing apps, and applying Configuration profiles during the initial setup process. Learn how to create device deployment profiles.

When creating each of these types of profiles, IT admins create XML files or QR codes (for device configuration profiles), or QR codes (for device deployment profiles) for target devices that device users can use to configure their devices.

For more information about some of the custom settings available to IT admins using Knox Mobile Enrollment Direct, see Custom profile configurator settings.

Custom profile configurator settings

The following table describes some of the custom configurations that IT admins can apply to devices using profiles in Knox Mobile Enrollment Direct.

Category — Settings configurable using Knox Mobile Enrollment Direct

Hardware key configuration
  • For XCover/Active Key — Launch MS Teams, broadcast custom intent, or launch an app
  • Top Key — Broadcast custom intent or launch an app
  • Side Key — Broadcast custom intent or launch an app on double press
Display configuration
  • Outdoor mode — Configure brightness, screen timeout, and font size
  • Glove mode — Configure touch sensitivity of the device's screen
Network configuration
  • Wi-Fi or network settings, such as turning Wi-Fi disallowed list options on or off to prevent blocking a network connection because of poor network quality

Create device configuration profiles

To create a device configuration profile, do as follows:

The device user can change these settings manually, on the device after automatic device configuration using Knox Mobile Enrollment Direct is complete.

  1. Launch the Knox Mobile Enrollment Direct app, and on the Profiles screen that opens click Create Profile.

  2. On the Select profile type to create screen that opens, click Configuration Profile.

    • Expert mode — Device configuration profiles in Expert mode allow you to directly extract, configure, and upload device configuration XML files based on the Knox Service Plugin schema.
  3. On the Profile Details screen that opens, in the Profile name field, enter an appropriate value, and then click Continue. We recommend using a name that signifies the purpose of the profile, such as DisplaySettingsHealth, SoundProfileIT.

  4. On the Display Configuration screen that opens, configure the following settings, and then click Continue:

    • Screen timeout settings — Select whether the screen should timeout after a certain time interval.

    • Brightness levels — Set the brightness levels for the device, as well as whether the device should use adaptive brightness settings that automatically adjust the brightness levels based on external lighting.

    • Font settings — Set the default font size to use for the device.

    • Touch sensitivity settings — Increase the touch sensitivity of the screen in special cases, such as while wearing gloves or when a device has a thick screen protector.

  5. On the Key Configuration screen that opens, configure the following settings, and then click Continue:

    • Navigation bar settings — Select the format and order of app icons on the Navigation bar, for example Back button > Home button > App or Apps > Home button > Back button.

    • XCover/Active key settings — Select what happens when the device user presses the XCover key. The options available are: Application launch, Intent broadcasting, or MS Teams. When you select Application launch or Intent broadcasting, the screen refreshes to show fields that allow you to customize what happens when the key is pressed.

    • Top key settings — Select what happens when the device user presses the top key. Use the fields under this heading to customize what happens when the key is pressed.

    • Side key settings — Select what happens when the device user presses the side key. Use the fields under this heading to customize what happens when the key is pressed. You can specify that launching an app requires a double press.

  6. On the General configuration screen, configure the following settings, and then click Continue:

    • NFC settings — Set whether you want to enable the use of Near Field Communication (NFC) apps on the device.

    • Wi-Fi Blocklist settings — Specify the SSIDs of Wi-Fi connections that are blocked and to which the device must not connect. To add new blocked SSIDs, in the Wi-Fi Blocklist section, click Add and in the field that shows add the SSID. You can also specify that the device user cannot accidentally add SSIDs associated with safe and allowed Wi-Fi connections to the blocklist.

    • Sound settings — Specify whether to selectively control the device’s volume, such as setting it to 100%.

    • System language and location settings — Set the device’s language and location. These settings control the local timezone and language shown on the device.

    • (Optional) Configure DualDAR — Turn on this setting to configure DualDAR, a data-at-rest security solution that secures data on the device through two layers of encryption. Select either Device Owner or Work profile on company-owned device. Then, configure related settings such as data lock timeout, restricting access to device encrypted (DE) storage, and allowlisting specific apps to access DE storage and to run in data locked state. A DualDAR license is required to use this feature. Any devices assigned to a DualDAR-enabled profile without a license are locked. Contact your reseller to purchase a license.

  7. On the Mobile network configuration screen, configure the following settings, and then click Continue:

    • Roaming — Turn device roaming on or off, including voice/text and data.

    • APN configurations — Add APN settings such as:

      • Name — Specify the name of your APN configuration for easy reference.

      • APN (Access Point Name) — Use this to specify the endpoint for your APN. For example, enterprise.telco.com. You can get this value from your mobile operator.

      • Set as a preferred APN — Use this toggle to set as a preferred APN.

      • MCC (Mobile Country Code) — Enter the MCC for your APN that uniquely identifies your mobile network operator, for example, 720. You can also get this value from your mobile operator.

      • Authentication type — Select from None, PAP, CHAP, or PAP or CHAP.

      • APN types — The type of data that will be transferred over the APN, which you also get from your mobile operator.

      • APN protocol — Select from IPv4 only, IPv6 only, or IPv4 or IPv6.

      • APN roaming protocol — Select from IPv4 only, IPv6 only, or IPv4 or IPv6.

      • MMS details — Specify MMS configuration details for the APN, such as MMSC, MMS proxy, and MMS port.

      • Advanced APN configuration — Toggle this option if you want to specify advanced parameters of your APN configuration.

      • Mobile virtual network operator (MVNO) — Toggle this option to customize the MVNO configuration on the device. This feature is available on devices running Knox v3.2.1 or higher.

      • Add APN configuration — Add up to a maximum of 20 additional APN configurations.

  8. On the Summary screen, confirm the settings you have just set and then click Continue.

  9. On the QR code configuration screen, click Generate QR code. Scan the QR code to apply the profile to your device. You can adjust the QR code size, if required. The image dimensions of the code can be a minimum size of 400 px by 400 px, up to a maximum of 600 px by 600 px. The code is saved as an XML file at the location you selected under Settings when launching the app.

Create device deployment profiles

To create an EMM or device deployment profile, do as follows:

  1. Launch the Knox Mobile Enrollment Direct app, and on the Profiles screen that opens click Create Profile.

  2. On the Device type for profile screen that opens, select the Knox SDK version for your devices. Click Continue.

  3. On the Select profile type screen that opens, click Device Deployment Profile (QR Code).

  4. On the Profile Details screen that opens, enter the following information, and then click Continue:

    • Profile name — Enter an appropriate value that signifies the purpose of the profile, such as DisplaySettingsHealth, SoundProfileIT.

    • Organization name — Enter the name of the organization or business unit that the device user belongs to. You can use different organization names to differentiate between the various settings that apply to the device.

    • Description — Enter a clear and concise description of the purpose of this particular profile.

  5. On the Wi-Fi network connection policy screen that opens, configure the following settings, and then click Continue:

    • Set up Wi-Fi

    • SSID name — Enter the name or the SSID of the Wi-Fi network that you want the device to access.

    • Wi-Fi MAC address randomization — Whenever the device connects to the Wi-Fi network, the router can assign a randomized MAC address to it, preventing malicious security threats from using MAC addresses to build a history of device activity. Ultimately, this feature increases device user privacy.

    • Proxy information — Set whether the Wi-Fi network uses a proxy server.

    • Security information — Use the fields in this section to add detailed security information such as type of security and password. These details are available from the network administrator that created or manages the Wi-Fi network.

  6. Captive Portal Mode — Turn on Captive portal mode (off by default) to control the detection of captive portals. Doing so skips network connection validation when you enroll devices running Android 14 or higher with Knox 3.10 in fully-managed mode. You can set the Captive portal mode to function in one of the two following ways:

    • Don’t attempt to detect captive portals — Captive portals are ignored during enrollment. Used for Android Enterprise enrollment in closed networks by default.

    • If detected, prompts the user to sign in — When a captive portal is detected, a notification prompts the device user to sign in.

    To apply this feature, the device user must reboot their device, then scan the QR code using a plus sign (+) gesture again.

  7. On the Legal agreement screen that opens, configure the following settings, and then click Continue. In cases where the location, organization, or other properties of the target device necessitate a custom privacy policy, Legal agreement URI, or Terms of Service, IT admins can use this screen to specify the Legal Agreements to use.

    • Title — Specify the name of the Legal Agreement that is applicable to the device.

    • Legal agreement URI — Add the URL of the custom Legal Agreement or Terms of Service applicable to the device.

  8. On the Android Enterprise enrollment screen, configure the following settings, and then click Continue:

    • EMM provider — In the EMM provider list, select the name of the EMM provider which is used to manage the target device.

    • EMM agent URI — Enter the URI of the provider APK host applicable to this profile.

    • EMM agent’s receiver component name — Enter a name for the admin package deployed to the device. The format of the admin package component name is set to package name/class name. For example, for the Workspace ONE UEM, the package name is set to com.airwatch.androidagent/com.airwatch.agent.DeviceAdministratorReceiver. For more information see KME admin guide.

    • EMM agent signature checksum — Enter the value of the admin package’s signature checksum. The admin package’s signature checksum is the URL-safe Base64-encoded SHA-256 hash of the EMM APK signature. You can get this value from your EMM. For more information, see Android developer documentation > DevicePolicyManager#EXTRA_PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM. Alternatively, you can use utilities such as Keytool on Linux to get this value. See How do I get the signature checksum of my APK? on StackOverflow for additional information about Keytool.

    • EMM server URI — Enter the URI of the EMM server to connect to from the target devices.

    • Custom JSON Data (as defined by EMM) — Enter the custom data in JSON format that is sent to the EMM agent. Usually, this information is the ID and password for the EMM agent to log in to the EMM server. For example, {"gid":"mygid","un":"myusername","pw":"mypassword"}.

    • (Optional) DualDAR — Turn on this setting to configure DualDAR, a data-at-rest security solution that secures data on the device through two layers of encryption. A DualDAR license is required for this feature. Any devices assigned to a DualDAR-enabled profile without a license are locked. Contact your reseller to purchase a license. Once enabled, you can also select both Use 3rd party crypto application and Add package and signature to enter the package name, URL, and signature of a third-party crypto app for customizing the second layer of encryption. Click Save to record the changes to DualDAR settings.

    • Root or intermediate certificate — To upload this certificate, click Upload to open a file browser. Follow on-screen instructions to look for and upload the appropriate file. You can deploy up to five certificates.

    • (Optional) Device enrollment screens — Skip enrollment screens during device setup and simplify device enrollment, depending on the Android version:

      Android version — Which screens can you skip?
      • Android 13 or higher — Skip all Android Enterprise setup screens.
      • Android 14 or higher — Skip setup wizard after EMM enrollment.
  9. If necessary, on the Additional deployment options screen, configure the following settings, and then click Continue. These settings are optional and not necessary to create this profile.

    You can only configure the following settings if you have previously set up a Device configuration profile.

    • Local server URI for a Device Configuration Profile (XML) — The location on your relay server where you have created and saved the Device Configuration profile, from where target devices can download the XML file. This URI can start with http:// or https://.

    • Local server URI for the Knox Service Plugin agent (APK file) — Use the fields in this section to add the URI of the KSP APK installation file to download to target devices. This URI must start with http:// or https://.

    • Knox Enrollment Service agent update — Update the Knox Enrollment Service agent from a locally-hosted relay server within closed network environments. This ensures that new features can be supported whenever the updated Knox Enrollment Service agent is released, without waiting for OS upgrades.

    • System applications — Select Leave all system apps enabled to ensure that all pre-installed system apps are enabled and available to the profile even in closed networks. If another value is selected, only a limited set of default system apps such as My Files, Contacts, and Google Play Store is available in the device’s apps tray. Systems apps can’t be installed or removed by the device user.

      When using Knox Mobile Enrollment with Knox Configure, disabling system apps may lead to conflicts with Knox Configure.

    • Package name and Signing key — Use these fields to indicate your package name, such as com.samsung.android.knox.kpu, and the associated signing key.

    • Additional applications — Similar to the KSP app specified in the previous field, you can use this section to add information about other apps that you want to install offline on the target device.

  10. On the Summary screen, confirm the settings you have just set and then click Generate QR Code. The QR Code is generated and saved to your local drive. Multiple QR codes, if applicable, are generated in order, but can be scanned based on the scanning order you selected in Settings. You can then share these QR codes with the users of the target devices, who then use the codes to set up the devices.
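
The EMM agent values entered in step 8 can be checked before a QR code is generated. The following Python is an added example, not Samsung's code: it derives the signature checksum in the URL-safe Base64 form described in step 8 and sanity-checks the receiver component name, agent URI, and custom JSON. Assumptions: the function names, the example URL, and the placeholder certificate bytes are hypothetical; "signature" is taken to mean the APK signing certificate as reported by Keytool; and the trailing '=' padding is stripped, as is common for this provisioning extra.

```python
import base64
import hashlib
import json
import re
from urllib.parse import urlparse

# "package name/class name" format from step 8, e.g. the Workspace ONE value.
_COMPONENT_RE = re.compile(
    r"[A-Za-z]\w*(\.[A-Za-z]\w*)+/\.?[A-Za-z]\w*(\.[A-Za-z]\w*)*", re.ASCII
)
# 32 hash bytes encode to 43 URL-safe Base64 characters once '=' is stripped.
_CHECKSUM_RE = re.compile(r"[A-Za-z0-9_-]{43}")


def _encode(digest: bytes) -> str:
    # Assumption: padding is removed from the URL-safe encoding.
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def checksum_from_cert_der(cert_der: bytes) -> str:
    """SHA-256 over the DER signing certificate, URL-safe Base64 encoded."""
    return _encode(hashlib.sha256(cert_der).digest())


def checksum_from_fingerprint(fingerprint: str) -> str:
    """Re-encode a keytool-style SHA-256 fingerprint (AA:BB:...) as the checksum."""
    raw = bytes.fromhex(fingerprint.replace(":", "").strip())
    if len(raw) != 32:
        raise ValueError("a SHA-256 fingerprint is exactly 32 bytes")
    return _encode(raw)


def check_enrollment_fields(agent_uri, component, checksum, custom_json):
    """Return a list of problems found in the step 8 values (empty if none)."""
    problems = []
    parsed = urlparse(agent_uri)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        problems.append("EMM agent URI is not an http(s) URL")
    if not _COMPONENT_RE.fullmatch(component):
        problems.append("receiver component is not package/class")
    if not _CHECKSUM_RE.fullmatch(checksum):
        problems.append("checksum is not unpadded URL-safe Base64 of 32 bytes")
    try:
        # Typographic quotes pasted from a document make this parse fail.
        if not isinstance(json.loads(custom_json), dict):
            problems.append("custom data is not a JSON object")
    except json.JSONDecodeError:
        problems.append("custom data is not valid JSON")
    return problems


if __name__ == "__main__":
    # Constructed placeholder bytes, not a real certificate.
    sample_cert = b"constructed-placeholder-signing-certificate"
    checksum = checksum_from_cert_der(sample_cert)
    print(checksum)
    print(check_enrollment_fields(
        "https://emm.example.com/agent.apk",  # hypothetical URL
        "com.airwatch.androidagent/com.airwatch.agent.DeviceAdministratorReceiver",
        checksum,
        '{"gid":"mygid","un":"myusername","pw":"mypassword"}',
    ))
```

Because the custom JSON typically carries EMM credentials, run a check like this on the admin PC only and keep the resulting QR codes out of shared channels.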

Manage existing profiles

In addition to creating new profiles, IT admins can manage existing profiles from the Profiles screen. Once IT admins create one or more profiles, they are listed on the Profiles screen. From this screen, they can modify or delete profiles.

Modify existing profiles

To make changes to an existing profile, do as follows:

  1. Launch the Knox Mobile Enrollment Direct app, and on the Profiles screen that opens, find the profile you want to modify and click the profile name link. The appropriate profile page opens.

  2. On the screen that opens, click Edit. The profile screen changes to edit mode.

  3. Follow on-screen instructions to make necessary changes, and generate the updated QR code or XML file. Share the updated QR code or XML file with the users of the target devices.

Delete profiles

To delete an existing profile, do as follows:

  1. Launch the Knox Mobile Enrollment Direct app, and on the Profiles screen that opens, find the profile you want to delete and click the checkbox next to the appropriate profile name to select it.

  2. With the checkbox selected, click Delete Profile. The page refreshes with the selected profile removed from the list of profiles. The devices to which the profile was previously applied remain unchanged, as there is no communication between the PC desktop app and the target devices.
