Menu

Set up and configuration for IT admins

Knox Mobile Enrollment Direct, just like KME, enables IT administrators to create device configuration profiles that device users can use to set up and configure their enterprise devices.

NOTE—We recommend that the IT admin create a new device configuration profile for each type of employee or their role. Some examples of different employee roles are: HR generalist, Technical or Customer Support representative, and teacher or medical professional. Creating a new profile for each role ensures that the devices are sufficiently customized for all activities required for the employee to perform their jobs. This customized profile also includes the appropriate security restrictions to safeguard the enterprise’s data, such as disabling high-bandwidth video streaming or automatic app updates and wiping company data if a device is lost or stolen.

Access the Knox Mobile Enrollment Direct application

Samsung Resellers or enterprise IT admins with authorized Samsung Accounts can access the Knox Mobile Enrollment Direct app from the Knox Mobile Enrollment Direct download page on SamsungKnox.com.

To get access to Knox Mobile Enrollment Direct, do as follows:

  1. Create a Samsung Account. For more information on how to create your Samsung Account, see Create your Samsung account.
  2. Go to the Knox Mobile Enrollment Direct page and click the Knox Mobile Enrollment Direct installer.
  3. Continue to download and install the Knox Mobile Enrollment Direct app.

Download and install the Knox Mobile Enrollment Direct app

Once your access is approved, do as follows to download and install the Knox Mobile Enrollment Direct PC app to your local computer:

  1. From a Windows computer that meets the minimum system requirements, log in to your Knox.com account. Then, go to the Knox Mobile Enrollment Direct download page.
  2. Double-click the Knox Mobile Enrollment Direct installer to open the installer and start the installation process.
  3. When prompted, create your passcode, and then click Next. This passcode is saved to your local drive and you must use it whenever you use the Knox Mobile Enrollment Direct app again. Choose a passcode meets the following minimum requirements:
    • Between 4 and 12 characters
    • Includes numerals
    • Uses a mix of upper and lowercase letters
    • Includes one or more of these special characters: !, @, #, $, %, ^, &, or *.
  4. On this screen, you can create and download your recovery key to your local drive. To download the recovery key, do as follows:
    1. In the recovery key field, click Copy to copy the key to your clipboard.
    2. Open a text editor—such as Notepad or Notepad++—and paste the key you just copied.
    3. Save this file to your local drive. We recommend naming the file something meaningful, such as Knox Mobile Enrollment Direct Recovery Key.
    This recovery key is the crucial component to resetting your Knox Mobile Enrollment Direct app password. If you forget your Knox Mobile Enrollment Direct app password, you can use this recovery key to reset it. Once you save your recovery key, click Next to continue.
  5. When prompted and if you want to install the Knox Mobile Enrollment Direct app to a custom location on your computer, click Browse. The File Save as screen opens to let you choose your installation location. Once you’ve selected the installation location, click Next.
  6. On the confirmation screen that opens, click Launch to close the installer and open the Knox Mobile Enrollment Direct app. Once you’ve successfully installed the app to your computer, you can now launch the Knox Mobile Enrollment Direct app.

Launch the Knox Mobile Enrollment Direct app

To open the Knox Mobile Enrollment Direct app, do as follows:

  1. On your local computer, navigate to the location where you installed your Knox Mobile Enrollment Direct app, and double-click the Knox Mobile Enrollment Direct installer file to open it. Alternatively, navigate to your desktop, and double-click the Knox Mobile Enrollment Direct desktop shortcut.
  2. When prompted, enter the Knox Mobile Enrollment Direct passcode that you created during installation, and click OK. The Profiles screen opens.
  3. From this screen, you can now create new profiles as well as modify and delete existing profiles.
  4. On the upper right-hand side, you can open the Settings popup. From here, you can start the relay server. During installation, the Knox Mobile Enrollment Direct app suggests the URL using your current IP address, the port, and the shared folder by default. When the relay server is installed and running, every URL and URI related to it will be filled automatically as editable text when creating QR codes for device configuration profiles. Ensure the required fields are filled and select Save & Close.

Create new profiles

Currently, IT admins can use Knox Mobile Enrollment Direct to create two types of profiles:

  • Device configuration profile (XML/QR Code) containing settings for customizing device settings such as display, sounds, key mapping, and other general settings. Learn how to create device configuration profiles.
  • Device deployment profile (QR Code) containing basic information such as network connectivity settings and provisioning apps. Learn how to create device deployment profiles.

When creating each of these types of profiles, IT admins create XML files or QR codes (device configuration profiles), or QR codes (device deployment profiles) for target devices that device users can use to configure their devices.

For more information about some of the custom settings available to IT admins using Knox Mobile Enrollment Direct, see Custom profile configurator settings.

Custom profile configurator settings

The following table describes some of the custom configurations that IT admins can apply to devices using profiles in Knox Mobile Enrollment Direct.

Category

Settings configurable using Knox Mobile Enrollment Direct

Hardware key configuration

  • For XCover/Active Key—Launch MS Teams, broadcast custom intent, or launch an app
  • Top Key—Broadcast custom intent or launch an app

Display configuration

  • Outdoor mode—Configure brightness, screen timeout, and font size
  • Glove mode—Configure touch sensitivity of the device’s screen

Network configuration

Wi-Fi or network settings such as turning Wi-Fi disallowed list options on or off to prevent blocking a network connection because of poor network quality

Create device configuration profiles

To create a device configuration profile, do as follows:

NOTE—The device user can change these settings manually, on the device after automatic device configuration using Knox Mobile Enrollment Direct is complete.
  1. Launch the Knox Mobile Enrollment Direct app, and on the Profiles screen that opens click Create Profile.
  2. On the Device type for profile screen that opens, select the Knox SDK version for your devices. Click Continue.
  3. On the Select profile type screen that opens, click Device Configuration Profile (XML/QR Code).
  4. On the Profile Details screen that opens, in the Profile name field, enter an appropriate value, and then click Continue. We recommend using a name that signifies the purpose of the profile, such as DisplaySettingsHealth, SoundProfileIT.
  5. On the Display Configuration screen that opens, configure the following settings, and then click Continue:
    • Screen timeout settings—Select whether the screen should timeout after a certain time interval.
    • Brightness levels—Set the brightness levels for the device, as well as whether the device should use adaptive brightness settings that automatically adjust the brightness levels based on external lighting.
    • Font settings—Set the default font size to use for the device.
    • Touch sensitivity settings—Increase the touch sensitivity of the screen in special cases, such as while wearing gloves when a device has a thick screen protector.
  6. On the Key Configuration screen that opens, configure the following settings, and then click Continue:
    • Navigation bar settings—Select the format and order of app icons on the Navigation bar, for example Back button > Home button > App or Apps > Home button > Back button.
    • Home key settings—Select the app to launch when the Home key is tapped, essentially remapping the Home key to the new app. The default value of this key is set to Google Assistant.
    • XCover/Active key settings—Select what happens when the device user presses the XCover key. The options available are: Application launch, Intent broadcasting, or MS Teams. When you select Application launch or Intent broadcasting, the screen refreshes to show fields that allow you to customize what happens when the key is pressed.
    • Top key settings—Select what happens when the device user presses the top key. Use the fields under this heading to customize what happens when the key is pressed.
  7. On the General configuration screen, configure the following settings, and then click Continue:
    • NFC settings—Set whether you want to enable the use of Near Field Communication (NFC) apps on the device.
    • Wi-Fi Blocklist settings—Specify the SSIDs of Wi-Fi connections that are blocked and to which the device must not connect. To add new blocked SSIDs, in the Wi-Fi Blocklist section, click Add and in the field that shows add the SSID. You can also specify that the device user cannot accidentally add SSIDs associated with safe and allowed Wi-Fi connections to the blocklist.
    • Sound settings—Specify whether to selectively control the device’s volume, such as setting it to 100%.
    • System language and country settings—Set the device’s language and country settings. These settings control the local timezone and language shown on the device.
  8. On the Mobile network configuration screen, configure the following settings, and then click Continue:
      • Roaming — Turn device roaming on or off, including voice/text and data.
      • APN configurations — Add APN settings such as:
        • Name — to specify the name of your APN configuration for easy reference.
        • APN (Access Point Name) — Use this to specify the endpoint for your APN. For example, enterprise.telco.com. You can get this value from your mobile operator.
        • Set as a preferred APN — use this toggle to set as a preferred APN.
        • MCC (Mobile Country Code) — Enter the MCC for your APN that uniquely identifies your mobile network operator, for example, 720. You can also get this value from your mobile operator.
        • Authentication type — Select from None, PAP, CHAP, PAPAut or CHAP.
        • APN types — the type of data that will be transferred over the APN, which you also get from your mobile operator.
        • APN protocol — Select from IPv4 only, IPv6 only, or IPv4 or IP6.
        • APN romancing protocol — Select from IPv4 only, IPv6 only, or IPv4 or IP6.
        • MMS details — Specify MMS configuration details for the APN, such as MMSC, MMS proxy, and MMS port.
        • Advanced APN configuration — Toggle this option if you want to specify advanced parameters of your APN configuration.
        • Mobile virtual network operator (MVNO) — Toggle this option to customize the MVNO configuration on the device. This feature is available on devices running Knox v3.2.1 or higher.
        • Add APN configuration — Add up to a maximum of 20 additional APN configurations.
  9. On the Summary screen, confirm the settings you have just set and then click Continue.
  10. On the XML settings screen, you can specify where to host the generated Device Configuration profile XML file, such as the built-in server URI or your own local server.
    • If you opt for the built-in server URI, enter the XML file name and select Generate XML/QR code. The button generates the XML file. Then, follow the same QR code flow as found in the Device Deployment profile section.
    • If you opt for your own local server, fill out the required information and click Generate XML. After generating and saving your XML file to your PC, place the file into the location of your local server and specify the local server URL/folder in the required field. Finally, select Generate QR code.
NOTE—Version 1.2 introduces the ability to apply new XML configurations multiple times simply by scanning a QR code to change the settings of devices that are already distributed to end-users. Once XML and QR codes with the new settings are created, they can be uploaded to the relay server. Then, devices can simply scan this QR code and download the new XML settings. If the device has been previously configured with KSP through Knox Mobile Enrollment Direct, configuration updates can now be pushed through QR codes. The code can be generated containing the link to the XML file and KSP can simply download and apply the latest configuration.

Create device deployment profiles

To create an EMM or device deployment profile, do as follows:

  1. Launch the Knox Mobile Enrollment Direct app, and on the Profiles screen that opens click Create Profile.
  2. On the Device type for profile screen that opens, select the Knox SDK version for your devices. Click Continue.
  3. On the Select profile type screen that opens, click Device Deployment Profile (QR Code).
  4. On the Profile Details screen that opens, enter the following information, and then click Continue:
    • Profile name—Enter an appropriate value that signifies the purpose of the profile, such as DisplaySettingsHealth, SoundProfileIT.
    • Organization name—Enter the name of the organization or business unit that the device user belongs to. You can use different organization names to differentiate between the various settings that apply to the device.
    • Description—Enter a clear and concise description of the purpose of this particular profile.
  5. On the Wi-Fi network connection policy screen that opens, configure the following settings, and then click Continue:
    • Set up Wi-Fi
    • SSID name—Enter the name or the SSID of the Wi-Fi network that you want the device to access.
    • Wi-Fi MAC address randomization—Whenever the device connects to the Wi-Fi network, the router can assign a randomized MAC address to it, preventing malicious security threats from using MAC addresses to build a history of device activity. Ultimately, this feature increases device user privacy.
    • Proxy information—Set whether the Wi-Fi network uses a proxy server.
    • Security information—Use the fields in this section to add detailed security information such as type of security and password. These details are available from the network administrator that created or manages the Wi-Fi network.
  6. On the Legal agreement screen that opens, configure the following settings, and then click Continue. In cases where the location, organization, or other properties of the target device necessitate a custom privacy policy, Legal agreement URI, or Terms of Service (ToS), IT admins can use this screen to specify the Legal agreements to use.
    • Title—Specify the name of the Legal agreement that is applicable to the device.
    • Legal agreement URI—Add the URL of the custom Legal agreement or ToS applicable to the device.
  7. On the Android Enterprise enrollment screen, configure the following settings, and then click Continue:
    • EMM provider—In the EMM provider list, select the name of the EMM provider which is used to manage the target device.
    • EMM agent URI—Enter the URI of the provide APK host applicable to this profile.
    • EMM agent’s receiver component name—Enter a name for the admin package deployed to the device. The format of the Admin package component name is set to package name/class name. For example, for the Workspace ONE UEM, the package name is set to com.airwatch.androidagent/com.airwatch.agent.DeviceAdministratorReceiver. For more information see KME Admin Guide.
    • EMM agent signature checksum—Enter the value of the admin package's signature checksum. The Admin package signature checksum is the Base64 encoded SHA-256 hash of the MDM APK signature, which is URL friendly. You can get this value from your MDM. For more information see Android developer documentation > DevicePolicyManager#EXTRA_PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM. Alternatively, you can use utilities such as Keytool on Linux to get this value.
    • EMM server URI —Enter the URI of the EMM server to connect to from the target devices.
    • Custom JSON Data (as defined by EMM)—Enter the custom data in JSON format that is sent to the EMM agent. Usually, this information is the ID and password for the EMM agent to login to the EMM server. For example, {"gid":"mygid","un":"myusername","pw":"mypassword"}.
    • Root or intermediate certificate—To upload this certificate, click Upload to open a file browser. Follow on-screen instructions to look for and upload the appropriate file.
  8. If necessary, on the Additional deployment options screen, configure the following settings, and then click Continue. These settings are optional and not necessary to create this profile. IMPORTANT—You can only configure the following settings if you have previously set up a Device configuration profile.
    • Local server URI for a Device Configuration Profile (XML)—The location on your relay server where you have created and saved the Device Configuration profile, from where target devices can download the XML file. This URI can start with http:// or https://.
    • Local server URI for the Knox Service Plugin agent (APK file)—Use the fields in this section to add the URI of the KSP APK installation file to download to target devices. This URI must start with http:// or https://.
    • Package name and Signing key—Use these fields to indicate your package name, such as com.samsung.android.knox.kpu, and the associated signing key.
    • Additional applications—Similar to the KSP app specified in the previous field, you can use this section to add information about other apps that you want to install offline on the target device.
  9. On the Summary screen, confirm the settings you have just set and then click Generate QR Code. The QR Code is generated and saved to your local drive. You can then share this QR code with the users of the target devices who then use the QR code to set up their devices.

Manage existing profiles

In addition to creating new profiles, IT admins can manage existing from the Profiles screen. Once IT admins create one or more profiles, they are listed on the Profiles screen. From this screen, they can modify or delete profiles.

Modify existing profiles

To make changes to an existing profile, do as follows:

  1. Launch the Knox Mobile Enrollment Direct app, and on the Profiles screen that opens, find the profile you want to modify and click the profile name link. The appropriate profile page opens.
  2. On the screen that opens, click Edit. The profile screen changes to edit mode.
  3. Follow on-screen instructions to make necessary changes, and generate the updated QR code or XML file. Share the updated QR code or XML file with the users of the target devices.

Delete profiles

To delete an existing profile, do as follows:

  1. Launch the Knox Mobile Enrollment Direct app, and on the Profiles screen that opens find the profile you want to modify and click the checkbox next to the appropriate profile name to select it.
  2. With the checkbox selected, click Delete Profile. The page refreshes with the selected profile removed from the list of profiles. The devices to which the profile was previously applied remain unchanged, as there is no communication between the PC desktop app and the target devices.
Share it: