---

Audience

This document is intended for:

• IT Admins — Admins create profiles with the device settings, restrictions, apps, and other content to deploy to groups of devices. After devices have been successfully enrolled into the enterprise, they receive the KC device profile via a Wi-Fi or mobile data connection.
• Resellers — Resellers bulk upload devices on behalf of requesting customers.

Prerequisites

To use Knox Mobile Enrollment, you need:

• A Samsung account. For more information, go to: Create your Samsung accounts.
• A Knox Portal account. For more information, go to: Create your Samsung accounts.
• Samsung Knox devices running Knox version 2.4 or higher. Some devices lacking a device root key (DRK) support enrollment using a Knox 2.4.1 binary.
• A MDM provider supporting the Knox Mobile Enrollment program
• The correct firewall exemptions needed to extend beyond your local and protected network domain and securely connect to the Knox Mobile Enrollment server. For more information, go to: Firewall exceptions.
• A KME supported browser (Internet Explorer, Firefox, and Chrome). Internet Explorer is not recommended if using an on-premise MDM.
• Permission to access Knox Mobile Enrollment features

For information on KME supported countries, go to: KME country availability.

About KME

Once an enterprise acquires its devices, their IT administrator utilizes Samsung’s Reseller Portal to upload user credentials. To mass deploy devices to end user employees, the IT administrator loads MDM configuration(s) to KME and assigns a profile to either a single or group of devices. For an overview and diagram of the KME workflow, go to Knox Mobile Enrollment workflow.

Samsung's KME provides the following device enrollment benefits:

• Automated configuration — Manually tracking hundreds or thousands of devices and removing them from their box for configuration can be a consumptive process with little perceived return on investment. With Knox Mobile Enrollment, the entire process is streamlined. Once a purchase order is placed through an approved reseller or carrier, the reseller uploads the devices’ unique International Mobile Equipment Identity numbers (IMEIs) and serial numbers to the reseller portal.
  
• No hassles for employees — Enrolling devices with an MDM typically requires employees, once they receive the devices, to connect them to the MDM solution. This process typically involves navigating to a website and downloading the MDM software to the device. This process often creates problems, resulting in IT teams having to spend time guiding frustrated employees through the process. With Knox Mobile Enrollment, employees do not have to do a thing. As soon as they receive their device and power it on, the device automatically installs the required software and applies the security settings and configurations provisioned by the enterprise via the MDM client.
• Mobile security management — With Samsung Knox, the integrity of the entire device is protected from hardware to the application layer. With Knox Mobile Enrollment, IT admins can set security policies without physically touching the device. This makes it easy to protect company data by preventing employee updates potentially jeopardizing device security. IT admins can retain total device control and can prevent employees from installing apps and removing existing apps. IT admins can also disable high-bandwidth video streaming or automatic app updates, and can wipe company data if a device is lost or stolen.

New KME users who initially login to the KME console can also utilize the get started carousel and auto tour to understand the central functions of the KME console and access tooltips to better navigate the KME console. For more information, go to: Get started carousel and auto tour.

Samsung KME overview video

KME workflow

Enterprise IT admins purchase devices from carriers, resellers, or distributors and provide their unique customer IDs. The devices are validated for correctness by their sellers in KME, and shipped to end users who open the box and boot their device.

Refer to the following describing the KME process flow activities within the illustration above:

1. An IT Admin and Reseller/Carrier create accounts in KME and RP respectively. They then exchange their IDs within KME using the Customer ID and Reseller ID.
2. The Enterprise IT Admin purchases devices from their Reseller/Carrier.
3. The Reseller uploads the list of purchased device IDs to the Reseller Portal.
4. The device ID list is shared between the Reseller Portal and KME.
5. The IT Admin is notified by email that their Reseller/Carrier has uploaded their devices.
6. The IT Admin approves the device upload. Approvals can be made automatically for trusted Resellers/Carriers.

7. The IT Admin configures the devices by assigning them to a MDM profile and optionally adding username/password information to each device. Devices can be automatically assigned to a profile.

KME feature compatibility matrix

The following table is a general guideline on Knox software support requirements. Device operating system version may impact support features.

KME-DO with KC

KME added support for Android Enterprise managed device mode in Knox 2.8 (on S8 and higher device platforms). Additionally, Samsung has now completed work for supporting KC + KME + Android Enterprise Managed device mode to increase opportunities for KC. KC can be launched from a KME enrolled device, by either selecting the device’s back key, or from a displayed device notification.

KME portal enrollment

An enterprise IT administrator with authority to enroll devices on behalf of their business registers for a KME account from the Samsung Knox portal. As soon as Samsung validates the KME account, the IT administrator can review employee enrollment status to ensure each submitted device is assigned to its correct enterprise end user resource and configuration profile.

Submitted devices can be edited or removed from the enrollment portal at any time by the IT administrator. The IT administrator can optionally submit additional devices with the creation and upload of a CSV file containing the device IMEI, MEID or serial number, username and password, and additional MDM permitted data. Once users activate and connect a device to a stable Wi-Fi, they can submit the device for enrollment. If a stable Wi-Fi connection is problematic, an alternative enrollment resource is available to the IT administrator at Samsung KNOX Mobile Enrollment
(https://me.samsungknox.com/).

Once registered, a device’s profile enrollment status is available under a separate tab to assess whether enrollment is pending, rejected, ready, activated or rejected. MDM configuration profiles can be edited, deleted or added at any time. The KME portal utilizes an additional tab to register device resellers. Reseller registration allows Samsung to verify device ownership and prevent unauthorized enrollment, as only authorized Samsung resellers can be registered.

While most authorized Samsung resellers can submit purchased device IMEIs to KME on behalf of their customer, some resellers are without this capability. In this case, a device list must be imported to the business’s KME account by the enterprise IT administrator.

Lastly, reseller verified devices are shipped to end users who open the box and boot their device to complete enrollment. If needed, the KME portal utilizes an additional device user’s tab to edit, delete, add, or import user credentials into their intended device’s CSV file.

Customer ID

To obtain your Customer ID, hover over your initials on the top, right-hand side, the screen. This information may be required when supplying information to your reseller for a variety of reasons.