Menu

Knox Mobile Enrollment


Knox Mobile Enrollment (KME) streamlines the initial setup and enrollment of corporate-owned and employee-owned devices.

KME is the recommended tool when an enterprise requires bulk device enrollment with little configuration variance amongst the devices deployed.

Audience

This document is intended for:

  • IT Admins — Admins create profiles with the device settings, restrictions, apps, and other content to deploy to groups of devices. After devices have been successfully enrolled into the enterprise, they receive the KC device profile via a Wi-Fi or mobile data connection.
  • Resellers — Resellers bulk upload devices on behalf of requesting customers.

Try the solution

Use KME to add new enrollment profiles, edit existing profiles and delete obsolete profiles as required as devices enroll in KME or require update. This guide also describes how to invite and manage admins, as well as assign required roles and permissions needed enroll and manage devices.

START TUTORIAL

Prerequisites

To use Knox Mobile Enrollment, you need:

  • A Samsung account. For more information, go to: Create your Samsung accounts.
  • A Knox Portal account. For more information, go to: Create your Samsung accounts.
  • Samsung Knox devices running Knox version 2.4 or higher. Some devices lacking a device root key (DRK) support enrollment using a Knox 2.4.1 binary.
  • A MDM provider supporting the Knox Mobile Enrollment program
  • The correct firewall exemptions needed to extend beyond your local and protected network domain and securely connect to the Knox Mobile Enrollment server. For more information, go to: Firewall exceptions.
  • A KME supported browser (Internet Explorer, Firefox, and Chrome). Internet Explorer is not recommended if using an on-premise MDM.
  • Permission to access Knox Mobile Enrollment features

For information on the growing list of KME supported countries, go to: KME country availability.

About KME

Once an enterprise acquires its devices, their IT administrator utilizes Samsung’s Reseller Portal to upload user credentials. To mass deploy devices to end user employees, the IT administrator loads MDM configuration(s) to KME and assigns a profile to either a single or group of devices. For an overview and diagram of the KME workflow, go to Knox Mobile Enrollment workflow.

Samsung's KME provides the following device enrollment benefits:

  • Automated configuration — Manually tracking hundreds or thousands of devices and removing them from their box for configuration can be a consumptive process with little perceived return on investment. With Knox Mobile Enrollment, the entire process is streamlined. Once a purchase order is placed through an approved reseller or carrier, the reseller uploads the devices’ unique International Mobile Equipment Identity numbers (IMEIs) and serial numbers to the reseller portal.
  • No hassles for employees — Enrolling devices with an MDM typically requires employees, once they receive the devices, to connect them to the MDM solution. This process typically involves navigating to a website and downloading the MDM software to the device. This process often creates problems, resulting in IT teams having to spend time guiding frustrated employees through the process. With Knox Mobile Enrollment, employees do not have to do a thing. As soon as they receive their device and power it on, the device automatically installs the required software and applies the security settings and configurations provisioned by the enterprise via the MDM client.
  • Mobile security management — With Samsung Knox, the integrity of the entire device is protected from hardware to the application layer. With Knox Mobile Enrollment, IT admins can set security policies without physically touching the device. This makes it easy to protect company data by preventing employee updates potentially jeopardizing device security. IT admins can retain total device control and can prevent employees from installing apps and removing existing apps. IT admins can also disable high-bandwidth video streaming or automatic app updates, and can wipe company data if a device is lost or stolen.

New KME users who initially login to the KME console can also utilize the get started carousel and auto tour to understand the central functions of the KME console and access tooltips to better navigate the KME console. For more information, go to: Get started carousel and auto tour.

Samsung KME overview video

KME workflow

Enterprise IT admins purchase devices from carriers, resellers, or distributors and provide their unique customer IDs. The devices are validated for correctness by their sellers in KME, and shipped to end users who open the box and boot their device.

Refer to the following describing the KME process flow activities within the illustration above:

  1. An IT Admin and Reseller/Carrier create accounts in KME and RP respectively. They then exchange their IDs within KME using the Customer ID and Reseller ID.
  2. The Enterprise IT Admin purchases devices from their Reseller/Carrier.
  3. The Reseller uploads the list of purchased device IDs to the Reseller Portal.
  4. The device ID list is shared between the Reseller Portal and KME.
  5. The IT Admin is notified by email that their Reseller/Carrier has uploaded their devices.
  6. The IT Admin approves the device upload. Approvals can be made automatically for trusted Resellers/Carriers.
  7. The IT Admin configures the devices by assigning them to a MDM profile and optionally adding username/password information to each device. Devices can be automatically assigned to a profile.

NOTE — Keep in mind when using additional services with Knox Mobile Enrollment—such as Knox Configure (KC)— if a device upload is approved for KME it is also automatically approved in KC, regardless of the KC upload approval setting.

KME portal enrollment

An enterprise IT administrator with authority to enroll devices on behalf of their business registers for a KME account from the Samsung Knox portal. As soon as Samsung validates the KME account, the IT administrator can review employee enrollment status to ensure each submitted device is assigned to its correct enterprise end user resource and configuration profile. Submitted devices can be edited or removed from the enrollment portal at any time by the IT administrator. The IT administrator can optionally submit additional devices with the creation and upload of a CSV file containing the device IMEI, MEID or serial number, username and password, and additional MDM permitted data. Once users activate and connect a device to a stable Wi-Fi, they can submit the device for enrollment. If a stable Wi-Fi connection is problematic, an alternative enrollment resource is available to the IT administrator at Samsung KNOX Mobile Enrollment (https://me.samsungknox.com/).

Once registered within the KME console, a device’s profile enrollment status is available under a separate tab to assess whether enrollment is pending, rejected, ready, activated or rejected. MDM configuration profiles can be edited, deleted or added at any time. The KME portal utilizes an additional tab to register device resellers. Reseller registration allows Samsung to verify device ownership and prevent unauthorized enrollment, as only authorized Samsung resellers can be registered.

Lastly, reseller verified devices are shipped to end users who open the box and boot their device to complete enrollment. If needed, the KME portal utilizes an additional device user’s tab to edit, delete, add, or import user credentials into their intended device’s CSV file.

For information on KME supported countries, go to: KME country availability.

Enrollment options

The following enrollment options are available to KME:

  • Reseller uploads - Authorized Samsung resellers can upload purchased device IMEIs directly into KME on behalf of their customer(s). For more information on KME resellers, go to: Resellers.
  • Knox Deployment App (KDA) - The KDA is a mobile application available from the Google Play Store that is uniquely designed to help streamline the enterprise deployment of Samsung phones and tablets running Knox 2.7.1 or higher. The KDA allows an enterprise IT administrator to upload devices directly, without the assistance of a reseller. The KDA runs on a designated primary device which is required to login to KME. The target device requires a special B2B menu activated via a plus-sign (+) gesture on the initial device setup screen. The following KDA enrollment options are available, and display on the target device B2B menu:
    • NFC - With Near Field Communication (NFC) enrollments, the target device (on which the special B2B menu has been launched) is “bumped” (held closely together) with another smartphone device with Knox Deployment App running and scanning in NFC mode. The dedicated primary NFC device displays available profiles, and end user device enrollment begins once an IT admin selects a profile. The NFC enrollment option is not available to tablet devices.
    • Bluetooth - An IT admin can install the KDA on a dedicated admin/primary smartphone or tablet device, and select existing KME profiles. If the target device (on which the special B2B menu has been launched) is within proximity of the primary device, the user device connects to the admin device wirelessly via Bluetooth without a PIN or password requirement.
    • Wi-Fi Direct - Wi-Fi Direct supported devices can connect directly to each other via a WLAN, without joining a traditional wireless network or Wi-Fi hotspot. Once enabled, a designated primary device automatically scans for other supported Wi-Fi direct target devices. Once discovered, target devices (on which the special B2B menu has been launched) can be selected for enrollment data transfer.
  • QR code - QR code gesture enrollment is a new enrollment option for Android 10 devices. A QR code is a unique matrix style barcode containing information in JSON format used for enrollment. The QR code enrollment process begins with a device plus-sign (+) gesture on the initial device setup screen. This opens a menu, which when selected, activates the device's camera in QR code recognition mode. Once a QR code is recognized, a Wi-Fi connection is made (if the proper credentials are contained within the QR code) and enrollment begins. If there are no Wi-Fi credentials within the QR code, then the user is prompted to provide them within the Wi-Fi setup screen. For information on creating a QR code for device enrollment, go to: Create profiles.

KME feature compatibility matrix

The following table is a general guideline on Knox software support requirements. Device operating system version may impact support features.

KME-DO with KC

KME added support for Android Enterprise managed device mode in Knox 2.8 (on S8 and higher device platforms). Additionally, Samsung has now completed work for supporting KC + KME + Android Enterprise Managed device mode to increase opportunities for KC. KC can be launched from a KME enrolled device, by either selecting the device’s back key, or from a displayed device notification.

Customer ID

To obtain your Customer ID, hover over your initials on the top, right-hand side, the screen. This information may be required when supplying information to your reseller for a variety of reasons.