KME Technical Implementation

Device Owner support

Knox Mobile Enrollment (KME) enables you to enroll a Fully Managed Device with Device Owner (DO) privileges to an MDM. This topic provides you with detailed instructions on how to integrate KME and DO.

Minimum requirements

To support DO provisioning in KME, you must: 

  1. Support Google Device Owner provisioning.
  2. Host an MDM agent APK download link. This APK should be the MDM solution component that allows KME to activate and use Knox licenses for enrolled devices.

Integrate DO with KME

Once you integrate with KME, customers can use the KME portal to select your MDM in the Device Owner profile dialog.

All profile information that you set in the KME portal gets passed directly to Google’s DevicePolicyManager for handling. As with regular DO enrollment, the MDM agent is installed and receives the ProfileProvisioningComplete callback when the provisioning is complete.

It’s important to note that customers can provision usernames and passwords in the KME portal. If you plan to support server and user credential provisioning, you need to support the naming conventions that KME uses, as shown in the following table.

KME Key Description
userName Username or ID
password Password
kmeUri Server URL

You can also use the KME portal’s Custom JSON Data field to configure the MDM setup and set additional data, such as enrollment_id, as shown in the following image.

Custom JSON Data (as defined by MDM)

KME combines all credential provisioning and configuration data in the JSON format and sends it to the MDM agent as The following example shows one such bundle.


Verify integration

You can verify your integration in the KME portal with a test account as follows.

  1. Log in to the KME portal with a valid test account.
  2. In the left hand navigation menu, select MDM Profiles.
  3. Click Create Profile, and then select Device Owner. The Device Owner profile dialog opens.
  4. Enter appropriate information in the Profile Name and Description fields.
  5. In the Pick your MDM list, choose Other.

Pick your MDM dialog and drop-down list

  1. When prompted, enter the following information: 
    • MDM Agent APK, that is, your agent’s APK link
    • MDM Server URI

Sample Profile Settings dialog - MDM Agent APK

  1. Click Continue. This profile is now ready for use (testing).

Become a supported MDM partner

After you finish setting up and verifying your integration with KME, the next step is to get listed as a supported MDM partner.To become a supported MDM partner, you must provide Samsung with a test account with DO configured along with the following information:

  1. The exact name of your MDM for use in the KME portal.
  2. The APK agent link to enter into the KME profile. This link is automatically populated in the form when a customer selects your MDM in the Pick your MDM list.
  3. Any enrollment data that the agent requires for DO provisioning.
  4. If supported, a Google Managed Play store account.

Upon receipt of this information, Samsung verifies your integration based on the following end-to-end verification test criteria:

  • APK link for the MDM API is accessible
  • Google DO is enabled on the device
  • Device status in the KME portal changes to Enrolled
  • MDM agent auto-launches
  • A Google Managed Play Store account is configured after enrollment (if supported)

If all end-to-end verification tests pass, Samsung adds your MDM to the Pick Your MDM list in the KME portal as follows.

Sample Pick your MDM dialog

Share it: