
Samsung Knox Mobile Enrollment

What is Samsung Knox Mobile Enrollment?

Samsung Knox Mobile Enrollment (KME) allows IT administrators to quickly and efficiently enroll large quantities of corporate-owned devices without the need of manually configuring each of them. End users just have to power on the devices and connect to the network to enroll in MDM. That means there’s minimal risk that users may enter incorrect information or select the wrong settings. Moreover, unauthorized devices cannot join your MDM environment, so your network and data are better protected.

Note:

Samsung Knox Mobile Enrollment is supported on Pro, Enterprise, Ultimate, and Ultra pricing plans.

What are the key features of Knox Mobile Enrollment?

  • Bulk enroll devices: Can add thousands of devices to your MDM at once.
  • Automatic installation and activation: As soon as the employees receive their device and power it on, the device automatically installs the required software and applies the security settings and configurations provisioned by the enterprise via the MDM client.
  • Auto re-enrollment: Once a device is enrolled, the MDM software will always be reinstalled even if the device is erased and factory reset.
  • Supports multiple MDM configurations per account: Organizations with a complex MDM environment can quickly set up thousands of devices and connect them with the right MDM profile using Knox Mobile Enrollment.

What are the requirements for Knox Mobile Enrollment?

  • A Samsung account.
  • A Knox portal account.
  • Samsung Knox devices running Knox version 2.4 or higher. Some devices lacking a Device Root Key (DRK) support enrollment using a Knox 2.4.1 binary. For Android Enterprise enrollment, devices should be running Knox version 2.8 or above.
  • A Mobility Management provider supporting the Knox Mobile Enrollment program.
  • A KME supported browser (Internet Explorer, Firefox, and Chrome).
  • The correct firewall exemptions needed to extend beyond your local and protected network domain and securely connect to the Knox Mobile Enrollment server.

How to create a Samsung account?

  1. Go to Samsung account creation page.
  2. Click on Create account.
  3. Go through the terms and conditions and Agree.
  4. Enter your Email/Phone number, Password, First name, Last name and DOB. Carefully enter the answer for the security question you have chosen and click Next.
  5. The last step to activate the account is to follow the link sent to the email address you have provided or by verifying using the code sent to the phone number provided.


How to create a Knox Portal account?

  1. Go to Knox Mobile Enrollment page.
  2. Click on Apply Now.
  3. Enter Basic information, End-user support information, Verification information and go through the Terms and conditions. Click on Apply when you are done.
  4. A confirmation mail will be sent.
  5. Click on Complete registration to continue. Enter your Knox portal password.
  6. Go to Knox Portal dashboard > My Knox Solutions > Knox Mobile Enrollment > Launch Console.
  7. A setup wizard launches to assist with setting up MDM server resources, creating your first enrollment profile and registering resellers when you log in for the first time.

How to enroll and configure devices in your KME portal?

There are three steps by which you can complete Knox Mobile Enrollment:

Step-1: Create an MDM profile.

Step-2: Add devices to your portal.

Step-3: Configure and assign devices to a profile.

Create an MDM profile

  • Sign in to Knox Portal account.
  • Select the MDM Profiles option from the left-hand navigation menu > Click on CREATE PROFILE.
  • Select either of the following profile types:
    1. ANDROID ENTERPRISE: You can opt for an out-of-box Android Enterprise enrollment by choosing this option. If selected, you can manage the devices in either Profile Owner or Device Owner mode. Currently, Hexnode does not support Profile Owner mode, and the devices will be enrolled in Device Owner mode even when you choose Profile Owner mode.
    2. DEVICE ADMIN: This profile management method is the legacy method for managing the devices. This profile type provides different device settings options not available in Device Owner/Profile Owner configurations.

  • In the case of creating Device Admin profile, add the following details in the fields provided:
    1. Profile Name – Enter an appropriate profile name to distinguish it from other profiles.
    2. Description (Optional) – Describe the profile in a maximum of 200 characters.
    3. MDM INFORMATION – Enter the MDM Server URI, which is the address of your MDM server in the form of a URL, or select Server URI not required for my MDM. Click Continue.
    4. MDM Agent APK – Provide downloadable links of one or more MDM applications which the device will be enrolled to. These applications will be downloaded and installed on the device when it first connects to a Wi-Fi network. Click on ADD MDM APPS and provide a URL to the APK that will be downloaded to your devices.

      APK URL for Hexnode UEM: Hexnode MDM APK

      You can add more than one MDM application. If more than one APK is added, you must set one as primary to choose which APK manages Knox on the device.

    5. Custom JSON Data (as defined by MDM) – A custom configuration in JSON (JavaScript Object Notation) format can be defined here. The MDM solution must be able to recognize this configuration. Hexnode doesn’t support this for now.
    6. Skip Setup Wizard – When checked, the device user can skip many setup wizard screens. Selected by default.
    7. Allow end user to cancel enrollment – Uncheck this option to make device enrollment mandatory.
    8. Privacy Policy, EULA and Terms of Service (Optional) – Add any End user license agreements, Terms of service or other user agreements that user must acknowledge before using the device. The Samsung Knox Privacy Policy is always shown. Click on ADD LEGAL AGREEMENT. Enter an Agreement title and Agreement text and click ADD.
    9. Associate a Knox license with this profile (Optional) – Check this option and enter the Knox license key to pass it directly to the device for easier Knox profile configuration.
    10. Click Create when you are done.
  • Note:

    You have to enroll your organization in Android Enterprise prior to enrolling devices as Device Owner using the Hexnode For Work APK.

  • In the case of creating Android Enterprise profile, you’ll have to pick your MDM and fill the MDM Agent APK and MDM Server URI fields. Click Continue.
    1. Profile Name – Enter an appropriate profile name to distinguish it from other profiles.
    2. Description (Optional) – Describe the profile in a maximum of 200 characters.
    3. MDM INFORMATION – Specify the MDM information for the profile. You can choose either of the options:
      1. Let MDM choose to enroll as a Device Owner or Profile Owner — This option enables you to configure Profile Owner enrollment settings for Android 10 and above devices.
        Note: Hexnode does not support out-of-box work profile creation via Profile Owner mode. Hence, the devices will be enrolled as Device Owner, even if the option ‘Let MDM choose to enroll as a Device Owner or Profile Owner’ is chosen.
      2. Force Device Owner Enrollment – When this option is selected, it displays the Android Enterprise profile settings screen for configuring a Device Owner supported enrollment profile on the device.
    4. Pick your MDM – Select a supported MDM. Select the option Mitsogo Hexnode MDM for Hexnode.
    5. MDM Agent APK – Provide the URL to the APK that will be downloaded to your devices. The URL to the APK is autofilled on selecting Mitsogo Hexnode MDM.

      Hexnode MDM APK: URL for enrolling devices with Hexnode MDM app.

      Hexnode for Work APK: URL for Android Enterprise Device Owner Enrollment

    6. MDM Server URI (optional) – Enter the MDM server URL of your Hexnode MDM portal to which the devices get enrolled. For example, ‘https://yourportal.hexnodemdm.com’.
    7. Custom JSON Data (as defined by MDM) – A custom configuration in JSON (JavaScript Object Notation) format can be defined here. The MDM solution must be able to recognize this configuration. Hexnode doesn’t support this for now.
    8. Dual DAR – This secures KME data with two layers of encryption, even when the device is in an unauthenticated state or powered off. Once the option Enable Dual DAR is selected, you can optionally select 3rd party crypto app and add the package and signature.
    9. Disable system applications – Select this checkbox to ensure all apps are disabled and unavailable to the device owner supported profile.
    10. Leave all system apps enabled – Select this checkbox to ensure all apps are enabled and available to the device owner supported profile. If this option isn’t selected, only a limited set of system apps is displayed in the device’s apps tray.
    11. Privacy Policy, EULA and Terms of Service (Optional) – Add any End user license agreements, Terms of service or other user agreements that user must acknowledge before using the device. The Samsung Knox Privacy Policy is always shown. Click on Add legal agreement. Enter an Agreement title and Agreement text > Add.
    12. Company Name – Specify the MDM organization name displayed at the time of device enrollment. The field is autofilled with Mitsogo Inc. > Click Create.

You can edit an MDM profile any time by clicking on the profile name and delete the profile by selecting the profile and clicking Delete profile.

Add devices to your portal

  1. Sign in to your Knox Portal account.

There are two options by which you can add device information:

  • Reseller Devices – When a device is purchased from a reseller, they can automatically upload it to your account. The devices will appear in Devices > Uploads. For this, you must register your participating Samsung device reseller.
    1. Select Resellers option from the left-hand navigation menu.
    2. Click on Register reseller.
    3. Contact the reseller to obtain their Knox reseller id. Provide the Reseller ID and click on look up.
    4. From the list of results, select your reseller.
    5. Use the Setup a default profile for reseller devices option to provide a default profile to be assigned automatically to the devices purchased from this reseller.
    6. Upload approval preferences – Select your preferred upload approval process for this reseller’s uploads.
      • Approval needed for each upload – Review and approve each reseller upload separately
      • Automatically approve all uploads from this reseller – The device information uploaded by this reseller is automatically approved, both now and with future uploads.
    7. Click on Add.
  • Knox Deployment Application – To enroll devices not purchased from an approved reseller, use the Knox Deployment application.
    Note:

    Only Samsung Knox devices running Knox 2.7.1 or higher can be enrolled thus.

    Steps:

    1. Download the Knox Deployment Application from the Google Play Store on any compatible device. Download from this link – Knox Deployment app
    2. Launch the app and sign in using the Knox portal username and password. When you log in for the first time a welcome screen will be displayed for assisting you.
    3. Click on Profile. All profiles will be listed, or you can select Knox Mobile Enrollment profiles in particular. Choose the profile you want to associate with your devices.
    4. Choose a Deployment mode. Here you have 3 options: Bluetooth, NFC or Wi-Fi direct.

      Bluetooth

      • Select Bluetooth as the device deployment mode.
      • Wi-Fi configuration – By configuring Wi-Fi for deployed devices, you can send a network configuration to the device so that it can connect to the network.
        • Click on Wi-Fi for deployed devices > Allow.
        • Choose a network from the list or add one.
        • Type in the password and click OK.
        Note:

        Wi-Fi configuration will work only with gesture-based deployment on devices running Knox 3.2.

      • Click on Start deployment
      • Set the Bluetooth duration which is 30 minutes by default and check the Accept automatically option to automatically accept pairing requests from devices to be enrolled.
      • Click OK > Start Deployment.
      • Open https://me.samsungknox.com on the designated phone or tablet running Samsung Knox 2.7.1 or above to begin the profile assignment.
      • Follow the onscreen instructions and enroll the device.
      • Click on Finish deployment from the app.

      The device will be listed in the Knox portal with the tag Bluetooth.

      NFC

      • Select the Deployment mode as NFC and Configure Wi-Fi for deployed devices.
      • Click on Start deployment.
      • Turn on NFC and Android Beam in device settings.
      • Hold the admin phone and the phone to be enrolled back to back and tap your screen.
      • Note:

        Make sure that both the devices are NFC enabled and compatible.

      • Select Finish deployment once you are done.

      Wi-Fi Direct

      • Select Wi-Fi Direct as the Deployment mode.
      • Select Wi-Fi direct Setting: Choose whether the Wi-Fi direct connection is automatic or manual.
        • Accept manually: Requires the user to enter a generated PIN every time a connection is requested from an enrolling device.
          • Select Accept Manually from Select Wi-Fi setting.
          • Note down the PIN which is required for manual connection and tap Connect before the countdown expires.
          • An Accept sharing request screen appears prompting for the PIN before the countdown expires. Type the PIN and Click on Accept.
          • The enrollment information will be sent to the enrolling device via the newly established Wi-Fi direct connection.
          • Click on Finish deployment once it’s done.
        • Accept automatically: Automatically accept connection requests from enrolling device.
          • Select Accept automatically from Select Wi-Fi setting.
          • Tap Connect before the countdown expires.
          • The enrollment information will be sent to the enrolling device via the newly established Wi-Fi direct connection.
          • Click on Finish deployment once it’s done.

      Configure and assign devices to a profile

      To configure approved devices to a profile.

      1. Select Devices option from the left-hand navigation menu > Select All Devices tab.
      2. Check the required device(s) > Click on Actions > Configure Devices.
      3. The Device details screen appears. Fill the following fields:
        • Profile (single device selected) or Modify the MDM profile of selected devices (more than one device selected) – Assign an MDM profile to the device(s). There are two options from which you can choose.
          • Keep current profiles (available only when more than one device is selected) – Select to keep the existing profile assignment.
          • Clear profiles – Select this option to remove an already assigned profile.
        • Tags (single device selected) or Add tags to selected devices (more than one device selected) – Add tags to device(s) that allows you to organize and search for devices.
        • User id and Password (single device selected) – Enter a user id and password for the device.
        • User credentials (more than one device selected) – Choose user credentials for the devices. Choose any of these options:
          • Keep current credentials – Use existing user credentials.
          • Clear user credentials – Choose to clear existing credentials.
          • Overwrite user credentials – Provide a new user id and password for the devices.
      4. Click Save > Refresh.

      The device status changes to profile assigned.

      To bulk configure devices.

      1. Select Devices option from the left-hand navigation menu > Select All Devices tab.
      2. Select necessary devices and download the device information as a CSV file. Modify the file by adding User ID information to the right of Device ID. You can also add passwords in the next column if needed.
      3. Click on Bulk Actions button at the bottom of the left-hand navigation menu.
      4. Select Bulk Configure.
      5. Upload the edited CSV file.
      6. You can Modify the MDM profile of the selected devices and overwrite existing tags if needed.
      7. Click Submit.

      How to add Device users to your KME portal?

      To add a new device user

      1. Select Device Users option from the left-hand navigation menu.
      2. Click add device users
      3. Enter User ID and Password > Click on Add.

      To edit and update the details of an already existing user

      1. Select Device Users option from the left-hand navigation menu.
      2. Click on the user and edit the details.
      3. Update the details > Save.

      You can remove an already existing user

      1. Select Device Users option from the left-hand navigation menu.
      2. Select the check box of the required device user.
      3. Go to Action > Delete Device Users.
      4. A pop-up arises. Select Delete.

      Importing a device user

      You can upload a group of user credentials to assign them to your devices in the future. To include user credentials in the device list, create a CSV file with one row (line) per device (with a maximum limit of 10,000 devices/rows).

      1. Select Device Users option from the left-hand navigation menu.
      2. Select the check box of the required device user.
      3. Click on Add Device Users and click add multiple device users.
      4. Refer to the instructions for creating a CSV file. Select Got it when you are done reading the instructions.
      5. Upload the CSV file > Submit.
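A pre-upload check for the CSV files used in the bulk configure and device user import steps above, as an added example that is not part of the Hexnode or Samsung documentation. It assumes a headerless file with Device ID, User ID and Password columns in that order; `check_kme_csv` is a hypothetical helper name, and the device IDs and passwords in the sample are constructed.

```python
import csv
import io

MAX_ROWS = 10_000  # per-file row limit stated on this page


def check_kme_csv(text, max_rows=MAX_ROWS):
    """Return a list of (line_number, problem) for a KME credentials CSV.

    Assumed layout (not confirmed by the page): no header row, columns are
    Device ID, User ID, Password. Line number 0 marks a whole-file problem.
    """
    problems = []
    first_seen = {}  # device ID -> line where it first appeared
    rows = [(n, r) for n, r in enumerate(csv.reader(io.StringIO(text)), 1)
            if any(c.strip() for c in r)]  # ignore blank lines
    if len(rows) > max_rows:
        problems.append((0, f"{len(rows)} rows exceeds limit of {max_rows}"))
    for n, row in rows:
        device_id, user_id, password = ([c.strip() for c in row] + ["", "", ""])[:3]
        if not device_id:
            problems.append((n, "missing device ID"))
        elif device_id in first_seen:
            # Two rows for one device: which credentials end up assigned is ambiguous.
            problems.append((n, f"duplicate device ID (first on line {first_seen[device_id]})"))
        else:
            first_seen[device_id] = n
        if password and not user_id:
            problems.append((n, "password without user ID"))
        if any(c != c.strip() for c in row[:3]):
            # Stray spaces could be taken as part of the ID or credential.
            problems.append((n, "leading/trailing whitespace in a cell"))
    return problems


# Constructed sample input; none of these values are real devices or credentials.
SAMPLE = (
    "DEVICE-0001,alice,pw-constructed-1\n"
    "DEVICE-0002,bob,\n"
    "DEVICE-0001,carol,\n"
    ",dave,pw-constructed-2\n"
    "DEVICE-0003,,pw-constructed-3\n"
    "DEVICE-0004, erin ,pw-constructed-4\n"
)

if __name__ == "__main__":
    for line, problem in check_kme_csv(SAMPLE):
        print(f"line {line}: {problem}")
```

Because the file holds user passwords in clear text, keep it readable only by the administrator preparing the upload and delete it once the upload is submitted.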

       

 
