This blog post explores how we can use Samsung KME with Microsoft Intune for Android Enterprise device provisioning and enforce MDM enrolment right out of the box.
This is a continuation of the MEM Android series with Joy and below I have listed all the previous posts of this series for your quick reference. Post #1 – Evolution of Android management for Enterprise use Post #2 – 9 myths regarding the use of Android in Enterprise Post #3 – Android Enterprise: An ultimate use-case guide for the different enrolment options Post #4 - Android Enterprise Work Profile management with MEM Intune – Facts You Should Know Post #5 - Behind The Scenes: Android Enterprise Work Profile Provisioning with Intune Post #6 - Getting started with Samsung Knox Mobile Enrolment
So let’s get started.
Table of Contents
Pre-requisites
- Access to Samsung KME web portal. [Check my previous blog on Getting started with Samsung KME]
- Microsoft Intune tenant. [configured to support Android Enterprise]
- Samsung devices with Knox version 2.8 or higher to support Android Enterprise enrollment.
Create Enrollment Token in Intune
Before you configure enrollment profile, you need to prepare Intune to support Android Enterprise devices, which is essentially
- check if your MEM Intune tenant is actively bound with Managed Google Play.
- check Enrollment Restriction does not block Android Enterprise enrollment.
You can now create an enrollment token in MEM Intune for any of the three available corporate-owned Android Enrolment scenarios that you are working with.
Here I have chosen to create an enrollment token for Corporate-owned devices with work profile.
Keep a note of this Enrollment Token as you will need this later to configure the MDM Profile in Samsung KME.
Create MDM Profile in Samsung KME
On the Samsung KME portal, from the left side navigation menu,
- Click on MDM Profile and then click on Create Profile. You will get the below screen.
- Select the Android Enterprise option. You will be presented with the below screen.
- Fill in the Profile Name.
- From under MDM Information choose Let MDM choose to enroll as a Device Owner or Profile Owner.
- From Pick your MDM, use the drop-down list and select Microsoft Intune.
- Click on Continue and you will be redirected to the below screen.
- Under MDM Configuration is where you need to enter the custom JSON data that is supported by your MDM vendor.
For Intune, you can refer to this document and build the custom JSON data that contains the Intune Device Enrollment Token.
{"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN":"Your Token"}
- Under Device Settings, you can choose to either Disable system apps or Leave system apps enabled. You also need to define Company Name.
Note: To learn more about the other Profile configuration settings (e.g. Enable Dual DAR, QR code enrollment, Root/intermediate certificate, etc.), see the detailed Samsung's instruction for creating an MDM profile.
- Click on Create and the profile gets created.
The newly created profile will be listed with other existing MDM profiles.
If you have reseller(s) registered, you can optionally use the Manage Reseller preferences option to auto-approve device uploads and automatically assign MDM profile to the devices uploaded by a particular reseller.
Ensure MDM profile is Assigned to the device in Samsung KME portal
On the KME portal, navigate to Devices > All Devices and you should see the approved reseller uploaded devices here.
If you have used the Manage Reseller preferences option to auto-approve device uploads and automatically assign MDM profile to the devices uploaded by reseller(s), the devices should show the name of the MDM profile that is assigned and the status should reflect as profile assigned.
In our case, the device in context was previously added to KME using the KDA method and I have cleared the assigned profile so as to show the current profile state as Unassigned. This is exactly how you would find the device in KME if you have not configured it to automatically assign an MDM profile using the Manage Reseller preferences.
To assign an MDM profile to the device, you need to select the device in context and click on Actions and then click on the Configure devices option.
From the flyout pane that comes out from the right, you can assign any existing MDM profile of your choice to the device.
Once an MDM profile is assigned, it shows the name of the MDM profile that is assigned along with the device Status that reflects as Profile assigned.
Once the device completes provisioning, the device Status reflects the type of enrollment the device is currently provisioned as.
As a side note, Samsung KNOX documentation shows that a device can have the following states through the workflows.
End-User Experience
End-user starts the device out-of-box (or if existing device, then post a device reset), gets the usual initial device setup experience which begins with the Welcome screen.
As the user taps on Start to begin the device setup, the user is prompted to either connect to Wi-Fi (if available) or continue with Mobile data. Note that the device shows that it is protected by Knox Cloud Service. Once the device is connected to a network, or if the user chooses to continue with Mobile data, the device lands up showing the screen that states the device belongs to your organization.
As the user taps on Next to continue with the device setup, the provisioning goes as usual as per the enrollment type and the user just needs to follow the on-screen guide to complete the setup.
Wrap Up
I have tried all the three corporate-owned enrollment scenarios of Android Enterprise with Samsung KME and Microsoft Intune and have not faced any issues during the tests.
Samsung KME, for long, has been a robust service that have helped enterprises enforce MDM enrollment out-of-box for supported Samsung android devices. However, did you know that Google has also expanded the availability of Google Zero Touch which now supports all Android 9.0+ devices, including Samsung. Read more here.
Well, that was all for today.
Joymalya Basu Roy is an Indian IT professional with around 6.5 years of work experience in IT Software Support and Services. Having completed his B.Tech in Computer Science and Engineering back in 2015, he is 30 years old as of 2022, ethnolinguistically a Bengali, and hails from the Indian city of Kolkata, West Bengal. Presently associated with Atos as a Senior Consultant – Architect, he works in Digital Workplace T&T projects leading the build & deployment, adoption, and support of Microsoft Intune across greenfield/brownfield environments for Android/iOS/Windows. He is also honored to be recognized as a Microsoft MVP for Enterprise Mobility – 2021 and 2022-23.
