If you want to enforce MDM enrollment out of the box for Android devices, you only have two options:
- Samsung Knox Mobile Enrolment (only for supported Samsung devices)
- Google Zero Touch (for compatible devices purchased directly from a select enterprise reseller or Google partner)
This blog post aims to help you in getting started with the Samsung Knox Mobile Enrolment (KME) service.
This is a continuation of the MEM Android series with Joy. Below I have listed all the previous posts of this series for your quick reference.
- Post #1 – Evolution of Android management for Enterprise use
- Post #2 – 9 myths regarding the use of Android in Enterprise
- Post #3 – Android Enterprise: An ultimate use-case guide for the different management modes available with Intune
- Post #4 – Android Enterprise Work Profile management with MEM Intune – Facts You Should Know
- Post #5 – Behind The Scenes: Android Enterprise Work Profile Provisioning with Intune
An Introduction to Samsung Knox Mobile Enrolment (KME)
Samsung Knox Mobile Enrolment (KME) is a free service offered by Samsung as part of its Knox Solutions portfolio. It streamlines bulk provisioning of corporate-owned, Knox-supported Samsung devices and enforces MDM enrollment during initial device setup.
Do note that availability of the service is restricted to the supported locations listed below.
Samsung Android devices running Knox version 2.4 or above are supported for provisioning via the Samsung KME service. However, Android Enterprise enrollment scenarios require devices to be running Knox version 2.8 or above.
Samsung KME supports all the major UEM/MDM products, such as Microsoft Endpoint Manager (Microsoft Intune), Workspace ONE and Citrix Endpoint Management. The image below shows the Samsung KME support matrix of supported features for the different MDM/UEM partners.
If device provisioning will take place over the corporate network, you need to ensure that the Samsung Knox service endpoints are not blocked by the firewall. The required ports and URLs are well documented here.
Want to try out Knox Mobile Enrolment service? All you need to do is register (free) with a work email account (or an existing or new Samsung Account associated with your company).
Getting started with Samsung Knox Mobile Enrolment (KME)
Once you complete the registration for KME, you will land upon the Samsung Knox Dashboard as shown below.
The Samsung Knox portfolio offers a range of different solutions, but for the purpose of this blog we will focus on the Knox Mobile Enrollment solution.
As such, you need to go ahead and click on the TRY FOR FREE button corresponding to the Knox Mobile Enrolment solution on the Samsung Knox dashboard (web portal). You will be prompted to accept the T&Cs of the KME service and once you provide consent to the same, you should be returned to the screen as below.
Activation of the service requires some time and is not instant.
Note that the button for the KME solution is now greyed out and shows as PENDING. Once the service is activated for your account, log in to the Samsung Knox web portal and you will see that the button corresponding to Knox Mobile Enrollment solution has changed from PENDING to LAUNCH.
Click on it and you will be taken to the Samsung KME web portal as shown below.
A quick tour of the Samsung Knox Mobile Enrolment (KME) portal
The Samsung KME portal is very simple to navigate with the menu on the left side of the screen.
Devices
This screen is where you will find devices uploaded/added to KME service with their enrollment status.
You also have BULK ACTIONS for when you are dealing with a large number of devices. Each of the BULK CONFIGURE, BULK DELETE and BULK ASSIGNMENT options has a View instructions link with detailed instructions on preparing a properly formatted CSV file and uploading it into KME.
MDM Profiles
This screen is where you can create a new MDM profile and also view the existing MDM profiles along with the status of each.
For further information on creating MDM profiles in Samsung KME, refer to Samsung's documentation.
Resellers
This screen is where you can add your Reseller so that they can upload devices on your behalf. If you have resellers registered, this screen shows each reseller, their ID, default profile, and upload approval preference.
With the Auto Assign Preferences, you can configure KME to auto-approve device uploads from a specific reseller and auto-assign a specific MDM profile to those devices.
Device Users
This screen is where you can add/assign Users to the devices added to Samsung KME to streamline device provisioning.
For further information about Device Users, refer to Samsung's documentation.
Administrators & Roles
This screen is where you can invite other users as admins and manage their roles (RBAC).
For further information on how to add and manage admins in Samsung KME, refer to Samsung's documentation.
Activity Log
This screen shows activities as performed by administrator(s) and/or reseller(s).
Adding Device to Samsung KME service
You can register Samsung-approved reseller(s) using their Reseller ID to allow the reseller to upload devices on behalf of your organization.
Once you have a reseller registered, you can configure auto-approval for that reseller so that device uploads are approved automatically, and also choose an MDM profile to be assigned automatically to the devices uploaded by the reseller.
You can have multiple resellers registered and auto-assign a different MDM profile to the devices uploaded by each reseller.
Does this work with only devices purchased from a Samsung-approved reseller?
Not exactly. You can add existing Knox-compatible Samsung devices to the Samsung KME service using the Knox Deployment App available in the Google Play store.
It works like this: an admin installs the Knox Deployment App on a Samsung device, which then acts as the primary device used to enroll supported Samsung devices into KME directly, using NFC, Bluetooth or Wi-Fi Direct.
Note that the device running the Knox Deployment App does not get added to Samsung KME itself. It merely acts as a trigger to add other compatible Samsung devices to Samsung KME and broadcasts the enrollment profile to those devices.
Ensure you sign in to the Knox Deployment application with the Samsung Account that is associated with the Samsung KME service.
The account must have the following permissions set:
- Manage devices (at least Assign with profile and manage tags)
- Allow access to Knox Deployment application enabled
Although using the Knox Deployment app (KDA) to add existing devices to Samsung KME comes in handy for test purposes, it is a manual process and cannot really be recommended for bulk device provisioning.
Other than using the Knox Deployment application to add and provision existing devices in Samsung KME, you can also optionally create a QR code for the MDM profile, which can be used to trigger device registration to KME and provision the device.
If you did not create a QR code during profile creation, you can add a QR code to any existing MDM profile later by editing the MDM profile.
The QR code configuration has the setting “Also allows QR code enrollment or devices not uploaded by a reseller”, which you can use to enroll existing devices through Samsung KME from the device's initial setup.
However, personally I don’t see any value in using this method: if I as an end user have to scan a QR code to start device provisioning, then why not use the QR code that is generated by Intune for the enrollment token?
Use Knox Deployment app to add existing device to Samsung KME and assign MDM profile
As an admin, you can install the Knox Deployment app from the Google Play store on any Samsung Android device that you wish to act as the primary device. You then need to launch the app and sign in using the Samsung account associated with Samsung KME.
For me, I had to sign in to the Samsung account on the device first and then launch the app for it to pick up the sign-in.
Once signed in to the app, you will see the screen below. Tap on Profile and a new screen opens listing all the MDM profiles configured in the Samsung KME portal. Choose the MDM profile that you want to use, and the app returns to the initial screen.
Next is to choose the deployment mode – either NFC, Bluetooth, or Wi-Fi direct.
The choice really depends on the devices' support for the protocols these methods use. As you can see from the snap below, the device I set up as the primary device does not support NFC. As such, when I tap on Deployment mode to choose a method, I am only shown Bluetooth and Wi-Fi Direct.
Note that whichever deployment mode you choose, the device you are enrolling must support that method as well. For example, if my primary device has NFC support and I choose NFC as the deployment mode, but the user device does not support NFC, it won’t work.
Note that you can also configure Wi-Fi information for deployed devices to use during the provisioning stage.
Once you are done with choosing the MDM profile and the Deployment mode, click on START DEPLOYMENT to start provisioning user devices.
Up to this point, everything was done on the primary device equipped with the Knox Deployment app. Let’s now see what needs to be performed on the target device to complete the deployment.
On the target device that you want to register to KME and provision, you need to:
- Ensure the device is running a supported Knox version (Knox version 2.8 or higher for Android Enterprise enrolment scenarios).
- Open a browser, navigate to https://me.samsungknox.com and click on the Enroll button.
- The device will momentarily check whether any Knox update is available and then show the Enrol screen. Click on Next.
- You will now be shown the details of the organization to which the device will be enrolled. Click on Next.
- Accept the Knox T&Cs and click on Next.
- The final step is when you are asked to RESET the device.
This marks the end of a successful deployment; go back to the admin/primary device and click on FINISH DEPLOYMENT.
Upon completing the RESET action, MDM enrollment is enforced on initial setup and the target device goes through the standard Android Enterprise provisioning.
To be contd.
I will keep it till this for today.
The next post will focus on how you can use Samsung KME with Microsoft Intune, a.k.a. Microsoft Endpoint Manager, to provision supported Samsung Android devices.
Additional Resources