Radha Kiwalkar

October 12, 2021

Samsung Knox Mobile Enrollment was originally created to address Bring Your Own Devices (BYOD) use cases for IT departments. It does a fine job at it, but it does beg the question: is it useful for companies running Samsung-based dedicated device fleets? ICYMI, Samsung Knox is a Samsung-specific mobile security platform spanning device to cloud. It ships built into most, but not all, of Samsung’s Android-based smartphones and tablets.

In the previous blog, A Tour of the Many Android Provisioning Options Available on Esper, we discussed the various device enrollment methods. Along with the traditional GMS-based provisioning methods, we also support Google Zero-touch Enrollment (ZTE) and Samsung Knox Mobile Enrollment (KME). This blog will discuss KME and the use case to provision a group of devices using Knox Mobile Enrollment.

What is Samsung Knox?

Samsung Knox, part of the Knox suite, is a combination of a security platform and cloud solution. Knox is an infrastructure for device management built into the operating system on qualified devices, along with a secure environment to manage corporate-owned devices. Knox controls and monitors Samsung devices only.

The Samsung Knox platform exposes a set of APIs that allow the end user to control their devices more granularly: disable the power button so it does not function, change how the volume controls behave, and so on. Knox also provides its own enrollment method, Knox Mobile Enrollment (KME).

What is Samsung Knox Mobile Enrollment?

Similar to Google Zero-touch Enrollment, Knox Mobile Enrollment is a provisioning method offered by Samsung for its devices. Upon first boot or factory reset, KME forces Samsung devices to enroll into Esper. Once you have registered for Knox Mobile Enrollment, you can access the Knox Mobile Enrollment console through your Knox Portal dashboard.

According to the Samsung documentation, the following are the prerequisites for using KME:

  • Have a Samsung account and a Samsung Knox account.
  • Devices run Knox version 2.6 or higher.
  • MDM solution provider that supports KME — Esper does!
  • A browser supported by the KME console, and some firewall exemptions to securely connect to the Knox Mobile Enrollment server.

To enable Knox Mobile Enrollment on a Samsung device, you need to upload the serial numbers or IMEIs (International Mobile Equipment Identity) of the devices you wish to provision using KME. 

KME supports the key features of Google Zero-touch Enrollment and can also set up a profile type: Android Enterprise or Device Admin. We recommend using the Android Enterprise permissions since the Esper agent takes care of establishing device admin permissions. Following are the two KME methods:

  1. KME QR method — allows users to skip having to enter Wi-Fi credentials. After accepting a few license agreements, the provisioning process will begin.
  2. Standard KME — users must manually enter Wi-Fi credentials and agree to a few license agreements for the device to retrieve the profile to start provisioning.

Why use Samsung KME for Dedicated Device Fleets?

KME ensures the device can’t somehow be factory reset and used for another purpose. It can be helpful when devices are drop-shipped to their deployment location: it is simple enough that most local personnel can quickly get the device through the provisioning process, and the provisioning configuration is determined and controlled through the Esper Cloud. For some staging situations, it may be more time-efficient compared to other provisioning methods, but it’s always advised to time study the Android Enterprise methods for your onboarding, including 6-tap QR code, to see which is best for your situation. There’s no extra cost to use KME if you have supported Samsung devices. The drawback is that it’s Samsung specific.

How to enroll Samsung devices on Esper using Knox Mobile Enrollment?

Provisioning a device to the Esper platform using KME is a 2-step process — uploading the device IMEI/Serial numbers to Knox and then configuring Knox using a downloaded file from Esper for the appropriate Esper Provisioning Template. 

  1. Open your Knox console and enter the IMEI/Serial number for all devices that need to be provisioned. You can write a CSV file to upload the device information. Once the devices are verified, they will be available to use for the Samsung Knox configuration. 

Note: The devices can be used only in one Samsung Knox portal at a time. You will get an error if the serial number is already assigned to a different Knox account.

  2. In the Knox Mobile Enrollment portal, you can view the devices added in step 1. Then, you can configure the devices to use on the Esper platform by creating a profile. To create a profile, go to MDM Profile and use Android Enterprise permissions to create a profile based on the Esper endpoint. Please contact us for the Google Play store MDM link. Next, you need to provide the Esper Provisioning Template information that the device uses to provision when it turns on. The custom JSON data is available on the Esper Console: go to your desired Provisioning Template tile, select the ellipsis drop-down, and click on Download Config. Open the file and copy the JSON code block under ADMIN_EXTRA_BUNDLE.

Assign the created profile to the devices you want to provision — under the Devices tab in the KME portal, check the devices you wish to migrate, and select “Configure Devices” under Actions. Select the MDM Profile created in the previous steps and click Save.
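Before uploading identifiers in step 1, it is worth checking them locally, because a mistyped IMEI leaves a device outside the enrollment lock. The following script is an added example, not Esper or Samsung code: it validates 15-digit IMEIs with the Luhn check digit, rejects duplicates, and writes a CSV. The one-identifier-per-row layout and the serial-number length bounds are assumptions; follow the template your Knox console provides.

```python
import csv
import io

def luhn_ok(digits: str) -> bool:
    """True if the final digit is a valid Luhn check digit (used by IMEIs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(ident: str) -> str:
    """Return 'imei', 'serial', or the reason the entry is rejected."""
    if not ident.isascii():
        return "unrecognised format"
    if ident.isdigit() and len(ident) == 15:
        return "imei" if luhn_ok(ident) else "bad IMEI check digit"
    # Assumption: serials are alphanumeric, 8-20 characters, not all digits.
    if ident.isalnum() and not ident.isdigit() and 8 <= len(ident) <= 20:
        return "serial"
    return "unrecognised format"

def prepare_upload(raw_entries):
    """Split entries into (accepted, rejected) and drop duplicates."""
    accepted, rejected, seen = [], [], set()
    for raw in raw_entries:
        ident = raw.strip().upper()
        if not ident:
            continue
        kind = classify(ident)
        if kind not in ("imei", "serial"):
            rejected.append((ident, kind))
        elif ident in seen:
            rejected.append((ident, "duplicate"))
        else:
            seen.add(ident)
            accepted.append(ident)
    return accepted, rejected

def to_csv(accepted) -> str:
    """One identifier per row (assumed layout, see lead-in)."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows([i] for i in accepted)
    return buf.getvalue()

# Constructed sample identifiers, not real devices.
SAMPLE = ["490154203237518", "490154203237519", " r58m12abcde ",
          "490154203237518", "12-34", ""]

if __name__ == "__main__":
    ok, bad = prepare_upload(SAMPLE)
    print(to_csv(ok), end="")
    for ident, reason in bad:
        print(f"REJECTED {ident}: {reason}")
```

Review the rejected list by hand before uploading, since each rejected entry is a device that would otherwise ship without the KME profile.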

And that’s it! Now when the device boots after factory reset, it checks for updates, recognizes Knox Mobile Enrollment, and locks the device to the specified MDM/EMM, in this case Esper. No QR-code scan is needed unless you need an easier way to enter Wi-Fi credentials.

As an automated enrollment process, Samsung Knox Mobile Enrollment allows for bulk provisioning and pre-configuring the device fleet. The profile remains on the device even after a factory reset. So if the device is stolen, it cannot be repurposed and is locked to the Esper profile. It’s also a great way to efficiently move from other device management systems, including Knox, to Esper. With success stories from Esper customers onboarding thousands of devices using Samsung Knox Mobile Enrollment, get in touch with us today to onboard your large number of devices.