What is Knox Enrollment Service | KME Setup & Bypass
Is your company deploying a large number of devices and finding the enrollment process a bit challenging? Knox Enrollment Service simplifies bulk device setup, making it an essential tool for enterprises looking to save time and effort.
However, setting it up can be a little bit tricky. This article will provide an in-depth look at Knox Enrollment, outlining its key features and how it can transform your device management process.
1. What is Knox Enrollment Service?
To explain the phrase, we first need to understand how Samsung Knox works. The workflow can be summarized as enroll > configure > apply > monitor > update.
As you can see, the Knox platform is essentially based on a terminal-to-terminal connection that draws on IoT technology, and enrollment is the essential step that establishes this connection. By enrolling devices, your Samsung phones and other devices are bound to the Samsung Knox platform so that subsequent management tasks can be carried out.
Therefore, Knox enrollment service refers to the initial step of deploying devices to Samsung Knox. More precisely, it is the process and feature of binding Samsung devices to the Knox platform and granting the platform certain access for management and monitoring.
The enrollment service involves another term: Samsung Knox Mobile Enrollment. The two are the same thing; Knox Mobile Enrollment (KME) is simply the official product name and a component of Knox Suite. It is best suited to automated enrollment of corporate-owned Samsung devices.
2. Processes of Bulk Device Enrollment with KME
Requirements
Samsung Knox Mobile Enrollment streamlines the setup of Samsung Galaxy devices across large organizations. To use the service, the devices must meet certain requirements:
- Devices must be Samsung Galaxy devices running Knox version 3.0 or higher, purchased from a reseller participating in the Knox Deployment Program.
- IT administrators play a key role in Knox Enrollment: they create and manage device profiles, including settings and restrictions that can be applied to multiple devices.
- To facilitate the process, they work closely with approved resellers, who upload device IDs to the Knox Reseller Portal for integration into Knox Mobile Enrollment. These IDs allow for the automatic enrollment of devices when they power on and connect to a network, enabling secure, hands-free setup.
- For devices not purchased through a reseller, the Knox Deployment App can still be used to manually enroll them into the system.
How Does It Work?
Knox Mobile Enrollment (KME) simplifies the bulk enrollment of Samsung devices into enterprise mobility management (EMM) systems through an automated process.
- It starts with the IT administrator collaborating with a Samsung-approved reseller.
- The reseller uploads the device IDs of the purchased devices to the Knox Reseller Portal, ensuring that only verified devices are enrolled.
- Once the device list is uploaded, the IT admin receives a notification and approves the enrollment in the Knox Mobile Enrollment Portal.
- From there, the IT admin assigns a configuration profile to the devices, which includes specific settings, restrictions, and apps that need to be preloaded.
- If reseller preferences are configured, future device uploads can be automatically approved and assigned profiles, further automating the process.
- Once the profile is assigned, the devices are enrolled into the EMM system. Users simply unbox their devices, and upon booting, the configurations are automatically applied without any manual input required, ensuring a seamless user experience.
How to Use Knox Enrollment Service? (Full Guide)
Knox Enrollment Service is available to enroll Samsung smartphones, phablets, tablets, rugged devices, and wearable devices.
Step 1: Sign up for Knox Mobile Enrollment and access the admin console.
If you're completely new to Samsung Knox, you should get a Samsung account first. You can get one via this link.
Then, use your account to log into the Samsung Knox Admin Portal to access Knox Mobile Enrollment. Here is the official entrance: Knox Admin Portal.
Step 2: Create a profile with MDM/EMM details to configure out-of-box device settings.
On the left navigation bar, you can see Knox Mobile Enrollment. Expand it and click 'Profiles' > 'CREATE PROFILE'.
You need to choose a profile type: either 'ANDROID ENTERPRISE' or 'ANDROID ENTERPRISE (ADVANCED)'.
Both are methods to obtain enrollment and management permissions for devices but with differences in features. The advanced type has more controls for locking, such as auto-lock, remote lock, or unlock.
Next, complete the profile details after selecting a type. You need to fill in three pieces of EMM information:
- Pick your EMM: choose the product name from the drop-down list.
- EMM Agent APK: add the APK of the EMM's supporting agent; it is installed on enrolled devices automatically.
- EMM Server URI: used to download the device configurations provided by the EMM you picked.
Now you will come to the Android Enterprise profile settings page.
There are two panels: EMM CONFIGURATION and DEVICE SETTINGS. For the former, contact your EMM solution provider to get the JSON data and certificates. Note that 'QR code for enrollment' is only for Android 10+ devices. In the latter, DEVICE SETTINGS, you can choose to disable or enable system apps. The 'Android Legacy admin profile' is optional; add it only if needed.
Step 3: Add a reseller so that information on your purchased devices is uploaded automatically.
Go to the 'Resellers' menu and click 'REGISTER RESELLER.'
On this screen, a Reseller ID is required. Contact your reseller to get it, and provide your customer ID to the reseller as well.
The reseller ID is typically 10 digits long. After entering it, set up 'Manage reseller preferences' based on your needs, such as auto-approving all devices uploaded by this reseller and auto-assigning a profile to devices uploaded by this reseller.
Step 4: Add a device user to create credentials for your employee.
In 'Device Users', click 'ADD DEVICE USERS' to set up User ID and the corresponding password. You can also add in bulk by importing a CSV file.
This info will be used for device configuration in the next step.
Source: docs.samsungknox.com
Step 5: Configure devices individually or in bulk
Go to 'Devices' to view device lists.
Please follow these steps if you have not set up automatic operations in the processes mentioned above:
1) Tick the checkbox in front of the IMEI/MEID number. You can act on multiple devices at once by ticking several of them.
2) Click the 'ACTION' button and select 'Configure devices'.
3) In the popup window, choose the profile that you want to apply to the devices, as well as the user credentials.
4) Click 'SAVE' when everything is configured.
Tips for configuring devices in bulk:
1) Go to 'BULK ACTIONS' and click 'ASSIGN USER CREDENTIALS AND PROFILE.'
2) Then, on the Bulk Configure page, upload the CSV file with device IDs, user IDs, and passwords. Next, click 'SUBMIT.'
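A pre-upload check for the bulk-configure CSV, added here as an example and not taken from Samsung's documentation or tooling: it validates IMEI check digits (Luhn) and MEID format, and flags duplicate device IDs, missing credentials, and passwords shared between rows. The column names `device_id`, `user_id`, `password` and the sample rows are assumptions; match them to the template the portal provides.

```python
import csv
import io
import re
from collections import Counter

def luhn_ok(digits: str) -> bool:
    """Luhn check used for the final digit of a 15-digit IMEI."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def device_id_ok(dev: str) -> bool:
    if re.fullmatch(r"\d{15}", dev):                    # IMEI
        return luhn_ok(dev)
    return bool(re.fullmatch(r"[0-9A-Fa-f]{14}", dev))  # MEID (14 hex digits)

def check_bulk_csv(text: str) -> list:
    """Return findings (empty list = passed). Column names are assumed here."""
    rows = list(csv.DictReader(io.StringIO(text)))
    findings = []
    seen = Counter(r["device_id"].strip() for r in rows)
    pw_use = Counter(r["password"] for r in rows if r["password"])
    for n, r in enumerate(rows, start=2):               # line 1 is the header
        dev = r["device_id"].strip()
        if not device_id_ok(dev):
            findings.append(f"line {n}: invalid IMEI/MEID {dev!r}")
        if seen[dev] > 1:
            findings.append(f"line {n}: duplicate device ID {dev!r}")
        if not r["user_id"].strip() or not r["password"]:
            findings.append(f"line {n}: missing user ID or password")
        elif pw_use[r["password"]] > 1:
            findings.append(f"line {n}: password shared with another row")
    return findings

# Constructed sample data, not real devices or credentials.
SAMPLE = """device_id,user_id,password
490154203237518,alice,Vq7-example-1
490154203237519,bob,Vq7-example-2
A10000009296F2,carol,Vq7-example-1
490154203237518,dave,
"""

if __name__ == "__main__":
    for finding in check_bulk_csv(SAMPLE):
        print(finding)
```

Because the file holds plaintext device-user passwords, run the check locally and delete the file once the upload has succeeded.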
Step 6: Power on the device to complete device enrollment
After the Samsung device has been shipped to your employee, there is still one final step left. The IT admin can guide the employee to finish Knox Mobile Enrollment:
1) Turn on the device and connect to WiFi.
2) Tap 'Continue' on screen, and then 'Next' for agreement.
3) Enter the assigned User ID and Password, and tap 'Confirm.'
The device will automatically enroll in the MDM/EMM platform and run the configured profile, for example, auto-installing apps and applying system settings.
3. Advantages, Limitations and Results of Using KME
Advantages
- KME simplifies the bulk enrollment process by automating device setup, removing the need for manual configuration. IT administrators no longer need to handle each device individually, as KME allows them to push specific configurations, policies, and settings to all devices at once.
- It reduces wasted time, especially for large organizations managing hundreds or thousands of devices. Security is another major plus, as the system ensures devices are enrolled, configured, and brought under control as soon as they power on and connect to the network.
- Most importantly, it reduces the risk of misconfigured devices being used in an unsecured state, offering enhanced protection for sensitive company data.
Limitations
- First, it only supports Samsung Galaxy devices running Knox version 3.0 or higher/Android 8.0 or higher, limiting compatibility for organizations using a diverse range of devices.
- While the system simplifies device deployment in the long run, the initial setup can be complex, requiring careful planning and coordination between IT administrators and resellers.
AirDroid Business - MDM Supports Zero-Touch Enrollment
AirDroid Business is a device management solution that can be used to enroll, manage, secure and monitor large fleets of devices. With the centralized platform, organizations are able to deploy smartphones, tablets, rugged devices and others easily. It provides multiple flexible enrollment methods, and it is available for Cloud Deployment and On-Premises Deployment.
4. Comparing Different Enrollment Methods
Let's dive into the nitty-gritty of Android enrollment methods and see how they stack up for enterprise deployment:
Other enrollment methods
- Zero-Touch Enrollment: An effective method to enroll devices in bulk without manual device manipulation.
- Device Owner (DO) Enrollment: An enrollment method which allows MDM to gain full control over your devices by obtaining Device Owner permission.
- Quick-Deploy Installation Package: Devices can install the MDM client package with a single click, eliminating the need for individual device operation.
Comparison Table
Method | Setup Process | Ecosystem | Supported Devices | Security Level
---|---|---|---|---
Knox Mobile Enrollment | Full-automatic | Samsung | Samsung devices that are running Knox version 3.0 or higher and purchased from a reseller participating in the Knox Deployment Program. | ⭐⭐⭐ Basic security functions
Zero-touch Enrollment | Full-automatic | | A device running Android Pie (9.0) or later*, a compatible device running Android Oreo (8.0), or a Pixel phone with Android Nougat (7.0), purchased from a reseller partner | ⭐⭐⭐ Basic security functions
DO Enrollment | Semi-automatic | Android | Android 7.0 or above | ⭐⭐⭐⭐⭐ Broader device control and security policies
Quick-deploy Installation Package | Semi-automatic | Android | Android 4.0 or above | ⭐⭐⭐ Basic security functions
Note:
- Full-automatic methods like KME and ZTE are the holy grail of efficiency. Imagine dropping a device on an end user's desk, and it's already provisioned and ready to go. No manual config, no headaches.
- Semi-automatic methods, like DO Enrollment and Quick-deploy Packages, require users to complete some configurations during the initial setup. However, subsequent configurations can be efficiently managed in bulk by IT personnel through the MDM dashboard.
- In terms of device support, the ranking is: Quick-deploy Installation Package > DO > Zero-touch > KME.
Best For
KME, while limited to Samsung devices with Knox, excels in environments standardized on this platform. For Samsung-centric environments requiring rapid, large-scale deployment, KME is the optimal choice.
Zero-touch enrollment is well-suited for modern Android environments, offering a good balance of compatibility and ease of use for current-generation devices. Organizations managing a diverse fleet of newer Android devices should consider Zero-touch enrollment.
DO Enrollment provides comprehensive device support coupled with advanced security features, appealing to organizations with stringent compliance requirements. High-security environments demanding granular control and robust compliance measures should prioritize DO Enrollment.
Quick-deploy Installation Package offers the broadest support, particularly for legacy Android devices, making it an invaluable tool for organizations with diverse device ecosystems. Enterprises supporting a wide range of Android versions will benefit from the versatility of Quick-deploy Installation Packages.
Each method has its sweet spot. It's all about aligning with your infrastructure, security requirements, and operational workflow.
5. How To Remove Knox Enrollment Service?
Removing KME can be a bit tricky since it's designed to keep devices managed under organizational control. There are two main methods to go about this: the official way through Samsung and a riskier route involving third-party tools.
Method 1: Official Removal Process
Remove Device from EMM/MDM Admin Console: The first step is contacting your IT administrator to remove the device from the organization's EMM (Enterprise Mobility Management) or MDM (Mobile Device Management) system. This will deregister the device and lift the Knox management policies.
Access the Samsung Knox Portal: Next, the administrator will log in to the Samsung Knox Portal and complete the removal process from the Knox system. This will free up the device from any restrictions tied to the organization.
Factory Reset the Device: Once unenrolled, perform a factory reset to remove any remaining traces of Knox policies. After the reset, the device should be clean, without organizational restrictions.
Method 2: Using Third-Party Tools
Some third-party tools claim they can bypass the Knox lock (often by forcibly triggering a factory reset), which may seem like a workaround. However, in most cases, Knox-enrolled devices will still be under organizational control after the reset, due to built-in security features.
Given the risks, we strongly advise against using these tools. Sticking with the official method is always the safest and most reliable route:
- If the bypass fails, your device could become permanently locked or even bricked.
- The results are often unpredictable and may void your device's warranty or render it unusable.
You May Be Interested
Knox Mobile Enrollment integrates with several MDM/EMM solutions to streamline device management. Compatible partners include: VMware AirWatch, BlackBerry UEM, Citrix Endpoint Management, Samsung Knox Manage, IBM MaaS360, MobileIron MDM, SOTI MobiControl, Microsoft Intune, 7P EMM.
Knox Deployment app is a mobile app to enroll non-eligible-for-KME Samsung phones and tablets in Knox Manage or Knox Configure. It has three enrollment methods - NFC deployment, Bluetooth deployment, and Wi-Fi Direct deployment. To use the app, you need to have it installed on an IT admin's device and use a Samsung Knox Admin Portal account.
Knox Mobile Enrollment Direct is on-premise software that is installed on a laptop or PC running Windows 10. KME and KME Direct are the same in function; KME Direct just requires more steps during setup.
Free. You don't have to pay to use the Samsung enrollment services. Moreover, no license is required.
Some other Knox Suite tools, like Knox Manage and Knox Platform for Enterprise, require a license, which you need to purchase to gain the right to use the service. Knox Mobile Enrollment, however, lets you use all of its features without a license.