To get started, Knox Mobile Enrollment requires at least one set of credentials to enroll devices with. Every device in Knox Mobile Enrollment must be associated with a user credential. The credentials can be either Basic or Directory. Staging users are also supported for both single-user and multi-user staging. Single-user staging supports both standard and advanced staging.

For more details on how to create staging users, see Stage a Single-User Device and Stage a Multi-User Device.

Setting up the Knox Mobile Enrollment Console

The Knox Mobile Enrollment Console is available as part of the Knox web account. From here, you can add devices and associate them with the enrollment settings that will be applied to them. To get to the Knox Mobile Enrollment console, log in to https://www.samsungknox.com and select Launch Mobile Enrollment to get started.

The basic steps in setting up Knox Mobile Enrollment are:

  1. Create an MDM profile.
  2. Enter IMEIs or serial numbers of the devices to be enrolled. Samsung validates the device information in the background, and the result is shown in the status field. Once the status shows the device is ready to enroll, turn on the device from its factory state.
  3. Associate each device with user credentials for enrollment.
  4. Instruct users to accept the prompt to enroll devices.

Creating an MDM Profile

Before you begin enrolling devices, you must create an MDM profile with the AirWatch Agent, the Samsung ELM Service, and AirWatch Console tenant information. When you use Knox Device Mobile Enrollment for the first time, you are automatically directed to the MDM profile creation page.

The first thing required is the URL of the console into which your devices will enroll. Enter it as the MDM Server URI value. The MDM Server URI can be either https://consoleservername.com or deviceservicesservername.com. The https:// prefix is only included if you are using a console server. If you are using a Device Services URI, you do not have to include the HTTPS:// or HTTP:// protocol in the field.

Once that has been entered, you will be prompted to enter a Profile Name and Description. This will help distinguish different profiles that may be associated with different devices.

Next, add links to the APKs required for enrollment. These are the AirWatch Agent and the Samsung ELM Service applications. They will be downloaded without requiring end-user interaction to accept the install. Additionally, you may send down other applications as well. The primary APK, which is the AirWatch Agent, must be selected as the one managing Knox on the device.

MDM Agent APK URL: https://discovery.awmdm.com/mobileenrollment/airwatchagent.apk

ELM App APK URL: https://discovery.awmdm.com/mobileenrollment/samsungelmservice.apk

Next, the custom JSON data is where you configure which Organization Group in the console's architectural hierarchy the device will enroll into. The format is {"groupid":"groupname"}. This is the only JSON data required for enrollment.

Lastly, you can configure an End User License Agreement (EULA) that must be accepted before enrollment begins. This EULA will supersede the EULA sent down from the console as part of the enrollment process.

Once a profile is created, it can be edited from the Knox Mobile Enrollment Portal.

Adding Devices and Credentials

The devices are uploaded in a .CSV format containing the following information:

  • IMEI or serial number
  • Username
  • Password

Any additional information can be added into the fourth column if required.

The required format is also provided for reference, along with a template to follow.
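
A pre-upload check for the device CSV described above, as an added example that is not part of the original page or of Samsung's or AirWatch's tooling. It assumes no header row, that a 15-digit numeric identifier is an IMEI (whose last digit is a Luhn check digit), and that serial numbers are alphanumeric; the function names and sample rows are constructed for illustration.

```python
import csv
import io

def luhn_ok(digits):
    """True if the final digit is a valid Luhn check digit (as used by IMEIs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def check_device_csv(csv_text):
    """Return a list of problems; an empty list means the file looks clean."""
    problems, seen = [], set()
    for n, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        cells = [c.strip() for c in row]
        if not any(cells):
            continue                # skip blank lines
        if len(cells) not in (3, 4):
            problems.append(f"row {n}: expected 3 or 4 columns, got {len(cells)}")
            continue
        dev_id, user, password = cells[:3]
        if dev_id.isascii() and dev_id.isdigit() and len(dev_id) == 15:
            if not luhn_ok(dev_id):  # assumption: 15 digits means IMEI
                problems.append(f"row {n}: IMEI fails Luhn check digit")
        elif not (dev_id.isascii() and dev_id.isalnum()):
            problems.append(f"row {n}: identifier is not an IMEI or serial")
        if dev_id in seen:
            problems.append(f"row {n}: duplicate device identifier")
        seen.add(dev_id)
        if not user or not password:
            problems.append(f"row {n}: missing username or password")
    return problems

# Constructed sample rows (not real devices or credentials).
SAMPLE = """\
490154203237518,staging_user1,ExamplePass1
490154203237519,staging_user1,ExamplePass1
R58M123ABCD,jdoe,ExamplePass2,Sales
490154203237518,jdoe,ExamplePass2
R58MXYZ0001,,
"""

if __name__ == "__main__":
    for problem in check_device_csv(SAMPLE):
        print(problem)
```

Because the file holds enrollment usernames and passwords in clear text, run the check locally and delete the CSV once the upload has been accepted.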

Once the devices have been uploaded, you can assign an MDM profile to the list of devices you are adding. The devices have now been added, and you will be able to see which devices are associated with which profile.

The Knox Mobile Enrollment tool verifies your purchase details to ensure that each device is enrolled in the proper enterprise. Along with the device information, you must provide purchase details including:

  • Name of the reseller
  • Contact information of the reseller
  • Customer or Invoice ID so your reseller can recognize the transaction.

After submitting the devices, you will receive an email with a rejection reason if some of the devices are rejected. After correcting any errors, resubmit the devices. If the devices are accepted, they are queued for verification once Samsung receives the device list and purchase information from carriers and distributors. Should there be delays, please escalate to your Samsung Representative.

Only Samsung Knox 2.4+ and TIMA-enabled devices are supported out of the box by the Samsung Knox Mobile Enrollment tool. Devices also have to be connected to Wi-Fi, and end users must agree to download and install the MDM agent in order for the device to successfully enroll in the enterprise.