To prepare for Samsung Knox Mobile Enrollment, determine your enrollment type, set up user credentials, configure the Knox Mobile Enrollment Console, and create MDM profiles to deploy and configure devices.

Enrollment Types

There are several ways to enroll devices for Knox Mobile Enrollment, including fully automatic enrollment, staging enrollment, end-user authentication with existing corporate credentials, and token enrollment. Both Android Work Managed and Android (Legacy) enrollment are supported.

Users enrolling with user credentials enter their username and password when prompted on the device.

Simplify device enrollment with token enrollment instead of user credentials. Send end users a unique token to enroll their devices into AirWatch.

Setting up Enrollment Credentials from the Workspace ONE UEM console

To get started, Mobile Enrollment requires at least one set of credentials to enroll devices with. Every device in Knox Mobile Enrollment must be associated with a user credential. The credentials can be either Basic or Directory. Staging users are also supported, for both single-user and multi-user staging. Single-user staging supports both standard and advanced staging. Standard staging users need to sign in to

Setting up the Knox Mobile Enrollment Console

The Knox Mobile Enrollment Console is available as part of the Knox web account. From here, you can add devices and associate them with the enrollment settings that will be applied to them. To get to the Knox Mobile Enrollment console, log in to https://www.samsungknox.com and select Launch Mobile Enrollment to get started.

The basic steps in setting up Knox Mobile Enrollment are:
  1. Create an MDM profile.
  2. Enter IMEIs or serial numbers of the devices to be enrolled. The devices are ready to enroll after Samsung validates the device information in the background; the result is shown in the status field. Once the status says ready to enroll, turn on the device from its factory state.
  3. Associate each device with user credentials for enrollment.
  4. Instruct users to accept the prompt to enroll devices.

Creating an MDM Profile

Before you begin enrolling devices, you must create an MDM profile with the Workspace ONE Intelligent Hub, the Samsung ELM Service, and the Workspace ONE UEM console tenant information. When you use Knox Mobile Enrollment for the first time, you are automatically directed to the MDM profile creation page.

The first thing required is the URL of the console into which your devices will enroll. Enter this as the MDM Server URI value. The MDM Server URI can be either https://consoleservername.com or deviceservicesservername.com. The https:// prefix is only included if you are using a console server. If you are using a Device Services URI, you do not have to include the HTTPS:// or HTTP:// protocol in the field.

Once that has been entered, you will be prompted to enter a Profile Name and Description. This will help distinguish different profiles that may be associated with different devices.

Next, add links to the APKs required for enrollment. These are the Workspace ONE Intelligent Hub and the Samsung ELM Service applications. They will be downloaded without requiring end user interaction to accept the install. You may also send down other applications. The primary APK, which is the Workspace ONE Intelligent Hub, must be selected as the one managing Knox on the device.

MDM Hub APK URL: https://discovery.awmdm.com/mobileenrollment/airwatchagent.apk

ELM App APK URL: https://discovery.awmdm.com/mobileenrollment/samsungelmservice.apk

Next, the custom JSON data is where you configure which Organization Group in the console's architectural hierarchy the device will enroll into. The required format is {"groupid":"groupname"}. This is the only JSON data required for enrollment.

Lastly, you can configure an End User License Agreement (EULA) that should be accepted before beginning enrollment. This EULA will supersede the EULA set down from the console as part of the enrollment process.

Once a profile is created, it can be edited from the Knox Mobile Enrollment Portal.
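The MDM profile fields described in this section can be checked before they are pasted into the portal. The following is an added example, not code from Workspace ONE UEM or Samsung: the function names and the example.com hosts are hypothetical, "groupid" is read as the literal key of the custom JSON, and rejecting plain http:// links is a policy assumption of the example.

```python
import json
from urllib.parse import urlsplit

SMART_QUOTES = "\u201c\u201d\u2018\u2019"   # curly quotes often picked up from documents

def check_server_uri(uri):
    """Console server form carries https://; Device Services form may omit the scheme."""
    problems = []
    if "://" in uri:
        parts = urlsplit(uri)
        if parts.scheme.lower() != "https":      # assumption: never accept http://
            problems.append("MDM Server URI: scheme must be https")
        host = parts.hostname
    else:
        host = urlsplit("//" + uri).hostname     # scheme-less Device Services host
    if not host or "." not in host:
        problems.append("MDM Server URI: no valid host name")
    return problems

def check_custom_json(text):
    """The custom JSON must parse and carry a non-empty 'groupid' string."""
    if any(q in text for q in SMART_QUOTES):
        return ["custom JSON: contains typographic quotes; use straight quotes"]
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"custom JSON: not valid JSON ({exc.msg})"]
    if not isinstance(data, dict):
        return ["custom JSON: must be a JSON object"]
    group = data.get("groupid")
    if not isinstance(group, str) or not group.strip():
        return ["custom JSON: 'groupid' must be a non-empty string"]
    return []

def check_profile(server_uri, apk_urls, custom_json):
    """Collect every problem found in one MDM profile's inputs."""
    problems = check_server_uri(server_uri)
    for url in apk_urls:
        parts = urlsplit(url)
        # APKs install without user interaction, so the link must not be downgradable.
        if parts.scheme.lower() != "https" or not parts.path.lower().endswith(".apk"):
            problems.append(f"APK URL must be an https link to an .apk file: {url}")
    return problems + check_custom_json(custom_json)

if __name__ == "__main__":
    # Constructed inputs: console.example.com and the group name are placeholders.
    apks = ["https://discovery.awmdm.com/mobileenrollment/airwatchagent.apk",
            "https://discovery.awmdm.com/mobileenrollment/samsungelmservice.apk"]
    print(check_profile("https://console.example.com", apks, '{"groupid":"groupname"}'))
```
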

Adding Devices and Credentials

The devices are uploaded in a .CSV format containing the following information:

  • IMEI or serial number
  • Username
  • Password

Any additional information can be added into the fourth column if required.

Knox Mobile Enrollment supports token-based enrollment, where Workspace ONE UEM generates a token that is used to enroll devices instead of users entering a username and password when prompted during device enrollment. Simply leave the Username and Password fields blank and the user enters the token provided in the Group ID field when prompted during enrollment.

The required format is also provided for reference as is a template to follow.
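Because the upload file carries one credential pair per device, it is worth linting before it leaves the administrator's machine. The following is an added example, not part of the Knox or Workspace ONE tooling: it assumes a CSV without a header row, treats any 15-digit numeric identifier as an IMEI (whose last digit is a Luhn check digit) and anything else as a serial number, and uses constructed sample rows.

```python
import csv
import io

def luhn_ok(digits):
    """An IMEI is 15 digits whose last digit is a Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def lint_device_csv(text):
    """Return (rows, problems); passwords are checked for presence only, never echoed."""
    rows, problems, seen = [], [], set()
    for row_no, rec in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not any(f.strip() for f in rec):
            continue                # blank line
        ident, user, password = ([f.strip() for f in rec] + ["", "", ""])[:3]
        if not ident:
            problems.append((row_no, "missing IMEI or serial number"))
            continue
        # Assumption: a 15-digit numeric identifier is an IMEI, anything else a serial.
        is_imei = ident.isascii() and ident.isdigit() and len(ident) == 15
        if is_imei and not luhn_ok(ident):
            problems.append((row_no, "IMEI check digit mismatch"))
        if ident in seen:
            problems.append((row_no, "duplicate device identifier"))
        seen.add(ident)
        if user and password:
            mode = "credentials"
        elif not user and not password:
            mode = "token"          # blank Username and Password: token enrollment
        else:
            mode = "invalid"
            problems.append((row_no, "username and password must both be set or both blank"))
        rows.append((ident, mode))
    return rows, problems

# Constructed sample rows: identifier, username, password.
SAMPLE_CSV = """\
490154203237518,jdoe,ExamplePass1
R58M12ABCDE,,
490154203237519,asmith,ExamplePass2
R58M34FGHIJ,bwong,
490154203237518,,
"""

if __name__ == "__main__":
    for row_no, message in lint_device_csv(SAMPLE_CSV)[1]:
        print(f"row {row_no}: {message}")
```
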

Once the devices have been uploaded, you can assign an MDM profile to the list of devices you are adding. The devices have now been added, and you will be able to see which devices are associated with which profile.

The Knox Mobile Enrollment tool verifies your purchase details to ensure that each device is enrolled in the proper enterprise. Along with the device information, you must provide purchase details including:

  • Name of the reseller
  • Contact information of the reseller
  • Customer or Invoice ID so your reseller can recognize the transaction.

After submitting the devices, you will receive an email with a rejection reason if some of the devices are rejected. After correcting any errors, resubmit the devices. If the devices are accepted, they are queued for verification once Samsung receives the device list and purchase information from carriers and distributors. Should there be delays, please escalate to your Samsung Representative. Only Samsung Knox 2.4+ and TIMA-enabled devices are supported out of the box by the Samsung Knox Mobile Enrollment tool. Devices also have to be connected to Wi-Fi, and end users must agree to download and install the MDM Hub in order for the device to successfully enroll in the enterprise.