1. What is Knox Mobile Enrollment (KME)?

Knox Mobile Enrollment is the quickest and most automated way to enroll a large number of devices in FAMOC for corporate use. After a device is added to the dedicated KME platform, it automatically attempts to complete integration with the MDM platform until enrollment succeeds. After a device wipe, KME also starts the automatic re-enrollment process.


For more information, visit the Samsung KME page:

https://www.samsungknox.com/en/solutions/it-solutions/knox-mobile-enrollment

  2. Requirements for KME

To use Knox Mobile Enrollment, you need:


  • A Samsung account. For more information, go to: Create your Samsung accounts.

  • A Knox Portal account. For more information, go to: Create your Samsung accounts.

  • Samsung Knox devices running Knox version 2.4 or higher. Some devices lacking a device root key (DRK) support enrollment using a Knox 2.4.1 binary. List of all KNOX 2.4+ devices.

https://www.samsungknox.com/en/knox-platform/supported-devices/2.4+

  • [ON-PREMISE] The correct firewall exceptions needed to extend beyond your local and protected network domain and securely connect to the Knox Mobile Enrollment server. For more information, go to: Firewall exceptions.

  • A KME supported browser (Internet Explorer, Firefox, and Chrome). Internet Explorer is not recommended if using an on-premise MDM.

  • Permission to access Knox Mobile Enrollment features, obtained by requesting access on Knox Mobile Enrollment. For more information, go to Getting KME access.

  3. KME process overview and workflow

Enterprise IT admins purchase devices from carriers, resellers, or distributors and provide their unique customer IDs. The devices are validated for correctness by their sellers in KME, and shipped to end users who open the box and boot their device.

The following steps describe the KME process flow activities shown in the illustration above:

  1. An IT Admin and Reseller/Carrier create accounts in KME and RP respectively. They then exchange their IDs within KME using the Customer ID and Reseller ID.

  2. The Enterprise IT Admin purchases devices from their Reseller/Carrier.

  3. The Reseller uploads the list of purchased device IDs to the Reseller Portal.

  4. The device ID list is shared between the Reseller Portal and KME.

  5. The IT Admin is notified by email that their Reseller/Carrier has uploaded their devices.

  6. The IT Admin approves the device upload. Approvals can be made automatically for trusted Resellers/Carriers.

  7. The IT Admin configures the devices by assigning them to an MDM profile and optionally adding username/password information to each device. Devices can be automatically assigned to a profile.

  4. How to add devices to the KME portal

Go to http://www.samsungknox.com/en and sign in to your account.


Run Knox Mobile Enrollment options by pressing the “Launch console” button.

 

    1. Device purchased from official reseller 

When a device is purchased from a reseller, the reseller can automatically upload the device to your KME account. The uploaded devices display within the DEVICES > Uploads page.

The Resellers screen displays a list of resellers, their corresponding reseller ID, default enrollment profile and upload approval preference. Each reseller displays as a link that can be selected to edit that reseller's profile and approval preferences.

To add a reseller:

  1. Contact your carrier or reseller for their required Reseller ID by providing your own Customer ID (it can be found by clicking on your initials in the upper right corner).

  2. Select Resellers from the left-hand navigation menu.

NOTE - The Resellers screen lists your Customer ID that you will need to provide to your reseller. Be sure to make a note of it, as it does not appear any place else in the Knox Mobile Enrollment console.


  3. Select the REGISTER RESELLER button from the top, right-hand side of the Resellers screen.

  4. Enter the Reseller ID provided by your reseller. Once entered, select the newly displayed LOOK UP button. Wait momentarily until a Reseller found confirmation displays the successful identification of the reseller. If you encounter errors with the ID, contact your reseller to ensure it is correct.

  5. Select the REGISTER button.

  6. Refer to the Preferences portion of the Manage reseller preferences screen and set the following device upload and profile assignment preferences for device uploads:

  • Auto approval

    • Automatically approve all devices uploaded from this reseller - The information uploaded by this reseller into device inventory is automatically approved, both now and for future uploads.

  • Auto assign profile after approval - Use the drop-down menu to select the default profile assigned to devices uploaded by this particular reseller once either manually or automatically approved.

  7. Click SAVE to commit the reseller management updates.

    2. Adding a device to KME manually using the Knox Deployment App, without an official reseller

The Knox Deployment App can be downloaded from the Google Play Store.

This section describes the screen flow navigation for a typical enrollment using the Knox Deployment App.

  1. Select SIGN IN once the Knox Deployment App launches on the device.

NOTE — If the Knox Deployment App is already running on the device, the initial screen does not display, and the application displays the sign in screen.

  2. Enter the Knox Portal Username and Password to log in to the Knox Deployment App.

  3. Select Remember me to display and utilize the username in subsequent Knox Deployment App logins.

NOTE — If you encounter difficulty logging in to the Knox Deployment App, ensure you have a valid Knox Portal account with privileges for KME. If that is not the issue, select Forgot your email or password? for assistance retrieving your login credentials.

  4. Select SIGN IN to proceed with the device login.

Once you have successfully logged into the Knox Deployment App, a WELCOME screen displays providing first-time options for profile selection and deployment mode.

NOTE — Once the Knox Deployment App profile selection and configuration mode are set, the selected options display within their respective fields, the START DEPLOYMENT option enables, and the Welcome portion of screen no longer displays in subsequent logins.


Select a profile to apply specific device settings to a master/admin device used to enroll end user devices.

To select a configuration profile using the Knox Deployment App:

  1. Select Tap here to select a profile from the Welcome screen to display a list of profile selection options.

  2. Optionally filter whether All profiles are listed for potential selection or just Knox Configure or Knox Mobile Enrollment defined profiles.

  3. If there are no profiles available, a profile must be created using Knox Mobile Enrollment, as described in Creating profile in FAMOC.

  4. Select a listed profile. Once selected, the profile displays upon subsequent logins. The profile is now ready for Bluetooth, NFC, or Wi-Fi Direct deployment mode selection as described in the sections that follow.

After beaming the enrolment information, go to the Devices -> All Devices tab, where a new record has been created. You can check the enrolment method by hovering the cursor over the submitted date.

  5. FAMOC and Knox Mobile Enrollment integration

Log in to your FAMOC account and choose one of two possibilities. 

  1. Go to Settings -> Android -> Samsung KME and press Bulk Enrollment




  2. Or use the second method, from the Devices tab:

Click on the DEVICES tab, then hover over the icon and choose Bulk enrollment, and Samsung KME.

    1.  KME configuration in FAMOC

Either method from the previous section opens a short configurator.



  1. Sign in to Knox Mobile Enrollment Portal with your credentials. 

 

Run Knox Mobile Enrollment options by pressing the “Launch console” button.

 


  2. Go to MDM Profiles and click Create Profile, selecting one of the profile types:


a) DEVICE OWNER - For fully managed or dedicated devices.

b) DEVICE ADMIN - Legacy method of managing devices. Being replaced by Device owner.

  3. Pick FAMOC from the MDM list and paste the MDM Server URI using the copy button:

Example format for URI: xxx.xxxxxx.xxx/

  4. Choose a name for your profile and add the link to the FAMOC APK using the copy button:

Example format for APK link: https://xxx.xxxxxx.xxx/kme/index.php/S4hShnevBYtvhmWafrheFsSmX1k6yL6Q

  5. [OPTIONAL] To enroll a device with user credentials or a bootstrap code in Device Owner from KME, the administrator must provide custom JSON data in the MDM profile. The JSON should look like:


{"enrollment_type":"credentials, bootstrap_code"}


Valid enrollment_type values:

"credentials"

"bootstrap_code"

"credentials, bootstrap_code"


If the administrator does not provide custom JSON data, the device will be enrolled silently, or both enrollment options (credentials, bootstrap code) will be displayed to the user if there is no CSV record for this device.


  6. Press Next, go to Devices -> All Devices on the Samsung KME portal, and download the devices as CSV.

  7. Drop your CSV or choose a file from local storage.

  8. Choose Default user or Device Groups for the imported devices and press Next.

  9. A list of successfully imported devices will be shown:

  10. Press Next and click the Download device list button.

  11. Go back to the Samsung KME portal, select Bulk Actions -> Bulk Configure and upload the CSV file downloaded from FAMOC.

  12. An additional popup will appear if the Bulk Configuration was submitted correctly.

  13. Go back to FAMOC and press Close.

  14. Choose the option “Go to device list” to see the newly imported list.

After the device wipe or its initial setup, the device will enroll to FAMOC automatically.
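
Added example (not part of the FAMOC or Samsung documentation): a pre-flight check for the optional custom JSON data and the APK link before they are pasted into the KME MDM profile in the steps above. It accepts only the three enrollment_type strings listed on this page; the https requirement for the APK link, the helper names check_custom_json and check_apk_link, and the famoc.example.com sample values are assumptions made for this example.

```python
import json
from urllib.parse import urlsplit

# enrollment_type strings this page lists as valid -> options offered to the user
VALID_TYPES = {
    "credentials": ("credentials",),
    "bootstrap_code": ("bootstrap_code",),
    "credentials, bootstrap_code": ("credentials", "bootstrap_code"),
}

def check_custom_json(text):
    """Check the custom JSON data of a Device Owner profile; returns (ok, detail)."""
    if text is None or not text.strip():
        # Documented on this page: no custom JSON means silent enrollment,
        # or both options shown when the device has no CSV record.
        return True, "empty: silent enrollment, or both options if no CSV record"
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        # Frequent cause: curly quotes pasted from a document or e-mail.
        return False, f"not valid JSON ({exc.msg}, position {exc.pos})"
    if not isinstance(data, dict) or "enrollment_type" not in data:
        return False, "expected a JSON object with an 'enrollment_type' key"
    value = data["enrollment_type"]
    if not isinstance(value, str) or value not in VALID_TYPES:
        return False, f"enrollment_type {value!r} is not a value listed on this page"
    return True, "user is offered: " + ", ".join(VALID_TYPES[value])

def check_apk_link(url):
    """Assumption, not a documented FAMOC rule: the APK link must be https with a host."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return False, f"scheme is {parts.scheme or 'missing'!r}, expected 'https'"
    if not parts.hostname:
        return False, "no host in APK link"
    return True, parts.hostname

if __name__ == "__main__":
    # Constructed sample inputs; famoc.example.com and the token are placeholders.
    samples = [
        '{"enrollment_type":"credentials, bootstrap_code"}',
        '{"enrollment_type":"credentials,bootstrap_code"}',       # missing space
        '{\u201cenrollment_type\u201d:\u201ccredentials\u201d}',  # curly quotes
        "",
    ]
    for s in samples:
        print(repr(s), "->", check_custom_json(s))
    print(check_apk_link("https://famoc.example.com/kme/index.php/PLACEHOLDER-TOKEN"))
    print(check_apk_link("http://famoc.example.com/kme/index.php/PLACEHOLDER-TOKEN"))
```

An empty field is reported as valid because the page documents its effect, but it is worth confirming that silent enrollment is the intended outcome before saving the profile.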


  6. User actions on device

When the device is not enrolled in the FAMOC EMM and you want to enforce KME with a Device Admin profile without wiping the device, go to https://me.samsungknox.com and click the Next button. If the device is connected to KME and added to FAMOC MDM, it will automatically connect these two services without requiring a wipe (Base Agent 3.24.0+ required).


It is possible to enroll up to 10,000 devices using Knox Mobile Enrollment.

  1. For out of box enrollment, turn on your device and connect to the Internet.

  2. When you receive a prompt to Enroll with Knox, tap Continue. 

  3. Read the SECURITY STATEMENT and the Knox PRIVACY POLICY and tap I agree to all of the above; tap Next.




  4. Your credentials are validated and your device is enrolled in your organization’s enterprise IT environment.


Possible scenarios: 

  1. When Device enrollment with additional JSON is chosen, the user will have to provide a login and password, and/or a bootstrap code generated by the FAMOC administrator.

{"enrollment_type":"credentials, bootstrap_code"}

Valid enrollment_type values:

"credentials"

"bootstrap_code"

"credentials, bootstrap_code"


  2. A problem with the KME configuration.

  3. A Samsung server problem might have occurred.


Once all steps have been completed, you should see the name of your organization in FAMOC Base Agent. This means that the device has been enrolled correctly and is ready to work.


Note:

Chapters 2, 3 and 4 are described in detail here:

https://docs.samsungknox.com/KME-Getting-Started/Content/about-kme.htm

https://www.samsungknox.com/en/solutions/it-solutions/knox-mobile-enrollment