What is Knox Mobile Enrollment (KME)?

Knox Mobile Enrollment is the quickest and most automated way to enroll a large number of devices to your FAMOC for corporate use. After adding your device to the dedicated KME platform, it will automatically attempt to complete integration with MDM platform until enrollment finishes with success. After the device wipe, KME will also start automatic re-enrollment process. 

For more information visit Samsung KME page 

https://www.samsungknox.com/en/solutions/it-solutions/knox-mobile-enrollment

Requirements for KME

To use Knox Mobile Enrollment, you need:

• A Samsung account. For more information, go to: Create your Samsung accounts.

• A Knox Portal account. For more information, go to: Create your Samsung accounts.

• Samsung Knox devices running Knox version 2.6 or higher. List of supported device below:
  

https://www.samsungknox.com/en/knox-platform/supported-devices/

• [ON-PREMISE] The correct firewall exceptions needed to extend beyond your local and protected network domain and securely connect to the Knox Mobile Enrollment server. For more information, go to: Firewall exceptions.

• A KME supported browser (Internet Explorer, Firefox, and Chrome). Internet Explorer is not recommended if using an on-premise MDM.

• Permission to access Knox Mobile Enrollment features by request access on Knox Mobile Enrollment. For more information, go to Getting KME access.

KME process overview and workflow

Enterprise IT admins purchase devices from carriers, resellers, or distributors and provide their unique customer IDs. The devices are validated for correctness by their sellers in KME, and shipped to end users who open the box and boot their device.

Refer to the following describing the KME process flow activities within the illustration above:

1. An IT Admin and Reseller/Carrier create accounts in KME and RP respectively. They then exchange their IDs within KME using the Customer ID and Reseller ID.

2. The Enterprise IT Admin purchases devices from their Reseller/Carrier.

3. The Reseller uploads the list of purchased device IDs to the Reseller Portal.

4. The device ID list is shared between the Reseller Portal and KME.

5. The IT Admin is notified by email that their Reseller/Carrier has uploaded their devices.

6. The IT Admin approves the device upload. Approvals can be made automatically for trusted Resellers/Carriers.

7. The IT Admin configures the devices by assigning them to a MDM profile and optionally adding username/password information to each device. Devices can be automatically assigned to a profile.

How to add devices to KME portal

Go to http://www.samsungknox.com/en and sign in to your account.

After entering the data, you will log into the KME administrator portal.

1. Device purchased from official reseller 

When a device is purchased from a reseller, the reseller can automatically upload the device to your KME account. The uploaded devices display within the DEVICES > Uploads page.

The Resellers screen displays a list of resellers, their corresponding reseller ID, default enrollment profile and upload approval preference. Each reseller displays as a link that can be selected to edit that reseller's profile and approval preferences.

More information on link below:

https://docs.samsungknox.com/admin/knox-mobile-enrollment/Register_resellers1.htm

2. Adding device to KME manually using KNOX Deployment APP without official reseller

Knox Deployment App that can be downloaded from Google Play Store

This section describes the screen flow navigation for a typical enrollment using the Knox Deployment App.

1. Select SIGN IN once the Knox Deployment App launches on the device.

2. NOTE — If the Knox Deployment App is already running on the device, the initial screen does not display, and the application displays the sign in screen.
   
   

3. Enter the Knox Portal Username and Password to login into the Knox Deployment App.

4. Select Remember me to display and utilize the username in subsequent Knox Deployment App logins.

5. NOTE —If you encounter difficulty logging in to the Knox Deployment App, ensure you have either a valid Knox Portal account with privileges for KME. If that is not the issue, select Forgot your email or password? for assistance retrieving your login credentials. Select SIGN IN to proceed with the device login.

Once you have successfully logged into the Knox Deployment App, a WELCOME screen displays providing first-time options for profile selection and deployment mode.

NOTE — Once the Knox Deployment App profile selection and configuration mode are set, the selected options display within their respective fields, the START DEPLOYMENT option enables, and the Welcome portion of screen no longer displays in subsequent logins.

Select a profile to apply specific device settings to a master/admin device using to enroll end user devices.

To select a configuration profile using the Knox Deployment App:

1. Select Tap here to select a profile from the Welcome screen to display a list of profile selection options.

2. Optionally filter whether All profiles are listed for potential selection or just Knox Configure or Knox Mobile Enrollment defined profiles. 

3. If there are no profiles available, a profile requires creation using the Knox Mobile Enrollment. Described in Creating profile in FAMOC

4. Select a listed profile. Once selected, the profile displays upon subsequent logins. The profile is now ready for Bluetooth, NFC, or Wi-Fi Direct deployment mode selection as described in the sections that follow.

After beaming enrolment information, go to Devices -> All Devices tab, where a new record has been created. You can check enrolment method by hovering cursor on the submitted date.

FAMOC and Knox Mobile Enrollment integration

Log in to your FAMOC account and choose one of two possibilities. 

1. Go to Settings -> Android -> Samsung KME and press Bulk Enrollment

2. Or using second method from device tab

Click on the DEVICES tab, then hover over icon and choose Bulk enrollment, and Samsung KME.

KME configuration in FAMOC (Device Owner)

Each method from the previous section will open a short configurator. 

1. Sign in to Knox Mobile Enrollment Portal with your Samsung Account credentials. 

2. Go to Profiles, click Create Profile and select type - ANDROID ENTERPRISE from the profile types.

3. Enter the Profile Name, Description optional), select Let MDM choose to enroll as a Device Owner or Profile Owner and choose FAMOC from MDMs list

Paste MDM Server URI using copy button:

Example format for URI: xxx.xxxxxx.xxx/

4. Add link to FAMOC APK using copy button:

Example format for APK link:

https://xxx.xxxxxx.xxx/kme/index.php/S4hShnevBYtvhmWafrheFsSmX1k6yL6Q

5. [OPTIONAL] To enroll device with user credentials or bootstrap code in Device Owner from KME, administrator is obligated to provide custom JSON data in MDM profile. JSON should look like:

{"enrollment_type":"credentials, bootstrap_code"}

Valid enrollment_type values:

"credentials"

"bootstrap_code"

"credentials, bootstrap_code"

If custom JSON data will be not provided by administrator, device will be enrolled silently, or both enrollment options (credentials, bootstrap code) will be displayed to the user if there is no CSV record for this device.

If you wish to require the user to provide credentials or enrollment code during the process you also have to add to JSON one of the following values.

JSON that should be passed to the KME portal should contain a 'webview_key' parameter when selecting one of the WebView options (credentials or enrollment code).

e.g. When selecting the authentication method: user credentials and enrollment method: fully managed, JSON should look like that:

{"provisioning_mode":"do", "web_view_key":"GENERATED_WEB_VIEW_KEY"}.

For WPC devices and WebView option selected:

{"provisioning_mode":"wp", "web_view_key":"GENERATED_WEB_VIEW_KEY"}

For COSU devices and WebView option selected:

{"provisioning_mode":"cosu", "web_view_key":"GENERATED_WEB_VIEW_KEY"}

"WebView key" will be generated and shown on the Samsung KME integration modal.

6. Press Next and go to Devices -> All Devices on Samsung KME portal and download devices as CSV.

7. Drop your CSV or choose a file from local storage.

8. Choose Default user or Device Groups for imported devices. Select Authentication method and Enrollment method (remember to add appropriate values to the JSON configuration on KME portal) and press Next.

9. List of successfully imported devices will be shown: 

10. Press Next and click on Download device list button. 

11. Go back to Samsung KME portal, select Bulk Actions -> Bulk Configure and upload a CSV file downloaded from FAMOC.

12. Additional popup will apreat if Bulk Configuration was submitted correctly. 

13. Go back to FAMOC and press close

14. Choose the option “Go to device list” to see newly imported list. 

After the device wipe or its initial setup, the device will enroll to FAMOC automatically.

KME configuration in FAMOC (Device Admin)

NOTE: The DEVICE ADMIN management method is an older method compared to the DEVICE OWNER. You can still use it, but it is suggested that you use the DA method to take advantage of all the management capabilities of Android devices.

1. Sign in to Knox Mobile Enrollment Portal with your credentials. 

2. Go to Profiles, click Create Profile and select type - DEVICE ADMIN from the profile types.

3. Enter the Profile Name and Description (optional).

4. Paste MDM Server URI using copy button:

Example format for URI: xxx.xxxxxx.xxx/

5. On the next page click Add MDM apps and paste the link copied from FAMOC manage 

Next steps are the same as in the previous (ANDROID ENTERPRISE) method.