Android Enterprise VI: Knox Mobile Enrollment
Knox Mobile Enrollment
Samsung Knox Mobile Enrollment is Samsung's counterpart to the Apple Device Enrollment Program and/or Android Zero Touch Enrollment. Overall, Knox Mobile Enrollment saves IT departments and users the tedious manual configuration of proprietary Samsung smartphones and tablets. Devices are pre-configured online with the settings desired by an administrator. When booting for the first time, the devices check whether a configuration is assigned to them and, if so, download the (pre-configured) Matrix42 Silverback Companion app, which guides the user through the rest of the setup.
- IT administrators can configure newly arrived devices to download Matrix42 Silverback Companion automatically.
- Your company stays in control of its devices at all times - even after factory resets.
- End users who receive a boxed device just need to connect to a network and finish the enrollment.
Requirements
- Successfully completed Android Enterprise Integration
- Reviewed the Knox Mobile Enrollment FAQ
- Successful Knox Mobile Enrollment Registration
- Configured KME firewall exceptions
Login
- Open https://www.samsungknox.com/
- Select Sign in
- Sign in with your Samsung Account
- e.g. silverback@imagoverum.com
- e.g. Pa$$w0rd
Create a Profile
- From the Knox Admin Portal, select Knox Mobile Enrollment
- Select Profiles
- Press Actions and select Create Profile
- Enter a Profile Name, e.g. Silverback KME
- Enter a Description, e.g. Silverback Default Profile (optional)
- Enter your Company Name
- Enter your Support email
- Enter your Support phone number
- Press Next
- Under Pick your MDM select Matrix42 Silverback
- Wait until the verification is finished
- Keep the MDM Server URI empty (optional, please refer to DPC Extras)
- If you enable "This EMM APK is privately hosted on an intranet server", use the following information:
- You can download the latest APK from here: https://play.google.com/managed/down...ifier=matrix42
- Admin component name: com.silverbackmdm.epic.companion.ss/com.silverbackmdm.epic.DeviceMdmReceiver
- Admin package signature checksum: mqoNjgDp_qAkeHhEj3EcO2oD69YhX3fLY4dbQJ-gx_0
- EMM app Name: Companion
- Proceed with Next
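When the APK is privately hosted, the copy on the intranet server should be signed with the certificate that the Admin package signature checksum above refers to. The following added example (not Matrix42 or Samsung code) assumes the field follows the Android provisioning convention: the SHA-256 digest of the signing certificate, URL-safe base64 encoded without padding. It converts a certificate fingerprint, as signing tools usually print it in hex, into that form and compares it with the value from this page; the certificate bytes in the demo are constructed.

```python
import base64
import hashlib
import re

# Checksum printed on this page for the Matrix42 Companion package.
PAGE_CHECKSUM = "mqoNjgDp_qAkeHhEj3EcO2oD69YhX3fLY4dbQJ-gx_0"


def _b64url_nopad(digest: bytes) -> str:
    # URL-safe base64 with the trailing "=" padding removed
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def checksum_from_cert_der(cert_der: bytes) -> str:
    """Checksum of a DER-encoded signing certificate."""
    return _b64url_nopad(hashlib.sha256(cert_der).digest())


def checksum_from_fingerprint(fingerprint: str) -> str:
    """Convert a hex SHA-256 fingerprint (colons or spaces allowed)."""
    digest = bytes.fromhex(re.sub(r"[:\s]", "", fingerprint))
    if len(digest) != 32:
        raise ValueError("not a SHA-256 fingerprint")
    return _b64url_nopad(digest)


def is_well_formed(checksum: str) -> bool:
    """True if the string is 43 base64url characters that decode to 32 bytes."""
    if not re.fullmatch(r"[A-Za-z0-9_-]{43}", checksum):
        return False
    return len(base64.urlsafe_b64decode(checksum + "=")) == 32


def matches(expected: str, actual: str) -> bool:
    """Compare the configured checksum with one computed from the hosted APK."""
    return is_well_formed(expected) and expected == actual


if __name__ == "__main__":
    der = b"constructed bytes, not a real certificate"
    fingerprint = hashlib.sha256(der).hexdigest()
    print(checksum_from_fingerprint(fingerprint) == checksum_from_cert_der(der))
    print(matches(PAGE_CHECKSUM, checksum_from_cert_der(der)))  # different cert
```

A mismatch means the hosted file is not signed with the certificate the profile expects and should not be published until that is explained.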
Configure Profile
- Add your DPC extras (optional)
- Disable or leave all system apps enabled
- Configure the Enrollment screens (optional)
- Add Privacy Policy, EULAs and Terms of Service (optional)
- Upload a Root and intermediate certificate (optional)
- Disable the Enrollment screens options (optional)
- Enable and configure Advanced settings (optional)
- Press Next
- Review and, if needed, edit your configuration
- Press Create
- If you are using Advanced settings, confirm the information message
- Review again the DPC extras below and proceed with Knox Deployment
DPC Extras
Knox Mobile Enrollment makes it possible to configure Device Policy Controllers remotely. The Matrix42 Companion application supports remote configuration of enrollment settings for users, which ensures a smooth enrollment on the devices in use. Depending on your needs and your desired enrollment flows, the following options are available. They require different settings during profile creation or a specific DPC extras configuration:
Require Pending Enrollment Generation
If you want to ensure that users or administrators must first generate a One Time Password on a second device, keep the DPC extras field empty. In this case, either administrators initiate the enrollment from the Silverback Management Console with the Provision or Bulk Provision User functionality, or users start the enrollment process through the Self Service Portal, upfront or during the out-of-the-box experience, with a second device. During the device enrollment setup, the device downloads the Matrix42 Companion and users are required to enter their enrollment credentials inside the Matrix42 Companion. In any case, users must receive their enrollment information upfront, or at the latest when they have to enter their credentials inside Matrix42 Companion.
Start with Self Service Portal
This option lets you add the address of your Silverback Self Service Portal to the configuration field, so that users are forwarded directly to the Self Service Portal inside the Companion during the enrollment and finish the enrollment with Local User Accounts, Active Directory or Azure Active Directory credentials.
For this, adjust and add the DPC extras field with the following custom configuration:
Enrollment Option | Custom Configuration |
---|---|
Enrollment with Self Service Portal | {"server_url":"https://silverback.imagoverum.com"} |
Bulk Enrollment with a Service Account
You can use this mechanism to provide a fully authenticated device enrollment for non-personalized devices in combination with the Bulk Staging Mode. For this, adjust and add the following custom configuration into the DPC extras field:
Enrollment Option | Custom Configuration |
---|---|
Enrollment with preset Authentication | {"server_url":"https://silverback.imagoverum.com","user_name":"tim.tober@imagoverum.com","otp":"4444"} |
Bulk Enrollment with individual accounts
This option lets you fully automate the authentication process for users inside the Matrix42 Companion application with a bulk configuration. Administrators can use the Bulk Provision User functionality in Silverback and upload a *.csv file containing device identifiers (IMEI or Serial Number) from the Knox Mobile Enrollment portal and authentication information from Silverback (Usernames + One Time Passwords). During the process, each device receives the authentication information stored in the Knox Mobile Enrollment portal, based on the authentication information created in Silverback and on the uploaded *.csv file. Please refer to Bulk Enrollments with Samsung Knox Mobile Enrollment for additional information.
In this scenario, you need to add your MDM Server URI (your Silverback URL) during the Knox Mobile Enrollment Profile creation and keep the MDM configuration empty.
Single Enrollments with individual accounts
Another option is to create a single pending enrollment in Silverback with the Provision User functionality and add the Username and One Time Password to the device information in the Knox Mobile Enrollment portal. After opening the device information, set the User ID to the corresponding Silverback Username and the Password to the One Time Password generated in Silverback.
In this scenario, you need to add your MDM Server URI (your Silverback URL) during the Knox Mobile Enrollment Profile creation and keep the MDM configuration empty.
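The DPC extras field takes raw JSON, and a pasted value with curly quotes, a misspelled key or an http:// address is easy to miss until a device fails to enroll. The following added example (not part of Silverback or the Knox portal) checks a value before it is pasted into the profile. It knows only the three keys shown in the tables above; treating other keys as mistakes and requiring user_name and otp together are assumptions of this sketch.

```python
import json
from urllib.parse import urlsplit

# Keys that appear in this page's examples. Treating other keys as mistakes and
# requiring user_name with otp are assumptions, not documented Companion behaviour.
KNOWN_KEYS = {"server_url", "user_name", "otp"}


def lint_dpc_extras(text: str) -> list[str]:
    """Return findings for a DPC extras string; an empty list means nothing to flag."""
    if not text.strip():
        return []  # empty field is valid: credentials are supplied another way
    try:
        extras = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    if not isinstance(extras, dict):
        return ["top level must be a JSON object"]

    findings = [f"unknown key {k!r}" for k in sorted(set(extras) - KNOWN_KEYS)]
    for key, value in extras.items():
        if not isinstance(value, str) or not value:
            findings.append(f"{key!r} must be a non-empty string")

    url = extras.get("server_url")
    if url is None:
        findings.append("missing 'server_url'")
    elif isinstance(url, str):
        try:
            parts = urlsplit(url)
            ok = parts.scheme == "https" and bool(parts.hostname)
            creds = bool(parts.username or parts.password)
        except ValueError:
            ok, creds = False, False
        if not ok:
            findings.append("'server_url' must be an https:// URL with a host")
        if creds:
            findings.append("'server_url' must not embed credentials")

    if ("user_name" in extras) != ("otp" in extras):
        findings.append("'user_name' and 'otp' must be set together")
    if "otp" in extras:
        findings.append("OTP is stored in clear text in the profile")
    return findings


if __name__ == "__main__":
    # Constructed input: curly quotes pasted from a word processor.
    print(lint_dpc_extras('{“server_url”:“https://silverback.imagoverum.com”}'))
```

The last finding is informational: it marks profiles that use the service-account option, so access to them in the Knox Admin Portal and the lifetime of that One Time Password can be reviewed.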
Knox Deployment
After creating the profile, you can either add devices to Knox Mobile Enrollment manually or let your hardware vendor add them. To add devices manually, proceed with Deploy Profile; to let a reseller add purchased devices, proceed with Add a Reseller.
Deploy Profile
- Pick a Samsung Device
This device will be your master device for manually adding devices to Knox Mobile Enrollment
- Download the Knox Deployment application from Google Play
- Open Knox Deployment
- Sign in with your Samsung Account
- Review the Privacy Notice and accept the Terms and Conditions and Special terms
- Proceed with Agree
- Select Profile
- Select your previously created Profile
- Select Deployment mode
- Bluetooth (recommended)
- Wi-Fi Direct
This method is used to transfer the profile to desired devices
- Select Wi-Fi for deployed devices
- Select an available network
- Enter your Wi-Fi password
- Click OK
- Proceed with the Bluetooth Deployment or the Wi-Fi Direct deployment
Bluetooth Deployment
Bluetooth makes it possible to deploy profiles to multiple devices. As our recommended path we will guide you through the process.
Knox Deployment
- Starting from the Knox Deployment application
- Ensure that you have selected your created profile and your Wi-Fi for deployed devices
- Select Bluetooth inside the Deployment mode section
- Select the Bluetooth duration and accept pairing requests automatically (optional)
- Press OK
Target Device
- Take your new Samsung device (it must be factory wiped)
- Boot the target device that you’re adding through the Knox Deployment app.
- Draw a plus-sign (+) gesture on the device’s Welcome screen to initiate the deployment. This step allows you to skip the Setup wizard.
- Select your Language
- Press Next
- Select Bluetooth
Start Deployment
- Now return to your Knox Deployment application
- Press Start Deployment
- Accept (if prompted) the Bluetooth pairing request on both devices
- When the download is finished, review the Privacy Policy and agree to the End User License Agreement
- Press Next
- Follow the instructions given by the operating system and enroll your device to Silverback
Knox Mobile Enrollment
- Meanwhile navigate back to Knox Mobile Enrollment
- Navigate to Devices
- Select All Devices
- You should now see your newly added device
Wipe the Device
- After the successful enrollment, perform a factory wipe of the device
- From the Welcome Screen, select your Language and press Next
- Proceed with the regular process inside the Setup Wizard; you will see that the device is now successfully linked to Knox Mobile Enrollment
- You can now re-enroll the device. Because the device is linked to Knox Mobile Enrollment, a user will always be forced to go online and enroll the device after any factory reset
Add a Reseller
To automate the process of adding devices to your Knox Mobile Enrollment, get in contact with your reseller and provide your Knox Customer ID.
- Open Samsung Knox Mobile Enrollment Console
- Navigate to Resellers
- Note your Knox Customer ID
- Click Register Reseller
- Enter Reseller ID
- Proceed with the process
Next Steps
- Review Samsung Knox Deployment App
- Use the Knox Service Plugin to configure your devices