Samsung Knox Mobile Enrollment (KME) in Android Management API

View Only

Samsung Knox Mobile Enrollment (KME) in Android Management API

By Amee Doshi posted 17 days ago

Like

This guide provides a comprehensive step-by-step process for enrolling corporate-owned Samsung devices through Samsung Knox Mobile Enrollment (KME) within the Android Management API framework. IT administrators can efficiently onboard multiple Samsung devices without the necessity of manual configuration for each. KME ensures automatic enrollment as soon as end users power on their devices and establish a connection to a Wi-Fi or cellular network. Additionally, devices have the option of enrollment through Bluetooth or NFC when utilizing the Knox Deployment App.

Prerequisites:

Samsung devices running Knox 3.0 or later.
Registration for a Samsung Knox Account via the following URL: https://www.samsungknox.com/en#register.
Addition of Samsung devices to the Knox Admin Portal using one of the following methods:

1. Samsung-approved resellers: If your Samsung devices are procured through a Samsung-approved reseller, those resellers will upload the devices to your KME console. For detailed instructions on registering a reseller and configuring reseller preferences, refer to this link.
2. Knox Deployment app: If your Samsung devices were not obtained through an authorized reseller, you can add them to the KME console via the Knox Deployment app. For further details about the Knox Deployment app, please consult this resource.

Creating an enrollment configuration in the MaaS360 Portal :

It allows you to pre-configure details for users during the enrollment process. This configuration data is then downloaded in JSON format and uploaded to the Knox Admin Portal, reducing the need for user interaction during device setup. Follow these steps to create an enrollment configuration:

Navigate to the MaaS360 Portal Home page and select "Devices" > "Enrollments".
Click on "Other Enrollment Options" > "Android" > "Android Device Enrollment" to open the Android Device Enrollment wizard.

Provide the following details.

Android Mode: Choose "Modern Android Enterprise".
Enrollment Mode: Select "Samsung Knox Mobile".
Device Management: Choose one of the following options:
Device Owner (Dedicated device or Kiosk mode)
Work Profile on Corporate-Owned Device
Device Ownership: Select from the following options:
Corporate Owned
Corporate Shared

3. In the " Add User Details" section, provide the following details: These details will be auto-populated for users during the enrollment process. If you want to skip the authentication screen during device enrollment, provide the username, password, and domain of a MaaS360 portal user account. Ensure that these authentication details match the username, password, and domain in a MaaS360 portal user account.

4. In the "Add Additional Settings" section, provide the following details:

Prompt for device name: If set to "Yes", prompts the user to provide a custom device name during the enrollment process.
Allow user to skip enrollment: If set to "Yes", prevents users from skipping device enrollment screens.
Disable system apps: For KME enrollments, utilize the "System Applications" setting in the Knox Admin portal to enable or disable system apps.
Locale and Timezone: Applies the selected locale and timezone settings on the device.
Additional Attributes: These attributes enable configuration of advanced device enrollment settings supported by MaaS360. For the list of supported attributes, refer to the Additional Android Enterprise Enrollment Attributes - IBM MaaS360 Documentation.

5. Provide the following details in the Wi-Fi Settings section: Configure Wi-Fi profile details. When Wi-Fi profile is pushed to the device, the devices automatically connect to that Wi-Fi during the enrollment process.

6. Click on Create Button. The Samsung Knox Mobile Enrollment window is displayed. You can Download or copy the JSON text which includes enrollment configuration for the KME enrollment. With this generated JSON , we are going to create one profile in Knox Admin Portal.

Creating Android Enterprise profile in Knox Admin Portal :

You can create an Android Enterprise AMAPI profile in the Knox Admin Portal to customize your device enrollment. When creating a profile, you need JSON data that was downloaded from the MaaS360 Portal.
To create a profile for Android Enterprise in the Knox Admin Portal follow these steps:

Sign in to the Knox Admin Portal using this link: https://central.samsungknox.com/login-navigator.
On the left navigation pane, select "Profiles," then click "Actions" on right side and click "Create Profile."

. 3. Choose the "Android Enterprise" profile type.

4. Provide the following details:

Profile Name: Enter a name for your profile.
Pick your EMM: Select "Other."
EMM agent APK: You can access the EMM agent APK for IBM MaaS360 from the Google Play Store using the following link: https://play.google.com/managed/downloadManagingApp?identifier=setup

5. Custom JSON Data: Paste the JSON string that you copied from the JSON file downloaded from the MaaS360 Portal in the previous steps.

6 . Under "Device settings," you can configure "System applications" and provide your company name and then Click on Create Button to create the profile.

Assigning profile to devices in Knox Admin Portal :

After creating the MDM profile, you can assign that profile to single or multiple devices that are added in your Knox Admin Portal.

Follow these steps to assign an MDM profile to devices:
1.    Sign in to the Knox Admin Portal. https://central.samsungknox.com/login-navigator
2.    Navigate to the Devices section.
3.    Select the devices that you want to assign the profile to.
4.    Assign a profile:
i) Single device: Click IMEI/MEID and select the desired profile from the Profile list.
ii) Multiple devices:
   a.    Select the devices that you want to assign the profile to.
   b.    Click Actions > Configure devices. The Configure selected devices window is displayed.
   c.    Assign a profile to the selected devices in Modify Profile of selected devices and then Click Save Button.

How to Push the created profile to the Samsung device follow below steps :

In one Samsung device we need to download the application from playstore (Device-1) https://play.google.com/store/apps/details?id=com.samsung.android.knox.enrollment) (Note : for this step we need to have two of the Samsung device )
Login with the above provided Samsung credentials .
Both devices should be connected through Bluetooth
Go to (me.samsungknox.com) on the device to be enrolled (Device-2) >>NEXT
Push the Profile created on the portal from the Device -1 to the Device -2
Go to the Samsung Portal https://central.samsungknox.com/login-navigator check the Device 2 should have been added in the “Devices “ section
Factory Reset the device (Device -2 )
The device should get enrolled with KME enrollment on Samsung portal

End user enrollment steps :

Step 1: Prepare devices for enrollment

The device should be in factory reset condition or a fresh device before starting this.End users need to connect to the network to initiate the enrollment process.

Step 2: Start the device and the enrollment

Initiate KME-based enrollment, the device must first be registered on the KME portal. This enables automatic fetching of profile details upon enrollment commencement. Users simply need to click "Next" and "Continue" to proceed with the process.

Following device registration, users will be prompted to install work applications and register with the MDM profile, facilitating the completion of your KME enrollment.

0 comments

38 views

IBM Security

Join our 16,000+ members as we work together to
overcome the toughest challenges of cybersecurity.

IBM Security MaaS360