Using Samsung Knox Mobile Enrollment with Microsoft Intune

This week is all about using Samsung Knox Mobile Enrollment (KME) for automatically enrolling Samsung Knox devices into Microsoft Intune. The idea of Samsung KME is similar to Windows Autopilot and Apple ADE. It’s all about streamlining the enrollment experience for corporate-owned devices. By using Samsung KME in combination with Microsoft Intune, a smooth out-of-the-box experience enables users to be up-and-running in no time. That can be achieved by uploading Samsung Knox devices in Samsung KME and assigning MDM profiles to those devices. This post will start with the important prerequisites, followed with the steps for creating a MDM profile in Samsung KME. This post ends with assigning the MDM profile to devices in Samsung KME and a quick look at the user experience.

Note: Unlike Apple ADE, Samsung KME doesn’t synchronize devices to Microsoft Intune. That means that the MDM profile assignment must be performed via Samsung KME to make sure that the uploaded Samsung Knox devices know where to perform their MDM enrollment.

Prerequisites for using Samsung Knox Mobile Enrollment with Microsoft Intune

When configuring Samsung KME to automatically enroll Samsung Knox devices into Microsoft Intune, there are a few things that should be in place.

  • A Microsoft Intune environment and licenses
  • An enrollment profile for corporate-owned Android devices in Microsoft Intune
    • That enrollment profile can be for dedicated devices, fully managed devices and corporate-owned devices with work profile
  • A free Samsung KME environment
  • One or more Samsung Knox devices, running Knox version 2.4 or higher, uploaded in Samsung KME, which can be achieved by
    • Reseller uploads – an authorized Samsung reseller can directly upload purchased devices
    • Knox Deployment App – the Knox Deployment App can be used to manually upload devices via a NFC bump, a Bluetooth connection or a Wi-Fi direct connection
    • QR-code – a QR gesture is available for Android 10 and later devices to upload devices

Note: The Knox Deployment App nowadays always requires two devices. A primary device that is used to configure one, or more, secondary devices.

Create a MDM profile in Samsung Knox Mobile Enrollment

Once the prerequisites are in place, a MDM profile can be created in Samsung KME. That profile can be used to assign the MDM enrollment behavior to the out-of-the-box experience of Samsung Knox devices. From a very high-level perspective that means that a user turns on the device, the device checks in with Samsung KME and Samsung KME tells the device where to go for the MDM enrollment. To configure a MDM profile, simply follow the next five steps.

  1. Open the Samsung Knox Mobile Enrollment portal and navigate to MDM Profiles
  2. On the MDM Profiles page, click CREATE PROFILE to open the CREATE NEW PROFILE wizard
  3. On the Select profile type page, select ANDROID ENTERPRISE (as shown in Figure 1) to let the MDM choose to enroll as Device Owner or Profile Owner

Note: It’s also possible to create a MDM profile for DEVICE ADMIN as a legacy method for managing Android devices. As the preferred route nowadays should be ANDROID ENTERPRISE, for most scenarios, this post won’t describe the steps for the legacy method.

  4. On the Android enterprise profile details – Define your profile details. Contact your MDM for the information page, specify the following information (as shown in Figure 2) and click CONTINUE
  • Profile Name: Specify a name for the MDM profile to distinguish it from other similar profiles
  • Description: (Optional) Specify a description for the MDM profile to further differentiate the profiles
  • Select Let MDM choose to enroll as a Device Owner or Profile Owner to enable Microsoft Intune to choose the owner type during the enrollment
  • Pick your MDM: Select Microsoft Intune to preconfigure the information below automatically
  • MDM Agent APK: Automatically set to https://play.google.com/managed/downloadManagingApp?identifier=setup based on the selection of Microsoft Intune as MDM
  • Do not select This MDM APK is locally hosted on an intranet server as Microsoft Intune relies on the Android Device Policy that is available in Google Play store
  • MDM Server URI: Leave the MDM server URI empty as Microsoft Intune relies on the Android Device Policy that is available in Google Play store
  5. On the Android enterprise profile settings page – Set MDM configuration and device settings page, specify the following information (as shown in Figure 3) and click CREATE
  • Custom JSON Data (as defined by MDM): Specify {"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN":"{YourEnrollmentToken}"} as value to make sure that the Android Device Policy will enroll the device with the correct Microsoft Intune tenant

Important: The value for {YourEnrollmentToken} can be taken from the enrollment profile in Microsoft Intune. Navigate to the Android enrollment profiles, select the required enrollment profile and use the token of that enrollment profile.

  • Root/intermediate certificate: (Optional) Specify a root/intermediate certificate that should be installed prior to the Microsoft Intune enrollment

Note: With Android 9, the root and intermediate certificates are installed in the device default keystore and with Android 10 and later, the root and intermediate certificates are also installed in the VPN and App keystores.

  • Dual DAR: (Optional) Select Enable Dual DAR to enable DualDar during the Samsung KME enrollment

Note: DualDar is a Samsung Knox solution that adds an additional layer of encryption and requires additional licensing and devices running Samsung Knox 3.4 or later.

  • QR code for enrollment: (Optional) Select ADD A QR CODE to generate a QR-code for enrolling devices with this MDM profile during the out-of-the-box experience

Note: QR-code enrollment is an additional method to upload Samsung Knox devices with Android 10 or later to Samsung KME, by using the plus-sign gesture on the Welcome screen.

  • System applications: Select Leave all system apps enabled to ensure that all pre-installed system apps are available to the profile

Note: When this option is not selected, only a limited set of default system apps will be available.

  • Privacy Policy, EULAs and Terms of Service: (Optional) Select ADD LEGAL AGREEMENT to add organization specific EULA that should be displayed to the user

Note: Keep in mind that Microsoft Intune provides similar functionalities.

  • Company Name: Specify the name of the organization that will also be displayed during the enrollment
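The Custom JSON Data value in step 5 is the one setting in the MDM profile that ties the device to the right Microsoft Intune tenant, and it is easy to get wrong: a token pasted with typographic quotes from a document, the {YourEnrollmentToken} placeholder left in place, or a stray key. The following Python script is an added example and not part of the original post or of Samsung KME or Microsoft Intune; it builds the value from an enrollment token and checks a pasted value before it goes into the portal. The token ABCDEF1234 used in it is a constructed sample, not a real Intune enrollment token.

```python
import json
import re

# Key that Android Device Policy reads from the KME Custom JSON Data during enrollment
ENROLLMENT_TOKEN_KEY = "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN"
# Placeholder used in the post; it must be replaced with the token of the Intune enrollment profile
PLACEHOLDER = "{YourEnrollmentToken}"
# Typographic quotes that a word processor or web page may substitute for ASCII double quotes
SMART_QUOTES = "\u201c\u201d\u2018\u2019"


def build_custom_json(enrollment_token: str) -> str:
    """Return the Custom JSON Data value for a KME MDM profile pointing at the given Intune token."""
    token = enrollment_token.strip()
    if not token or token == PLACEHOLDER:
        raise ValueError("an actual Microsoft Intune enrollment token is required")
    # Compact JSON with ASCII quotes, exactly as the portal field expects it
    return json.dumps({ENROLLMENT_TOKEN_KEY: token}, separators=(",", ":"))


def check_custom_json(value: str) -> list:
    """Return a list of problems found in a pasted Custom JSON Data value (empty list means OK)."""
    problems = []
    if any(ch in value for ch in SMART_QUOTES):
        problems.append("contains typographic quotes; replace them with ASCII double quotes")
        # Normalize so the remaining checks can still run on the intended content
        value = re.sub(f"[{SMART_QUOTES}]", '"', value)
    try:
        data = json.loads(value)
    except json.JSONDecodeError as exc:
        problems.append(f"not valid JSON: {exc.msg}")
        return problems
    if not isinstance(data, dict):
        problems.append("top level must be a JSON object")
        return problems
    if ENROLLMENT_TOKEN_KEY not in data:
        problems.append(f"missing key {ENROLLMENT_TOKEN_KEY}")
        return problems
    token = data[ENROLLMENT_TOKEN_KEY]
    if not isinstance(token, str) or not token.strip():
        problems.append("enrollment token must be a non-empty string")
    elif token == PLACEHOLDER:
        problems.append("placeholder {YourEnrollmentToken} was not replaced with the Intune token")
    extra = sorted(k for k in data if k != ENROLLMENT_TOKEN_KEY)
    if extra:
        problems.append("unexpected extra keys: " + ", ".join(extra))
    return problems


if __name__ == "__main__":
    # Constructed sample token; take the real one from the Intune enrollment profile
    good = build_custom_json("ABCDEF1234")
    print("generated:", good, "->", check_custom_json(good) or "OK")
    # The value as it appears on a web page with curly quotes and the placeholder still in place
    pasted = "{\u201c" + ENROLLMENT_TOKEN_KEY + "\u201d:\u201d" + PLACEHOLDER + "\u201d}"
    for problem in check_custom_json(pasted):
        print("pasted value:", problem)
```

Run the script once with the token from the Intune enrollment profile substituted in; an empty problem list from check_custom_json is the value to paste into the Custom JSON Data field.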

Assign MDM profile to devices in Samsung Knox Mobile Enrollment

Once the MDM profile is created, the MDM profile can be assigned to Samsung devices that are uploaded into Samsung KME. Uploading those devices can be achieved by using any of the methods that are mentioned in the prerequisites. Often the upload will be performed by the reseller, after purchasing new Samsung devices from an authorised reseller. That’s also the easiest road for assigning MDM profiles. When opening the Samsung Knox Mobile Enrollment portal and navigating to Resellers, a reseller can be selected to configure the preferences. Those preferences contain the approval behavior for uploaded devices and the default assigned profile. To automate the process, select Auto approval and select the just created MDM profile as Default profile (as shown in Figure 4).

An alternative is manually approving uploaded devices and manually assigning MDM profiles. That can be achieved by opening the Samsung Knox Mobile Enrollment portal and navigating to Devices, selecting a device and configuring the MDM profile for that device.

User experience with Samsung KME

As mentioned in the introduction, the combination of Samsung KME with Microsoft Intune provides a smooth out-of-the-box experience and enables users to be up-and-running in no time. The user can turn on the Samsung Knox device and simply follow the onscreen instructions. There is no need for scanning QR-codes, NFC-bumping, or anything else that might confuse the user or that might prevent the user from having a smooth experience.

After turning on the Samsung Knox device, the user is welcomed and the device must connect to the Internet. Once connected, the device will reach out to Samsung KME and eventually end up with the Set up your device screen (see Figure 5). That screen is also shown during step 5 of the creation of the MDM profile (see Figure 3). That screen provides the user with the information about the enrollment and the notification that the Android Device Policy app will be used for managing and monitoring the device. After that screen, the normal enrollment experience of Microsoft Intune will start. The device will be set up for work and the user must sign in to register the device with Microsoft Intune, unless it’s a dedicated device, in which case no sign-in is needed.

More information

For more information about Microsoft Intune and Samsung KME, refer to the following docs.

8 thoughts on “Using Samsung Knox Mobile Enrollment with Microsoft Intune”

  1. Hi Peter,
    I followed your instructions and set everything up in the exact same way and still my device is not picking up that info. Already reset it 3 times to start from scratch.

    I got the token setup in Intune, the device has been added to the KME portal, the MDM profile has been created as per your explanation and assigned to the device.

    Is there something that I’m missing?

    Kind regards
    Julio

  2. Hi Peter,

    Any idea why Samsung devices randomly wipe themselves during the enrollment? We use Corporate-owned devices with work profile and Samsung Knox.
