Knox Mobile Enrollment

4
Device
Device
Device
Knox Manage supports various device enrollment methods. After successful user authentication and
login to Knox Manage, the devices are automatically enrolled and registered to their user accounts on
Knox Manage. Before enrolling devices, a user account must be created to register enrolled devices
to it. For more information on creating user accounts, see Creating user accounts.
After devices are enrolled and registered to the specific organization and group in the Admin Portal,
you can assign and apply various policies, applications, and content files to the organizations and
groups. You can also control the enrolled devices using the remote support feature and view the
detailed information on each enrolled device.
This chapter explains the following topics:
→→ Viewing the device list

→→ Viewing the device details
→→ Enrolling devices
→→ Managing devices
→→ Managing limited enrollment
→→ Checking the locations of the devices
→→ Viewing device logs
Device 87
Viewing the device list
Navigate to Device to view all the devices registered in the Knox Manage Admin Portal on the
“Device” page. You can also perform specific functions to the selected devices among the list.
On the device list, the personalized settings of the columns will be saved. The saved settings will be
retained before you delete the web browser’s cookies. You can also return the column settings to
their default settings by clicking Revert Column Settings.
Device 88
No. Name Description
Search for devices by device name, IMEI / MEID, user name,

1 Search field and status. Click Advanced Search to filter by device platform &
management type, enrollment type, security issue, etc.
Send the device commands to the selected device on the device

Device
list. For more information, see Sending device commands to
Command
devices.
Only devices that have the Report device location policy applied
Check Location can be checked. For more information, see Checking the
locations of the devices.
Remote Remotely control the selected device with the RS Viewer from
Support your computer. For more information, see Remote Support.
Function Manage Tag Add new tags to the selected devices on the device list.
2
buttons Update License Update the license of the selected devices on the device list.
Unenroll the selected devices on the device list. For more

Unenroll
information, see Unenrolling devices.
Delete Delete the selected unenrolled devices from the device list.
Bulk Add Tags Add bulk device tags using a template.
Export to CSV Download a list of devices as a CSV file.
Revert Column
Resets the column settings to the default settings.
Settings
View brief information for the enrolled devices on the list. You
can add more columns by clicking > Columns, and then
3 Device list clicking the checkboxes for the columns you want to add.
Information of the devices, such as model number, OS version,
and MAC address, can be viewed in the added columns.
Device 89
Viewing the device details
View each device’s details by clicking a device name (or tag) to on the device list. For more
information about the organization of the detail page, see Detail page.
Summary area
The summary area contains the information about the selected device such as device’s status, and
detailed information.
• Detail: View the detailed device’s user information. For more information about the “User Detail”
page, see Viewing the device details.
• See History: View the detailed histories of the device status.
Tab: Security
The Security tab shows the device’s detailed security status.
• Detail (Knox Manage Agent Policy): View the assigned and applies policies created by Knox
Manage Agent.
Tab: Device Information
The Device Information tab shows the device’s detailed information.
• Detail: Display additional device information at the bottom of the page.
Tab: Network
The Network tab shows the device’s detailed network status such as Wi-Fi and SIM information.
Note Wi-Fi Transfer Data and Network Transfer Data do not appear on Android 10 (Q) devices.
Device 90
Tab: Application
The Application tab shows the applications installed, assigned or controlled to the selected device. In
the Application tab, the following tabs are additionally provided.
Application tab Description
View the information of the installed applications to the device. The following
function buttons are available:
• Sync Installed App List: Update the installed application list.

Installed Application
• Install or Update: Select the application to install on the device or to update
if it is already installed.
• Export to CSV: Download a list of applications as a CSV file.
Assigned Application View the information of the assigned applications to the device.
Controlled Application View the information of the controlled applications to the device.
Tab: Profile
The Profile tab shows the detailed information on the profile and policies assigned to the selected
device.
Tab: Content
The Content tab shows the list of the content files assigned to the selected device.
Tab: Group / Organization
The Group / Organization tab shows the detailed information on the groups and organizations that
the selected device belongs to.
• Detail (Group): Move to the “Group Detail” page for the selected group. For more information on the
“Group Detail” page, see Viewing the group details.
• Detail (Organization): Move to the “Organization Detail” page for the selected organization. For
more information on the “Organization Detail” page, see Viewing the organization details.
Device 91
Tab: Command History
The Command History tab shows the history of device commands sent to the selected device. You
can also view the detailed information on the audit events for each device command.
• See Audit Event: View in detail the audit events that occurred while completing a device command.
The following function buttons are available:
Function button Description
Device Log Download the device logs.
Re-Request Re-request the requested device command on the list.
Function buttons in the footer
You can perform specific functions to the devices using the function buttons in the footer.
The following function buttons are available:
Function button Description
List Return to the device list.
View the audit log details for the selected device. For more information, see Viewing
Audit Log
audit logs.
Delete Delete the selected device.
Manage Tag Add new tags to the selected devices.
Remotely control the selected device with the RS Viewer from your computer. For
Remote Support
more information, see Remote Support.
Device 92
Enrolling devices
Enrolling devices
Select one of the following methods depending on the supported device type of the user’s device and
the enrollment types to install the Knox Manage application on user’s devices.
Enrollment type Method Supported device type
Send a Knox Manage application installation guide

to users via email or SMS through the Knox Manage
Single enrollment All devices
Admin Portal. For more information see Enrolling a
single device.
Use Knox Mobile Enrollment (KME) to enroll a large

number of Samsung devices. For more information,
Bulk enrollment Samsung devices
see Using Knox Mobile Enrollment (Samsung devices
only).
Use Zero Touch Enrollment (ZTE) to enroll a large

number of Android Enterprise (For non-Samsung Android Enterprise (For
Bulk enrollment
devices). For more information, see Using Zero Touch non-Samsung devices)
Enrollment (Android Enterprise devices only).
Use Apple’s Device Enrollment Program (DEP) to enroll

a large number of iOS devices. For more information,
Bulk enrollment iOS
see Using the Apple Device Enrollment Program (iOS
devices only).
Enrolling a single device

Send a Knox Manage application installation guide to users via email or SMS through the Knox
Manage Admin Portal. Also, users can directly download the Knox Manage application and enroll
their devices. For Android Enterprise (AE) devices, you can use a token or QR code to enroll the
devices.
Device 93
Enrolling general devices (Android Legacy, iOS and Windows)
Send a Knox Manage application installation guide to users via email or SMS through the Knox
Manage Admin Portal. Also, users can directly download Knox Manage application from their public
application stores.
Note Before enrolling devices, a user account must be created to register enrolled devices to it. For
more information on creating user accounts, see Creating user accounts.
1. Select one of the following methods to send the Knox Manage application installation guide to
users.
• Sending the Email_Agent Installation template to send QR code via email, allowing users
to install the Knox Manage application on their devices. For more information, see Sending
templates or user notifications to users via email.
• Sending the installation URL address or QR code via email or SMS. For more information, see
Sending enrollment guides to users via email and SMS.
Also, users can directly search for the Knox Manage Agent application from their public app
store and download it.
2. Install Knox Manage application by clicking the URL address or scanning the QR code depending
on the request methods, and then launch the Knox Manage application on the device.
3. On the log in screen, enter a user ID and password to sign in to Knox Manage. If you log in to Knox
Manage successfully, the profiles, policies and applications will be applied to the device.
Note For Android Legacy with Knox Workspace devices running Android 10 (Q) or higher, tap the
enrollment notification on the status bar to install the Knox Workspace manually.
Device 94
Enrolling Android Enterprise (AE) devices
Knox Manage supports the following Android Enterprise (AE) manage types. Each manage type can
be enrolled differently.
Personal area Personal area

(Work-managed) (unmanaged)
Work area
Work Profile Corporately Work Profile Corporately

managed managed
Work Profile Work Profile
Fully Managed Type Fully Managed Work Profile Type

(Corporate-owned) With Work Profile Type (Bring your own device)
(Corporate-owned)
• Fully Managed type: Contains only work applications and work data. You can fully control the
whole area of the device.
• Fully Managed with Work Profile type: Contains personal and work applications and data. Users
can install and use personal applications within the personal area. Personal applications cannot be
controlled.
• Work Profile type: Contains personal areas, work applications, and work data. You can only control
the work area of the device.
Enrolling as the Fully Managed type

Enroll Android Enterprise (AE) devices in the Fully Managed type to control the whole area of the
device. The device should be factory reset in advance. Select one of the following methods.
Method Supported version
Use a token (afw#KnoxManage).

Android 6.0 (Marshmallow) or higher
For more information, see Using a token.
Use a QR code sent via Email.

Android 7.0 (Nougat) or higher
For more information see Using a QR code.
Device 95
Using a token
Enter the token (afw#KnoxManage) to enroll the Android Enterprise (AE) devices in the Fully
Managed or Fully Manage with Work Profile type. If the token is applied successfully, the Knox
Manage app will be automatically installed on the device.
To enroll using a token, complete the following steps:
1. Turn on the factory reset device, and then on the device screen, tap START.
2. On the “Connect to Wi-Fi” screen, select an available Wi-Fi network, and then tap NEXT.
3. On the “Agree to Terms and Conditions” screen, read the terms and conditions, and then tap the
checkbox next to “I have read and agree to all of the above”. Then, tap Agree. The device will
check for updates and the updated will be applied.
4. On the “Sign in” screen, enter “afw#KnoxManage” in the Email or phone field, and then tap Next.
5. On the “Android Enterprise” screen, tap Install to download the Knox Manage application on the
device. The Knox Manage application will be downloaded and launched automatically.
6. On the “Set up your device” screen of the Knox Manage Agent, read the privacy policy of Knox
Manage and Google, and then tap Accept & continue. The Knox Manage application will launch
automatically.
7. On the “Sign in with your Samsung Knox Manage Account” screen, enter a user ID and password,
and then tap SIGN IN to sign in to Knox Manage. Depending on the profiles applied to the device,
the device will be enrolled as the Fully Managed or Fully Managed with Work Profile type.
Device 96
Using a QR code
Use a QR code sent via email to enroll the devices as the Fully Managed or Fully Managed with Work
Profile type. For more information on sending a QR code, see Sending enrollment guides to users via
email and SMS.
To enroll using a QR code, complete the following steps:
1. Turn on the factory reset device, and then, on the welcome screen, tap the screen 5 times to
launch QR code enrollment. The QR Reader app will be downloaded and the device camera will
launch to scan the QR code automatically.
2. Scan the QR code sent by email. The Knox Manage URL and tenant information included in the QR
code will be detected.
3. On the “Connect to Wi-Fi” screen, select an available Wi-Fi network, and then tap NEXT.
4. On the “Agree to Terms and Conditions” screen, read the terms and conditions, and then tap the
checkbox next to “I have read and agree to all of the above.” Then, tap Agree. The Knox Manage
application will launch automatically.
and then tap SIGN IN to sign in to Knox Manage. Depending on the profiles applied to the device,
the device will be enrolled as the Fully Managed or Fully Managed with Work Profile type.
Enrolling as the Fully Managed with Work Profile type

Enroll the Android Enterprise (AE) devices as the Fully Managed with Work Profile type to control
the separate work and personal areas. The enrollment methods are the same as those for the Fully
Managed type, but the applied profile should be set as Create Work Profile on Fully Managed. For
more information, see Creating a new profile.
Note For devices running Android 10 (Q) or higher, tap the enrollment notification on the status bar to
install the Work Profile manually.
Method Supported version
Use a token (afw#KnoxManage).

Android 6.0 (Marshmallow) or higher
For more information, see Using a token.
Use a QR code sent via Email.

Android 7.0 (Nougat) or higher
For more information see Using a QR code.
Device 97
Enrolling as the Work Profile type
To enroll the Android Enterprise (AE) devices as the Work Profile type, provide an installation guide to
the users to install the Knox Manage application on the devices. You can send an installation guide
via email or SMS or users can download the Knox Manage application directly from their public app
store.
To enroll AE devices as Work Profile devices, complete the following steps:
1. On the device screen, tap the installation URL address sent to users via email or SMS to download
and install the Knox Manage application on the device.
Note You can also search for the Knox Manage application from the Google Play Store to download and
install it on the AE device.
2. On the device, launch the Knox Manage application.
and then tap SIGN IN to sign in to Knox Manage.
Note For devices running Android 10 (Q) or higher, tap the enrollment notification on the status bar to
install the Work Profile manually.
4. On the “Set up a work profile” screen, read the privacy policy of Knox Manage, and then tap Agree.
The work applications with the briefcase badge icons, which can be managed by Knox Manage,
will appear on the device.
Device 98
Using Knox Mobile Enrollment (Samsung devices only)
Samsung Knox Mobile Enrollment (KME) allows you to quickly and easily enroll a large number of
corporate-owned Samsung devices. The devices are automatically enrolled when users connect to
the internet and log in to Knox Manage. Even if you reset the devices enrolled by the KME program,
the Knox Manage application is re-installed automatically and the devices are re-enrolled in to Knox
Manage.
The KME program provides the following advantages:
• Enroll a large number of devices in bulk without having to manually enroll each device.
• Allow the KME devices to automatically install the Knox Manage application when the KME devices
are reset.
To enroll devices using the KME program, the following procedures must be performed.
Register devices to KME

Log in to the KME portal. Create MDM profiles. through Knox Reseller Portal
or Knox Deployment App.
Log in to Knox Manage Assign MDM profiles

for enrollment. to the KME devices.
Note For more information about the KME program, refer to the KME Admin Guide (https://docs.
samsungknox.com/KME-Getting-Started/Content/about-kme.htm).
Device 99
Before using Knox Mobile Enrollment
To use Knox Mobile Enrollment (KME) properly, the followings must be prepared:
• See the list of available countries at the Samsung Knox website and check if the KME program is
available in your country.
• Prepare a device from the following carrier or reseller to use the KME program:
–– A distributor approved by the KME program
–– A dealer sharing IMEI or serial numbers directly with the Samsung representative
• Make sure the devices are Samsung Galaxy devices with Knox 2.4 or higher.
• Sign up for an account in the Samsung Knox Web Portal.
• To install Knox Manage, devices must have more than 50% of their battery charged.
• Before enrolling devices using Android Enterprise’s Fully Managed Device, make sure the devices
are running on Samsung Galaxy S8 and Android 5.0 (Lollipop) or above. For more information
about Android Enterprise, visit the Android website at https://www.android.com/enterprise/.
Logging in to the Knox Mobile Enrollment Portal

To use Knox Mobile Enrollment (KME), you should log in to the Knox Mobile Enrollment Portal.
To log in to the Knox Mobile Enrollment Portal, complete the following steps:
1. Visit the Knox Portal at https://www.samsungknox.com, and click Sign in in the upper right-corner
of the screen.
2. Enter a Samsung account ID and password, and then click SIGN IN.
3. On the main Knox Portal page, navigate to SOLUTIONS > Knox Mobile Enrollment.
4. On the Knox Mobile Enrollment page, click Get Started.
5. Enter a work email address and click APPLY FOR FREE. If the application is approved, you will
receive a welcome email with instructions on Knox Mobile Enrollment (KME).
6. On the My Knox solutions page, click LAUNCH CONSOLE on Knox Mobile Enrollment.
Device 100
Creating MDM profiles
Before enrolling devices, create MDM profiles for Android (Legacy) and Android Enterprise through
the Knox Mobile Enrollment Portal.
Knox Manage supports two types of KME enrollments for MDM profiles: Android (Legacy) and
Android Enterprise:
Profile type Targeted device Description
Create this profile for the legacy method of managing

Device Admin Android Legacy
devices.
Create this profile for fully managed or dedicated

Device Owner Android Enterprise
devices.
Creating MDM profiles for Android Legacy devices

To create MDM profiles for the Device Admin profile type, complete the following steps:
1. On the Knox Mobile Enrollment Portal, navigate to MDM Profiles.
2. In the upper-right corner of the “MDM Profiles” page, click CREATE PROFILE.
3. On the “Select profile type” page, click DEVICE ADMIN.
4. On the “Device Admin profile details” page, enter the following basic information
• Profile Name: Enter an appropriate profile name to distinguish it from others with similar
attributes. Special characters are not permitted.
• Description: Enter a profile description (200 characters maximum) to further differentiate this
profile from others.
• MDM Server URI: Enter the Knox Manage server for the relevant regions as stated in the
following table:
Region Domain
Asia https://ap01.manage.samsungknox.com
US https://us01.manage.samsungknox.com
EU https://eu01.manage.samsungknox.com
Note Once you have created an MDM profile, you cannot change the MDM server URI.
• Server URI is not required for my MDM: Select this option if you either do not need to point to
the MDM’s enterprise installation or are unable due to connection restraints.
Device 101
5. Click CONTINUE.
6. On the “Device Admin profile settings” page, set the following MDM configuration settings.
• MDM Agent APK: Click ADD MDM APPS and enter the Knox Manage APK link information
stated in the following table, and then click SAVE. The application will be automatically installed
on the device when it connects to the internet.
Region Domain
Asia http://install-ap.manage.samsungknox.com/KnoxManageEMMService.apk
US http://install-us.manage.samsungknox.com/KnoxManageEMMService.apk
EU http://install-eu.manage.samsungknox.com/KnoxManageEMMService.apk
• Custom JSON Data (as defined by MDM): Enter the tenant information including the TenantId
and TenantType in the java script object notation (JSON) format, as in {”TenantId”:”YOUR_
TENANT”, ”TenantType”:”M”}.TenantId refers to the name of your Knox Manage
company account. It occurs after @ in your Knox Manage Username. For example, your
JSON data entry may be used as follows: {”TenantId”:”knoxteam.samsung.com”,
”TenantType”:”M”}. For more information about JSON and related technology, go to http://
json.org.
7. Set the following device settings.
• Enrollment settings: Select the additional enrollment setting options.

Note The Skip Setup Wizard option performs independently from the Allow end user to cancel
enrollment, and both options can be enabled at the same time.
–– Skip Setup Wizard: Skips the setup wizard screen and allows you to start the enrollment
process much faster.
Note This option is not currently available on all AT&T devices.
–– Allow the end user to cancel enrollment: Permits end-users to cancel enrollment on their
devices.
• Privacy Policy, EULAs and Terms of Service: Click Samsung Knox Privacy Policy to view the
specific privacy policy text displayed to device users based on their geographic region.
• ADD LEGAL AGREEMENT: Enter the agreement title and agreement text.
• Support contact details: View the support contact details.
Device 102
• EDIT: Update the company name, company address, support phone number, and support email
address displayed on the devices after successful enrollment. If required, click Save as default
support contact details to use this same information as the default contact information.
Note If the device owner (DO) support is enabled for the profile, then only the client name is editable,
and the remaining fields are inactive.
• Associate a Knox license with this profile: Pass the Knox license key directly to the intended
device for easier Knox profile configuration.
8. Click CREATE to create the device admin supported profile configuration for Android (Legacy). To
view the created MDM profile, navigate to MDM Profiles on the Knox Mobile Enrollment Portal.
Creating MDM profiles for Android Enterprise devices

To create MDM profiles for the Device Owner profile type, complete the following steps:
2. In the upper-right corner of the “MDM Profiles” page, click CREATE PROFILE.
3. On the “Select profile type” page, click DEVICE OWNER.
4. On the “Device Owner profile details” page, enter the following basic information for the device
owner profile.
• Profile Name: Enter an appropriate profile name to distinguish it from others with similar
attributes. Special characters are not permitted.
• Description: Enter a profile description (200 characters maximum) to further differentiate this
profile from others.
5. Enter the following MDM information for the device owner profile.
• Pick your MDM: Select the specific Knox Manage MDM profile assigned the device owner
privilege.
• MDM Agent APK: Enter the Knox Manage APK link information stated in the following table.
The application will be automatically installed on the device when it is connected to the
internet.
Region Domain
Asia http://install-ap.manage.samsungknox.com/KnoxManageEMMService.apk
US http://install-us.manage.samsungknox.com/KnoxManageEMMService.apk
EU http://install-eu.manage.samsungknox.com/KnoxManageEMMService.apk
Device 103
• MDM Server URI: enter the Knox Manage server for the applicable region as stated in the
following table:
Region Domain
Asia https://ap01.manage.samsungknox.com
US https://us01.manage.samsungknox.com
EU https://eu01.manage.samsungknox.com
Note Once you have created a MDM profile, you cannot change the MDM server URI.
6. Click CONTINUE.
7. On the “Device Owner profile settings” page, set the following MDM configuration settings.
• Custom JSON Data (as defined by MDM): Enter the tenant information including the TenantId
and TenantType in the java script object notation (JSON) format, as in {”TenantId”:”YOUR_
TENANT”, ”TenantType”:”M”}.TenantId refers to the name of your Knox Manage
company account. It occurs after @ in your Knox Manage Username. For example, your
JSON data entry may be used as follows: {”TenantId”:”knoxteam.samsung.com”,
”TenantType”:”M”}. For more information about JSON and related technology, go to http://
json.org.
• Dual DAR: Secures the KME enrollment data with two layers of encryption, even when the
device is powered off or in an unauthenticated state.
Note The Dual DAR function is only supported on devices running Knox version 3.4 or higher.
–– Enable Dual DAR: Enable the Dual DAR function. If the Dual DAR function is enabled, click the
checkbox next to Use3rd party crypto app and click ADD PACKAGE NAME AND SIGNATURE
to enter the package name and signature for using the 3rd part crypto app.
8. Set the following devices settings.
• System apps: Select the system application settings.

–– Disable system applications: Disable all applications to the device owner supported profile.
–– Leave all system applications enabled: Enable all applications on the device owner
supported profile. If this option is not selected, only the default applications and the Knox
Manage application are installed on the user devices.
• Privacy Policy, EULAs and Terms of Service: Click Samsung Knox Privacy Policy to view the
specific privacy policy text displayed to devices users based on their geographic region.
–– ADD LEGAL AGREEMENT: Enter the agreement title and agreement text.
• Company name: Enter the MDM organization name displayed at the time of device enrollment.
Device 104
9. Click CREATE to create a device owner supported profile configuration for Android Enterprise. To
view the created MDM profile, navigate to MDM Profiles on the Knox Mobile Enrollment Portal.
Modifying MDM profiles

To modify an MDM profile, complete the following steps:
2. On the profile list, click the checkbox next to the profile name to modify its information.
3. Modify the selected profile information, and then click SAVE.
Note Once you have created an MDM profile, you cannot change the MDM server URI.
Registering devices to the Knox Mobile Enrollment Portal

Depending on the device purchase type, you can register devices to the Knox Mobile Enrollment
Portal using the following methods
• Knox Reseller Portal: For devices purchased from approved Samsung resellers
• Samsung Knox Deployment App (NFC tagging): For devices purchased from third-party resellers,
or for the purpose of testing
For devices purchased from approved Samsung resellers

If the devices were purchased from approved Samsung resellers, you can register the devices to the
Knox Mobile Enrollment Portal using the Knox Reseller Portal. For more information on using the
Knox Reseller Portal and how to register devices, see the Knox Reseller Portal Admin Guide (https://
docs.samsungknox.com/samsung-reseller-guide/Content/manage-devices.htm) and follow the
instructions.
After the devices are registered successfully, on the Knox Mobile Enrollment Portal, navigate
to Devices > UPLOADS to view the registered device information with the reseller’s information
including the registration date and the number of devices, IMEI information, and applied profiles.
For devices purchased from third-party resellers

To register devices purchased from third-party resellers or for the purpose of testing to the Knox
Mobile Enrollment Portal using the Samsung Knox Deployment app through NFC tagging, complete
the following steps:
Note The user information must be registered in the Knox Mobile Enrollment Portal to register the
devices. For more information on how to add device users, see Adding new device users.
Device 105
1. Download the “Samsung Knox Deployment” app from the Google Play Store on your device and
install it.
2. Run the “Samsung Knox Deployment” app on your device.
3. On the login screen, enter your Knox Mobile Enrollment Portal user ID and password, and then tap
SIGN IN.
4. Tap ENROLL VIA NFC.
Note The NFC mode on your device must be turned on for NFC tagging.
5. On the “Get started” screen, tap START.
6. Select a desired MDM profile to apply, and then tap NEXT.
7. Tag the user device to your device. To view the information of the registered devices on the Knox
Mobile Enrollment Portal, navigate to Devices > UPLOADS.
Assigning MDM profiles and user credentials

After the devices are registered in the Knox Mobile Enrollment Portal, assign the MDM profiles and
user credentials to the registered devices. You can assign them to the registered devices either
individually or in bulk using a CSV file.
Individual Assignment
To assign MDM profiles and user credential to a registered device individually, complete the following
steps:
1. On the Knox Mobile Enrollment Portal, navigate to Devices.
2. At the top of the “Devices” page, click the ALL DEVICES tab.
3. On the device list, click the checkboxes next to IMEI information to assign an MDM profile and
user credential to them. Alternately, you can also click the checkboxes next to IMEI information,
and then click ACTIONS > Configure devices.
Note The device windows appear differently depending on how many devices on the list you select.
Device 106
4. On the “Device Details” or “Configure selected devices” window, enter the following device
information.
• “Device Details” window (When configuring a single selected device)

–– MDM Profiles: Select the desired MDM profile from the drop-down list to assign it to the
selected device.
–– Tags: Enter a tag to use when searching for specific devices.
–– User ID: Modify the Knox Manage user ID.
–– Password: Modify the Knox Manage user password.
• “Configure selected devices” window (When configuring two or more selected devices)
–– Modify the MDM profile of selected devices: Select the desired MDM profile from the drop-
down list to assign to the selected device.
–– Add tags to selected devices: Enter a tag to use when searching for specific devices. Click
the checkbox next to Overwrite existing tags if you want to use the newly entered tag to
overwrite existing tags.
–– User credentials: Select one of the following options for the user credentials of devices from
the drop-down list.
–– Keep current credentials: Maintain the existing user credential information for the selected
devices.
–– Clear user credentials: Remove the existing user credential information for the selected
devices.
–– Overwrite user credentials: Modify the user ID and password.
5. Click SAVE to save the modified device details. The device status changes to Profile assigned. To
update the device status, click Refresh.
Bulk Assignment
You can assign the MDM profiles and user credentials for up to 10,000 registered devices at once.
To assign MDM profiles and user credential to a registered device individually, complete the following
steps:
2. On the “Devices” page, click ALL DEVICES > ACTIONS > Download devices as CSV at the bottom
of the page to download the kme_devices.csv file.
3. Open the downloaded CSV file and enter the information in the columns of the Excel file, and then
save the file as a .csv file.
4. At the left bottom of the Knox Mobile Enrollment Portal, click BULK CONFIGURE.
5. On the “Bulk actions” page, read the instructions to ensure the CSV file is completely filled out, and
then click View instructions.
6. On the “Bulk configure” page, click BROWSE, and then select the saved .csv file.
Device 107
7. In the “(Optional) Configure profiles and tags” area, enter the following information.
• Modify the MDM profile of selected devices: Select the desired MDM profile from the drop-
down list to assign it to the selected devices.
• Tags: Enter a tag to use when searching for specific devices. Click the checkbox next to
Overwrite existing tags if you want to use the newly entered tag to overwrite existing tags.
8. Click SUBMIT. To view the bulk-added information, navigate to Devices > ALL DEVICES.
Adding new device users

You can add a new device user to the list of existing users.
To add a new device user, complete the following steps:
1. On the Knox Mobile Enrollment Portal, navigate to Device Users.
2. On the “Device Users” page, click ADD DEVICE USERS to add a new device user.
3. On the “Add device user” window, enter a user ID and password to create unique KME device user
credentials.
Note The user ID and password should both be the credentials of the Knox Manage.
4. Click ADD to add new device user.
Unenrolling KME devices

To disable the use of KME devices, you must unenroll them in the Knox Manage Admin Portal, and
then delete them in the Knox Mobile Enrollment Portal. For more information about how to unenroll
enrolled devices in the Knox Manage Portal, see Unenrolling devices.
To delete the KME devices, complete the following steps:
2. On the “Devices” page, click the ALL DEVICES tab.
3. On the device list, click the checkboxes next to the IMEI information to delete the registered
device, click ACTIONS > Delete devices.
4. In the “Delete device user?” window, click DELETE. The selected devices will be deleted from the
KME Portal.
Note Once a device is deleted from the KME Portal, the device is permanently removed from the
system.
Device 108
Using Zero Touch Enrollment (Android Enterprise devices only)
Zero Touch Enrollment (ZTE) allows you to quickly and easily enroll a large number of corporate-
owned Android Enterprise devices for non-Samsung devices. Once the devices are registered to
the ZTE Portal, the devices are automatically enrolled when users connect to the Internet and log
in to Knox Manage. Even if you reset the devices enrolled by ZTE, the Knox Manage application is
reinstalled automatically and the devices are re-enrolled in to Knox Manage.
ZTE provides the following advantages:
• Enrolls a large number of devices in bulk without having to manually enroll each device.
• Allows the ZTE devices to automatically install the Knox Manage application when the ZTE devices
are reset.
• Prevents unauthorized devices from joining your EMM environment to enhance your security.
• Allows resellers to add devices to the ZTE Portal.
To enroll devices using ZTE, the following procedures must be performed.
Log in to
Create Knox
the Zero Touch Enrollment
Manage configurations
Portal.
Log in to Knox Manage Assign Knox

for enrollment. Manage configurations
to ZTE devices.
Note For more information about ZTE, refer to the https://www.android.com/enterprise/management/

zero-touch/#partners.
Before using Zero Touch Enrollment (ZTE)

To use Zero Touch Enrollment (ZTE) properly, the following must be prepared:
• Make sure that the devices are compatible with ZTE from the list of Android Zero Touch Devices at
https://androidenterprisepartners.withgoogle.com/devices/#!#Zero-touch.
• Prepare a device from the following carrier or reseller to use ZTE:

–– Zero touch reseller partner
–– Google partner and not from a consumer store.
Device 109
• Make sure the devices are running on Android Oreo (8.0 and later) or a Pixel phone with Android
Nougat (7.0).
• Sign up for a Google account associated with the corporate email. A personal Gmail account
cannot be used. To create a Google account for the corporate, visit the Google website at https://
accounts.google.com/signup/v2/webcreateaccount?flowName=GlifWebSignIn&flowEntry=SignUp
&nogm=true.
• Before enrolling devices using Android Enterprise’s Fully Managed Device, make sure the devices
are running on Samsung Galaxy S8 and Android 5.0 (Lollipop) or above. For more information
about Android Enterprise, visit the Android website at https://www.android.com/enterprise/.
Logging in to the Zero Touch Enrollment (ZTE) Portal

You can log in to the Zero Touch Enrollment (ZTE) Portal using the Google account with the corporate
email.
To log in the ZTE Portal, complete the following steps:
1. Visit the ZTE Portal at https://partner.android.com/zerotouch.
2. Enter your Google account information and then click NEXT to log in to the ZTE Portal. Once you
have logged in to the ZTE Portal, the following navigation pages are provided on the ZTE Portal.
• Configurations: Create, modify, and delete Knox Manage configurations.

• Devices: Displays the registered device list. You can assign also apply the created Knox
Manage configurations to the selected devices on the list.
• Users: Add, modify, or delete the users who can access and manage the portal.
• Resellers: Add resellers to share your account with multiple resellers.
Creating Knox Manage configurations

To create Knox Manage configurations, complete the following steps:
1. On the Zero Touch Enrollment (ZTE) Portal, navigate to Configurations.
2. On the “Configurations” page, click .
3. In the “Add a new configuration” window, enter the following information.
• Configuration name: Enter a configuration name.

• EMM DPC: Select Samsung Knox Manage from the EMM DPC dropdown list.
• DPC extras: Enter the JSON data (Samsung Knox Manage DPC extras) as follows.
Device 110
{
“android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED”:true,
“android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE”: {
“ServerUrl”: “Your Server Url”,
“TenantId”: “Your Knox Manage Tenant ID”,
“TenantType”: “M”,
“Method”: “ZeroTouch”
}
}
Note Enter the server URL of the DPC extras for the applicable region as stated in the following table:
Region Domain
Asia https://ap01.manage.samsungknox.com/emm
Asia (India only) https://ap02.manage.samsungknox.com/emm
US https://us01.manage.samsungknox.com/emm
EU https://eu01.manage.samsungknox.com/emm
• Company Name: Enter the name of your organization. It will be displayed on the user’s device
during enrollment.
• Support email address: Enter a corporate IT admin email address. It will be displayed on the
user’s device during enrollment, and it can be used to contact the IT admin in case of any
enrollment issues.
• Support phone number: Enter a corporate IT support phone number. It will be displayed on
the user’s device during enrollment, and it can be used to contact the IT admin in case of any
enrollment issues.
• Custom message: Enter an optional message to be displayed on the device screen during
enrollment.
4. Click Add to create a new Knox Manage configuration.
Device 111
Assigning Knox Manage configurations to ZTE devices
Once Zero touch reseller partners have registered devices in the Zero Touch Enrollment (ZTE) Portal,
assign the newly created Knox Manage configurations to the devices. You can assign them to the
registered devices either individually or in bulk using a CSV file.
Individual Assignment
To assign a Knox Manage configuration to a device individually, complete the following steps:
1. On the Zero Touch Enrollment (ZTE) Portal, navigate to Devices.
2. On the “Devices” page, select the devices to which configurations are to be applied to on the
device list, and then, under Configuration, against the selected devices, the Knox Manage
configuration which you have created previously.
Bulk Assignment
To assign Knox Manage configurations to multiple devices at once using a CSV file, complete the
following steps:
2. On the “Devices” page, click > Download results as .csv to download the CSV file, and then
enter the device information in the CSV file.
• Open the CSV file and fill out the following fields in the file.
Field Example Description
This field should be always set as IMEI in uppercase

modemtype IMEI
characters.
modemid 123456789012347 Enter the IMEI number of the device.
serial ABcd1235678 Enter the serial number of the device.
model VM1A Enter the model name of the device.
manufacturer Google Enter the name of the device manufacturer.
This field should always be set as ZERO_TOUCH in

Profiletype ZERO_TOUCH
uppercase characters.
Enter the numeric ID of the configuration you want to apply

to the device. To see the configuration ID, check the table's
Profileid 54321
ID column on the “Configurations” page. To remove the
device from zero-touch enrollment, enter 0 (zero).
3. On the “Devices” page, click > Upload batch configurations, and then select the saved .csv
file to upload it. All the devices in the CSV file will be assigned to the specific Knox Manage
configuration.
Device 112
Logging in to Knox Manage for enrollment
After the Knox Manage configuration is assigned to ZTE devices, log in to Knox Manage to enroll the
devices.
To log in to Knox Manage for enrollment, complete the following steps:
1. Turn on the factory-reset device, and then tap Start on the Zero Touch Device Enrollment screen.
2. On the “Connect to mobile network” screen, insert a sim card or tap Skip.
3. On the “Connect to mobile network” screen, tap an available Wi-Fi network to connect to a
network. The device will check for updates.
4. On the “Set up your device” screen, read the privacy policy of Knox Manage and Google, and then
tap Accept & continue. The device will get account information for Knox Manage.
5. On the “Google Services” screen, tap Accept. The Knox Manage application will be installed and
launched automatically on the device.
and then tap SIGN IN to sign in to Knox Manage.
7. On the Knox Manage terms and agreements screen, read the terms of use, privacy policy, and end-
user license agreement, tap the checkbox next to Agree all, and then tap NEXT.
8. On the “Display over other apps” page, if required, tap All display over other. The device will be
registered and enrolled in the Knox Manage Admin Portal.
Deleting ZTE devices from the Zero Touch Enrollment (ZTE) Portal
You can delete devices from the ZTE Portal if you are required to transfer ownership. You can delete
one device at a time by selecting devices in the ZTE Portal.
To delete devices from the ZTE Portal, complete the following steps:
Note After you delete a device, you need to contact your reseller if you want to register the device in the
ZTE Portal again. Consider removing the Knox Manage configuration, if you want to temporarily
exclude a device from the ZTE Portal.
2. On the “Devices” page, select the device you want to remove, and then click DEREGISTER.
3. In the “Deregister device?” window, click DEREGISTER to delete the devices from the ZTE Portal.
Device 113
Using the Apple Device Enrollment Program (iOS devices only)
The Apple Device Enrollment Program (DEP) allows you to quickly and easily enroll a large number of
organization-owned Apple devices. The devices are automatically enrolled when users connect to the
internet and log in to Knox Manage. Even if you reset the devices enrolled by DEP, the Knox Manage
application is re-installed automatically and the devices are re-enrolled in to Knox Manage.
DEP provides the following advantages:
• Prevent end-users from deleting the MDM profiles installed on the devices.
• Provision devices in Supervised mode (iOS only). If the devices are in Supervised mode, you can
access additional security and configuration settings.
• Prevent iCloud backup by disabling users from signing in with their Apple ID when generating a
DEP profile.
• Force OS updates for all end users.

• Bulk-deploy policies to DEP devices. Once the devices are enrolled, the policies cannot be deleted
by users.
To enroll devices using ZTE, the following procedures must be performed.
Issuing a DEP token

Registering iOS devices
issued by Apple.
to the DEP Portal.
Log in to Knox Manage

Setting DEP profiles.
for enrollment.
Note For more information about the Apple Device Enrollment Program (DEP), visit the Apple website at
https://www.apple.com/business/docs/site/DEP_Guide.pdf.
Device 114
Before using the Apple Device Enrollment Program
To use the Apple Device Enrollment Program (DEP) properly, the followings must be prepared:
• Prepare a device from an Apple store, Apple theorized reseller, or carrier.

• Make sure the devices are iOS 9.0 or later.
• Register for an Apple DEP account in the Apple DEP Portal at https://deploy.apple.com/qforms/
open/register/index/avs.
Issuing a DEP token

To use Apple Device Enrollment Program (DEP), you must request for a DEP token issued by Apple
through a public key, and then set up DEP in the Knox Manage Admin Portal.
To issue a DEP token and set up DEP, complete the following steps:
1. Navigate to Setting > iOS > DEP Server Setting. If you have issued a DEP token before, the
previously issued DEP token’s information and its expiration date are displayed.
2. On the “DEP Server Setting” page, click Public Key Download to download a public key in the .pem
format required to create a new MDM server in the Apple DEP Portal.
3. Visit the Apple DEP Portal at https://business.apple.com, and then enter your Apple ID and
password to log in.
4. On the Apple DEP Portal of the “Device Enrollment Program” page, click Get Started.
5. On the Apple DEP Portal, navigate to Device Enrollment Program > Manage Servers, and then,
click Add MDM Server.
6. On the ”Add MDM Server” window, enter an MDM server name to refer to the server, department or
location and then click Next.
• Automatically Assign New Devices: Allow any new devices enrolled to the DEP account to
automatically be assigned.
7. Click Choose File to select the public key downloaded from the Knox Manage Admin Portal, and
then click Next to upload the public key.
8. Click Your Server Token to download the Apple token file in a .p7m format, and then click Done.
If the MDM server is successfully added to the Apple DEP Portal, you can view the MDM server
information on the Manage Server list.
Note Using a single token to enroll the DEP devices for one company is recommended.
Device 115
9. On the “DEP Server Setting” page of the Knox Manage Admin Portal, click Browse, and then select
the DEP token file in the .p7m format issued by Apple.
10. Click Upload. If the DEP token file is uploaded successfully, the authentication processes
between the Knox Manage server and the Apple’s DEP server is completed.
11. Click Set Default Profile to set up a profile to be assigned to the DEP devices by default, and then
click OK.
Note For more information on setting a general profile, see Setting DEP profiles.
12. Enter the sync interval time in hours to set the sync interval of the DEP devices, and then click
Setting.
Registering DEP devices

After the Device Enrollment Program (DEP) server is all set up, register iOS devices with the MDM
server in the Apple DEP Portal.
To register iOS devices in the Apple DEP Portal, complete the following steps:
password to log in.
2. On the Apple DEP Portal, navigate to Device Enrollment Program > Manage Devices to assign iOS
devices to the MDM server you have already created.
3. Select the method for registering iOS devices from Choose Devices By:
• Assign Device by Serial Number: Enter a list of device serial numbers to register the iOS device.
• Assign Devices by Order Number: Enter the Apple Purchase Order number so that the devices
are added automatically.
• Upload a .csv File: Upload a .csv file that includes the serial numbers.
4. Select Assign to Server as Action, and then select the MDM server group.
5. Click OK. If the iOS devices are registered successfully in the Apple DEP, navigate to Device
Enrollment Program > Manage Servers > View Assignment History to view the registered device
information and its assignment history.
Device 116
Setting DEP profiles
After the iOS devices are registered to the Apple Device Enrollment Program (DEP) Portal, you must
set the DEP profile to be assigned to the devices through the Knox Manage Admin Portal.
The DEP profile is applied to the DEP devices when the DEP devices are enrolled.
To set a DEP profile, complete the following steps:
1. Navigate to Setting > iOS > DEP Device Management.
2. On the “DEP Device Management” page, click Set Default DEP Profile.
3. On the “Set DEP profile” window, set the following items in the DEP profile:
• Supervised Mode: Click the checkbox next to Apply to enable the supervised mode that is only
available on iOS devices and must be applied to the DEP devices.
–– Delete MDM profile: Click the checkbox next to Allow to allow users to delete the MDM
profile.
–– Supervising host certificate list: Click Add to add the registered certificate to the Apple
device you want to pair with the DEP devices.
• Pairing: Click to allow other Apple devices to pair with the DEP devices.
• Skip Settings: Select the items that appear during the device setup process after users turn on
their DEP devices for the first time. If the items are checked, they do not appear on the window.
4. Click Save to save the set DEP profile.
Managing DEP devices

In the Knox Manage Portal, the DEP devices registered in the Apple Device Enrollment Program (DEP)
are managed. You can synchronize with the DEP server in the Apple DEP Portal to update the DEP
device list in the Knox Manage Portal, modify and assign DEP profiles, and control DEP devices.
Viewing the DEP device details

To view the DEP device details in the Knox Manage Portal, complete the following steps:
2. On the “DEP Device Management” page, click the serial number of the desired DEP device on the
list to view its details.
3. In the “Device Detail” window, view the selected DEP device information.
Device 117
Synchronizing with the DEP server
To synchronize with the DEP server and the Apple DEP Portal to update the DEP device list in the
Knox Manage Portal, complete the following steps:
2. On the “DEP Device Management” page, click to synchronize with the DEP server.
3. On the “DEP device sync” window, click OK. The DEP device list in the Knox Manage Portal will be
updated.
Note If the server token has expired, you can no longer update the DEP device list.
Modifying and assigning the DEP profiles

To modify and assign DEP profiles to DEP devices, complete the following steps:
2. On the “DEP Device Management” page, click the checkboxes next to the DEP devices on the DEP
device list, and then click to modify the DEP profile.
3. On the “Set DEP profile” window, modify the desired DEP profile items, and then click Save to save
the set DEP profile and return to the “DEP Device Management” page. For more information on
setting the DEP profiles, see Setting DEP profiles.
4. Click to synchronize with the DEP server to update the DEP device list. The modified DEP
profile will be assigned to the DEP devices.
Device 118
Unenrolling DEP devices
If you want to use DEP devices as general iOS devices or if the DEP devices are no longer required,
you can unenroll the DEP devices in the Apple Device Enrollment Program (DEP) Portal.
To unenroll DEP devices, complete the following steps:
password to log in.
2. On the Apple DEP Portal of the “Device Enrollment Program” page, click Get Started.
3. On the Apple DEP Portal, navigate to Device Enrollment Program > Manage Servers.
4. On the “Server Details” page, click an MDM server to disable and delete it, and then click Delete
Server.
5. In the “Are you sure you want to delete this server?” window, click Delete. All the DEP devices on
this server will be deleted.
Note To delete the MDM server and relocate the DEP devices on this server, select Reassign Devices
from the drop-down list. Then, select a different MDM server where you want to relocate the MDM
devices to and click Delete.
6. On the Knox Manage Portal, Navigate to Setting > iOS > DEP Device Management.
7. On the “DEP Device Management” page, click to synchronize with the DEP server.
8. In the “DEP device sync” window, click OK. The DEP device list in the Knox Manage Portal will be
updated according to the DEP server, and the DEP devices on the DEP server in the Knox Manage
Portal will be deleted.
Device 119
Managing devices
Managing devices
You can change the device’s status or send device commands to manage the devices registered in
Knox Manage.
Unenrolling devices
You can unenroll the devices registered in the Knox Manage server. The methods for unenrollment
differ depending on the device type.
To delete the Work Profile from Android Enterprise devices or delete Knox Manage from Fully
managed devices, send the Unenroll service command to devices.
Note When you unenroll Fully Managed or the Fully Managed with Work Profile devices, the devices will
be factory reset and the microSD cards of the devices with Android 7.0 (Nougat) - 8.0 (Oreo) can
be wiped. Please be cautious of potential data loss.
To simply change a logged in user’s details, send the Delete account command, and then allow the
user to log in again.
Unenrolling connected devices

To unenroll devices that are connected to the server, complete the following steps:
1. Navigate to Device.
2. On the “Device” page, click a checkbox for a device you want to unenroll.
3. Click Unenroll.
4. In the “Unenroll Device” window, click OK.
Device 120
Unenrolling disconnected devices
When a device is unable to communicate with the server, you can send an offline unenrollment code
to the device. Then, the user can change the device’s status manually and unenroll the device.
To unenroll devices that are offline, complete the following steps:
2. On the “Device” page, click a checkbox for a device you want to unenroll.
3. Click Unenroll.
4. In the “Unenroll Device” window, check the Offline Unenrollment Code.
5. Click Force Unenroll.
• The unenrollment device command will be sent to the device.

6. Inform users of the use of the offline unenrollment code from step 4.
• When the user enters the received offline unenrollment code, the device will become
unenrolled, corresponding to its status on the server.
Note You can choose to delete the internal applications installed on Android devices and all of the
applications installed on devices with iOS 9.0 or above upon unenrollment.
To set automatic deletion, navigate to Setting > Configuration, and then set Delete App upon
Unenrollment under Category : MDM to TRUE.
Allowing the users to unenroll their devices

If a device is connected to a network and can establish communication with the server, then users
can unenroll the devices by uninstalling the agent.
To allow the user to uninstall the agent, complete the following steps:
1. Navigate to Setting > Knox Manage Agent Policy.
2. On the “Knox Manage Agent Policy” page, click the ”Default” tab.
• You can also add more agent policy sets by clicking .
3. Set the Allow Unenroll Request policy to Allow.
4. Click Save & Apply.
Device 121
Sending device commands to devices
You can send device commands to enrolled devices by user, organization, group, or device and
control them remotely. For devices with Knox Workspace or Work Profile, you can select the tab
of the area on the top you want to send a device command to. Available device commands vary
depending on the device type. For more information on each device command, see the list of device
commands.
Note In general, device commands take a higher priority than profile policies. However, policies take
a higher priority than the following device commands: Install, Run, Uninstall, Locate the current
position, and Reset SD Card. For more information, see the list of device commands.
To send device commands, complete the following steps:
2. On the “Device” page, click the checkbox next to the device name to send a device command to,
and then click Device Command.
3. In the “Device Command” window, select the desired device command.
• For devices that have a Knox Workspace, click the target area between General and KNOX -
LightWeight Knox.
• For Fully Managed with Work Profile devices, click a target area between Fully Managed Device
and Work Profile.
4. In the “Request Command” window, click OK.
Checking device commands in request

Check device commands that have not been sent successfully due to network or system issues. You
can resend the device commands in request or delete them individually or altogether. You can also
download all device commands in queue as an Excel file.
Note If no device command has been sent within the past six hours of restarting the device, then Knox
Manage Agent requests the server for a device command and can have it resent to the device.
Device 122
To check the device commands in request and resend or delete them individually or altogether,
complete the following steps:
1. Navigate to Service Overview > Device Command in Request.
2. Enter a request date, and user ID or mobile ID, and then click Search.
3. View the information of the device commands that have been found.
• To resend the device commands in request, click the checkboxes of the device commands to
resend, and then click Re-Request.
• To delete the device commands in request, click the checkboxes of the device commands to
delete, and then click Cancel Request.
Note To set the Knox Manage server to resend the device commands in request automatically, navigate
to Setting > Configuration, and then set the number next to Daily retries for device commands in
request.
Viewing device command history

You can view the device command history and related audit logs by date. You can also view the
details about the results of device commands, and collect the device control audit logs for each
event. For more information about audit log items, see Viewing audit logs.
To view the device command history, complete the following steps:
2. On the “Device” page, click a device name or a tag.
3. On the “Devices Detail” page, click the “Command History” tab.
4. Click a command name to view the audit result of the device command.
Note To view the device command logs by each platform, navigate to Service Overview > History >
Group Command History, enter a request date and a group ID or organization name, click Search,
and then click a group or organization name.
Device 123
List of device commands: Android Enterprise
The available device commands vary depending on the Android Enterprise manage types. For Fully
Managed with Work Profile devices, you can select either Fully Managed or Work Profile to send
device commands to.
Device
Device command Description
Sends the latest profile and application information to the device and
Apply Latest Profiles
controls the device with the profile and information.
Enable EAS (Samsung Email

Allows using Exchange ActiveSync for Samsung Email application.
App Only)
Disable EAS (Samsung

Disallows using Exchange ActiveSync for Samsung Email application.
Email App Only)
Locks a device. You can enter a reason for locking the device and a phone
number to contact when the device is lost. The entered information
appears on the locked device screen.
Lock Device
Note For non-Samsung Android devices, this policy supports only
the devices with Android 8.0 (Oreo) and lower.
Unlocks a device.
Unlock Device Note For non-Samsung Android devices, this policy supports only
the devices with Android 8.0 (Oreo) and lower.
Locks the device screen. If the device's screen is password-locked, then

Lock Screen
the user needs to enter the password to access the screen again.
Performs factory reset and changes the device status to Unenrolled.
• Initialize SD Card when factory reset: Click the checkbox to initialize the
SD card during a factory reset.
Factory Reset
• Deactivate Factory Reset Protection: This only appears when the profile
is applied with the Factory Reset Protection policy or when you send a
device command to multiple devices. Click the checkbox to perform a
factory reset without the Factory Reset Protection policy.
Turns off the device.
Power Off Device Note Only Samsung Galaxy devices are supported except the
devices with Android 10 (Q).
Reboot Device Reboots the device.
Device 124
Resets the device’s screen lock password and creates a temporary

password. After sending the device command, the temporary password
Reset Screen Password that can be found on the device’s detailed information page will be
delivered to the user. For more information, see the screen lock password
in Viewing the device details.
Initializes the external SD card of the device.
Note For devices whose External SD Card policy is set to

Reset SD Card Disallowed in the profile, you cannot reset the SD card using
the device command, because the policy takes a higher
priority than the device command.
Resets data usage among the Android device's inventory information.
• Wi-Fi transfer data (in/out)

Reset Data Usage • Network transfer data (in/out)
Note Only Samsung Galaxy devices are supported except the
devices with Android 10 (Q).
Resets the number of call(s) and number of missed call(s) among Android
device’s inventory information,
Reset Number of Calls
• Number of call(s)
• Number of missed call(s)
Deletes certificates installed by Knox Manage. You can select a certificate
Delete a CA Certificate
to delete.
Deletes certificates installed by the administrator. You can select a

Delete a User Certificate
certificate to delete.
Delete a User Install

Deletes all the certificates installed by the administrator.
Certificate
Application
Installs or updates applications on a device.

In the “Request Command” window, select an application to be installed or
updated.
Install or Update App
Note The Application installation blacklist/whitelist policies take a
higher priority than device commands.
Device 125
Deletes applications from a device.

In the “Request Command” window, select an application to be uninstalled.
Uninstall App
Note The Application uninstallation prevention list setting policy
takes a higher priority than device commands.
Apply Latest internal App Sends the latest internal application information and updates the device
Information according to the information.
Knox Manage
Sends an emergency message to the device. The message icon is shown

on the status bar of the device.
Push Notification
In the “Push Notification” window, enter the title and content of the
message.
Unenroll Device Unenrolls a selected device on the device list.
Update License Updates the license of a selected device on the device list.
Updates the Knox Manage Agent on the device for a new patch or version.
Update Knox Manage The agent information registered in the Knox Manage server is sent to a
device. The device automatically selects the appropriate agent to request
installation files from the server.
Updates the device user information such as the user activation status/
username/user settings (Secure Browser website URL information,
Update User Information bookmark information) and license information.
If the user is logged out from the enrolled device, you can send this device
command to enable the user to log in to Knox Manage automatically.
Locks the Knox Manage Agent.

When the application is locked, the users have to enter the screen lock
Lock Screen of Knox password which was configured during installation. If a user forgets the
Manage Agent password of Knox Manage Agent screen lock, you can send the Delete
Account command and make the user logged out from the Knox Manage
Agent. Then, the user can set the password again upon login.
Unlock Knox Manage Agent Unlocks the Knox Manage Agent.
Delete Account Deletes the account registered in the Knox Manage Agent.
Collects the Knox Manage audit logs of the device. When the log size
Collect Audit Log exceeds the maximum size, logs are automatically sent to the server, but
the log file may be lost. For more detailed information, see Viewing audits.
Collect Device Log Collects the logs of devices.
Device 126
Collect Diagnosis
Collects a device log to diagnose the cause of device lock,
Information
Device Info.
Shows the current location of the device.
Collect current location To view the location of a device after sending a device command,
navigate to Device, click the checkbox for the device, and then click Check
Location.
Updates the inventory and application information on the device.
Sync Device Information To view the updated information after sending the device command,
navigate to Device, click a device name or tag, and view the information on
the “Device Detail” page.
Updates the information of installed applications.
Sync Installed App List To view the list of installed applications after sending a device command,
navigate to Device, click a device name or tag, and click the “Application”
tab.
Authenticate SIM Card Authenticates the SIM card on a device.
Authenticate SD Card Authenticates the external SD card on a device.
Checks if a device’s OS has been compromised. The result can be found

Attestation
from the device details.
List of device commands: Android Legacy/Knox Workspace

The available device commands vary depending on device manage type. For Android Legacy
with Knox Workspace devices, you can select either the General or KNOX area to send the device
command to.
Device
Enable EAS (Samsung Email

Allows using Exchange ActiveSync for Samsung Email application.
App Only)
Device 127
Disable EAS (Samsung

Disallows using Exchange ActiveSync for Samsung Email application.
Email App Only)
Locks a device. You can enter a reason for locking the device and a phone
number to contact when the device is lost. The entered information
appears on the locked device screen.
Lock Device
Note • For non-Samsung Android devices, Android 8.0 (Oreo) and
lower are only supported.
• Android 10 (Q) devices are not supported.
Unlocks a device.
Unlock Device
Note • For non-Samsung Android devices, Android 8.0 (Oreo) and
lower are only supported.
• Android 10 (Q) devices are not supported.
Locks the device screen. If the device's screen is password-locked, then

Lock Screen
the user needs to enter the password to access the screen again.
Factory Reset Performs factory reset and changes the device status to Unenrolled.
Turns off the device.

Power Off Device
Note Android 10 (Q) devices are not supported.
Reboot Device Reboots the device.

that can be found on the device’s detailed information page will be
Reset Screen Password delivered to the user. For more information, see the Knox password in
Viewing the device details.
Note Android 9.0 (Pie) devices are not supported.
Initializes the external SD card of the device.
Note For devices whose External SD Card policy is set to

Reset SD Card Disallowed in the profile, you cannot reset the SD card using
the device command, because the policy takes a higher
priority than the device command.
Resets data usage among the Android device’s inventory information.
• Wi-Fi transfer data (in/out)

Reset Data Usage • Network transfer data (in/out)
Note Android 10 (Q) devices are not supported.
Device 128
Resets the number of call(s) and number of missed call(s) among Android
device’s inventory information.
Reset Number of Calls
• Number of call(s)
• Number of missed call(s)
Application
Installs or updates applications on a device.

In the “Request Command” window, select an application to be installed or
updated.
Install or Update App
Runs applications on a device.

In the “Request Command” window, select an application to be run.
Run App
Note The Application running blacklist/whitelist policies take a
Stops applications on a device.

Stop App
In the “Request Command” window, select an application to be stopped.
Deletes data from applications.

Delete App data
In the “Request Command” window, select an application to be deleted.

Uninstall App
Device 129
Knox Manage

Push Notification
message.
Update License Updates the license of a selected device on the device list.
Updates the Knox Manage Agent on the device for a new patch or version.
Update Knox Manage The agent information registered in the Knox Manage server is sent to a
device. The device automatically selects the appropriate agent to request
installation files from the server.

Collect Diagnosis
Information
Device 130
Device Info.
Location.

To view the updated information after sending the device command,
Sync Device Information the “Device Detail” page.
Note For iOS devices, only the hardware status is updated.
tab.
Authenticate SIM Card Authenticates the SIM card on a device.
Authenticate SD Card Authenticates the external SD card on a device.
Checks if a device’s OS has been compromised. The result can be found

Attestation
from the device details.
Container
Only the Workspace area of Knox Workspace is supported.
Locks the Knox Workspace. Users cannot access the Knox Workspace
Lock Knox Workspace
unless you unlock it by sending this command.
Unlock Knox Workspace Unlocks the Knox Workspace.
Resets the Knox Workspace password. When the user forgets the Knox
Workspace password, this command is sent to reset the password.
Note Depending on the Android OS version, the process to re-

configure the new password may differ. For Android 8.0
Reset Knox Workspace (Oreo) or higher, the user will receive a temporary password
Password after Knox Manage authentication. And then, the user can re-
configure the new Knox Workspace password. For operating
systems lower than Android 8.0 (Oreo), the user can re-
configure the Knox Workspace password directly after Knox
Manage authentication.
Device 131
Deletes the selected Knox Workspace. Inventory information is updated on

Uninstall Knox Workspace
the server upon deletion.
List of device commands: iOS

The available device commands vary depending on device manage type.
Device
Lock Device Blocks some functions of the device without locking the device.
Unlock Device Unlocks a device.

Initializes the block settings of the device.

Initialize Blocked
Information (Supervised) Note Only iOS Supervised devices are supported.
Device 132
Application
Installs applications on a device.

In the “Request Command” window, select an application to be installed.
Install

Uninstall App
Knox Manage

Push Notification
message.

Device 133
Collect Diagnosis
Information
Sync App Auto-removal Syncs the application auto-deletion property when managed applications
Property (When service is are deactivated if the value of Delete app during Unenrollment process
deactivated) has changed in the server configuration.
Device Info.
Location.

To view the updated information after sending the device command,
Sync Device Information the “Device Detail” page.
Note For iOS devices, only the hardware status is updated.

For iOS devices, you can also request to delete application feedback when
sending the device command.
Sync Installed App List
To view the list of installed applications after sending a device command,
tab.
Checks the service connection status of the device.

To check the status of the device after sending the device command,
navigate to Device, click a device name or tag, click the “Security” tab, and
view the connection status below the device name.
Check Connection Status
• Enrolled: The device is connected to the Knox Manage server.
• Disconnected: The device is disconnected from the Knox Manage
server.
• Unenrolled: Keepalive is not configured.
Collects the ID of the profile applied to the device.

Collect Profile ID If the device has been enrolled, then the ID is automatically collected from
the device’s inventory information without sending the device command.
Device 134
List of device commands: Windows
The available device commands vary depending on device manage type.
Device
Lock Device Locks the device.

Knox Manage
Sends an emergency message to the device.

Push Notification The message icon is shown on the status bar of the device. In the “Push
Notification” window, enter the title and content of the message.

Delete account Deletes the account registered in the Knox Manage Agent.
Device 135
Device Info.
Location.
Sync Device Information To view the updated information after sending the device command,
the “Device Detail” page.
tab.
Managing limited enrollment

You can set only the devices that are registered with their IMEI (International Mobile Equipment
Identity) numbers to be enrolled in Knox Manage.
IMEI numbers can be registered individually or collectively using an XLS file. You can also register Wi-
Fi only devices with their serial numbers instead of IMEI numbers.
To register IMEI numbers individually, complete the following steps:
1. Navigate to Setting > Android > Limited Enrollment.
2. On the “Limited Enrollment” page, click Activate at the bottom of the page.
• You can also activate the Limited Enrollment feature by navigating to Setting > Configuration,
and then setting Limited Enrollment to TRUE.
3. Click Add.
4. In the “Add Device” window, select IMEI/MEID or Serial Number.
Device 136
5. Enter an IMEI/MEID or serial number into the field.
• Enter the serial number of a Wi-Fi only device.

6. Click Save.
To register IMEI numbers collectively, complete the following steps:
1. Navigate to Setting > Android > Limited Enrollment.
2. On the “Limited Enrollment” page, click Activate at the bottom of the page.
• You can also activate the Limited Enrollment feature by navigating to Setting > Configuration,
and then setting Limited Enrollment to TRUE.
3. Click Bulk Add.
4. In the “Bulk Add Devices” window, click Download Template.
5. Enter the IMEI numbers in the downloaded XLS file, and then save it.
• Enter the serial number of a Wi-Fi only device.

6. In the “Bulk Add Devices” window, click , and select the saved XLS file.
7. Click Save.
Checking the locations of the devices

You can check the locations of the selected devices. Only the devices that have the location policy
applied can be tracked.
To check the device locations, complete the following steps:
2. On the “Device” page, click the checkbox for a device to check its location, and then click Check
Location.
3. In the “Check Location” window, search by date and view the location history.
• Click Export to GPX to download a GPX file that includes detailed device location information.
You can use a GPX viewer to open the file.
Device 137
Viewing device logs
View a device log to verify that the device commands sent from the Admin Portal were successfully
received by the device.
To view a device log, complete the following steps:
2. On the “Device” page, click the device to view its log.
3. On the “Device Detail” page, click Command History.
4. View the device command history.
• To download the device logs, click Device Log. In the “Device Log” window, set the log
collection period and download the desired logs by clicking .
• To view in detail the audit events that occurred while completing a device command, click See
Audit Event in the row of the device command.
Device 138

Knox Mobile Enrollment

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Knox Mobile Enrollment

Hochgeladen von

Copyright:

Verfügbare Formate

4

This chapter explains the following topics:

→→ Viewing the device list

Search for devices by device name, IMEI / MEID, user name,

Send the device commands to the selected device on the device

Unenroll the selected devices on the device list. For more

Bulk Add Tags Add bulk device tags using a template.

Export to CSV Download a list of devices as a CSV file.

• See History: View the detailed histories of the device status.

The Security tab shows the device’s detailed security status.

Tab: Device Information

The Device Information tab shows the device’s detailed information.

• Detail: Display additional device information at the bottom of the page.

Application tab Description

• Sync Installed App List: Update the installed application list.

Tab: Group / Organization

The following function buttons are available:

Function button Description

Device Log Download the device logs.

Re-Request Re-request the requested device command on the list.

Function buttons in the footer

The following function buttons are available:

Function button Description

List Return to the device list.

Delete Delete the selected device.

Manage Tag Add new tags to the selected devices.

Enrollment type Method Supported device type

Send a Knox Manage application installation guide

Use Knox Mobile Enrollment (KME) to enroll a large

Use Zero Touch Enrollment (ZTE) to enroll a large

Use Apple’s Device Enrollment Program (DEP) to enroll

Enrolling a single device

Personal area Personal area

Work Profile Corporately Work Profile Corporately

Fully Managed Type Fully Managed Work Profile Type

Enrolling as the Fully Managed type

Method Supported version

Use a token (afw#KnoxManage).

Use a QR code sent via Email.

To enroll using a token, complete the following steps:

To enroll using a QR code, complete the following steps:

Enrolling as the Fully Managed with Work Profile type

Method Supported version

Use a token (afw#KnoxManage).

Use a QR code sent via Email.

To enroll AE devices as Work Profile devices, complete the following steps:

2. On the device, launch the Knox Manage application.

The KME program provides the following advantages:

Register devices to KME

Log in to Knox Manage Assign MDM proﬁles

Logging in to the Knox Mobile Enrollment Portal

4. On the Knox Mobile Enrollment page, click Get Started.

Profile type Targeted device Description

Create this profile for the legacy method of managing

Create this profile for fully managed or dedicated

Creating MDM profiles for Android Legacy devices

1. On the Knox Mobile Enrollment Portal, navigate to MDM Profiles.

3. On the “Select profile type” page, click DEVICE ADMIN.

7. Set the following device settings.

• Enrollment settings: Select the additional enrollment setting options.

Note This option is not currently available on all AT&T devices.

Creating MDM profiles for Android Enterprise devices

1. On the Knox Mobile Enrollment Portal, navigate to MDM Profiles.

3. On the “Select profile type” page, click DEVICE OWNER.