Beruflich Dokumente
Kultur Dokumente
Device
Device
Device
Knox Manage supports various device enrollment methods. After successful user authentication and
login to Knox Manage, the devices are automatically enrolled and registered to their user accounts on
Knox Manage. Before enrolling devices, a user account must be created to register enrolled devices
to it. For more information on creating user accounts, see Creating user accounts.
After devices are enrolled and registered to the specific organization and group in the Admin Portal,
you can assign and apply various policies, applications, and content files to the organizations and
groups. You can also control the enrolled devices using the remote support feature and view the
detailed information on each enrolled device.
Device 87
Viewing the device list
Navigate to Device to view all the devices registered in the Knox Manage Admin Portal on the
“Device” page. You can also perform specific functions to the selected devices among the list.
On the device list, the personalized settings of the columns will be saved. The saved settings will be
retained before you delete the web browser’s cookies. You can also return the column settings to
their default settings by clicking Revert Column Settings.
Device 88
No. Name Description
Only devices that have the Report device location policy applied
Check Location can be checked. For more information, see Checking the
locations of the devices.
Remote Remotely control the selected device with the RS Viewer from
Support your computer. For more information, see Remote Support.
Function Manage Tag Add new tags to the selected devices on the device list.
2
buttons Update License Update the license of the selected devices on the device list.
Delete Delete the selected unenrolled devices from the device list.
Revert Column
Resets the column settings to the default settings.
Settings
View brief information for the enrolled devices on the list. You
can add more columns by clicking > Columns, and then
3 Device list clicking the checkboxes for the columns you want to add.
Information of the devices, such as model number, OS version,
and MAC address, can be viewed in the added columns.
Device 89
Viewing the device details
View each device’s details by clicking a device name (or tag) to on the device list. For more
information about the organization of the detail page, see Detail page.
Summary area
The summary area contains the information about the selected device such as device’s status, and
detailed information.
• Detail: View the detailed device’s user information. For more information about the “User Detail”
page, see Viewing the device details.
Tab: Security
• Detail (Knox Manage Agent Policy): View the assigned and applies policies created by Knox
Manage Agent.
Tab: Network
The Network tab shows the device’s detailed network status such as Wi-Fi and SIM information.
Note Wi-Fi Transfer Data and Network Transfer Data do not appear on Android 10 (Q) devices.
Device 90
Tab: Application
The Application tab shows the applications installed, assigned or controlled to the selected device. In
the Application tab, the following tabs are additionally provided.
View the information of the installed applications to the device. The following
function buttons are available:
Controlled Application View the information of the controlled applications to the device.
Tab: Profile
The Profile tab shows the detailed information on the profile and policies assigned to the selected
device.
Tab: Content
The Content tab shows the list of the content files assigned to the selected device.
The Group / Organization tab shows the detailed information on the groups and organizations that
the selected device belongs to.
• Detail (Group): Move to the “Group Detail” page for the selected group. For more information on the
“Group Detail” page, see Viewing the group details.
• Detail (Organization): Move to the “Organization Detail” page for the selected organization. For
more information on the “Organization Detail” page, see Viewing the organization details.
Device 91
Tab: Command History
The Command History tab shows the history of device commands sent to the selected device. You
can also view the detailed information on the audit events for each device command.
• See Audit Event: View in detail the audit events that occurred while completing a device command.
You can perform specific functions to the devices using the function buttons in the footer.
View the audit log details for the selected device. For more information, see Viewing
Audit Log
audit logs.
Remotely control the selected device with the RS Viewer from your computer. For
Remote Support
more information, see Remote Support.
Device 92
Enrolling devices
Enrolling devices
Select one of the following methods depending on the supported device type of the user’s device and
the enrollment types to install the Knox Manage application on user’s devices.
Device 93
Enrolling general devices (Android Legacy, iOS and Windows)
Send a Knox Manage application installation guide to users via email or SMS through the Knox
Manage Admin Portal. Also, users can directly download Knox Manage application from their public
application stores.
Note Before enrolling devices, a user account must be created to register enrolled devices to it. For
more information on creating user accounts, see Creating user accounts.
1. Select one of the following methods to send the Knox Manage application installation guide to
users.
• Sending the Email_Agent Installation template to send QR code via email, allowing users
to install the Knox Manage application on their devices. For more information, see Sending
templates or user notifications to users via email.
• Sending the installation URL address or QR code via email or SMS. For more information, see
Sending enrollment guides to users via email and SMS.
Also, users can directly search for the Knox Manage Agent application from their public app
store and download it.
2. Install Knox Manage application by clicking the URL address or scanning the QR code depending
on the request methods, and then launch the Knox Manage application on the device.
3. On the log in screen, enter a user ID and password to sign in to Knox Manage. If you log in to Knox
Manage successfully, the profiles, policies and applications will be applied to the device.
Note For Android Legacy with Knox Workspace devices running Android 10 (Q) or higher, tap the
enrollment notification on the status bar to install the Knox Workspace manually.
Device 94
Enrolling Android Enterprise (AE) devices
Knox Manage supports the following Android Enterprise (AE) manage types. Each manage type can
be enrolled differently.
• Fully Managed type: Contains only work applications and work data. You can fully control the
whole area of the device.
• Fully Managed with Work Profile type: Contains personal and work applications and data. Users
can install and use personal applications within the personal area. Personal applications cannot be
controlled.
• Work Profile type: Contains personal areas, work applications, and work data. You can only control
the work area of the device.
Device 95
Using a token
Enter the token (afw#KnoxManage) to enroll the Android Enterprise (AE) devices in the Fully
Managed or Fully Manage with Work Profile type. If the token is applied successfully, the Knox
Manage app will be automatically installed on the device.
1. Turn on the factory reset device, and then on the device screen, tap START.
2. On the “Connect to Wi-Fi” screen, select an available Wi-Fi network, and then tap NEXT.
3. On the “Agree to Terms and Conditions” screen, read the terms and conditions, and then tap the
checkbox next to “I have read and agree to all of the above”. Then, tap Agree. The device will
check for updates and the updated will be applied.
4. On the “Sign in” screen, enter “afw#KnoxManage” in the Email or phone field, and then tap Next.
5. On the “Android Enterprise” screen, tap Install to download the Knox Manage application on the
device. The Knox Manage application will be downloaded and launched automatically.
6. On the “Set up your device” screen of the Knox Manage Agent, read the privacy policy of Knox
Manage and Google, and then tap Accept & continue. The Knox Manage application will launch
automatically.
7. On the “Sign in with your Samsung Knox Manage Account” screen, enter a user ID and password,
and then tap SIGN IN to sign in to Knox Manage. Depending on the profiles applied to the device,
the device will be enrolled as the Fully Managed or Fully Managed with Work Profile type.
Device 96
Using a QR code
Use a QR code sent via email to enroll the devices as the Fully Managed or Fully Managed with Work
Profile type. For more information on sending a QR code, see Sending enrollment guides to users via
email and SMS.
1. Turn on the factory reset device, and then, on the welcome screen, tap the screen 5 times to
launch QR code enrollment. The QR Reader app will be downloaded and the device camera will
launch to scan the QR code automatically.
2. Scan the QR code sent by email. The Knox Manage URL and tenant information included in the QR
code will be detected.
3. On the “Connect to Wi-Fi” screen, select an available Wi-Fi network, and then tap NEXT.
4. On the “Agree to Terms and Conditions” screen, read the terms and conditions, and then tap the
checkbox next to “I have read and agree to all of the above.” Then, tap Agree. The Knox Manage
application will launch automatically.
5. On the “Sign in with your Samsung Knox Manage Account” screen, enter a user ID and password,
and then tap SIGN IN to sign in to Knox Manage. Depending on the profiles applied to the device,
the device will be enrolled as the Fully Managed or Fully Managed with Work Profile type.
Note For devices running Android 10 (Q) or higher, tap the enrollment notification on the status bar to
install the Work Profile manually.
Device 97
Enrolling as the Work Profile type
To enroll the Android Enterprise (AE) devices as the Work Profile type, provide an installation guide to
the users to install the Knox Manage application on the devices. You can send an installation guide
via email or SMS or users can download the Knox Manage application directly from their public app
store.
1. On the device screen, tap the installation URL address sent to users via email or SMS to download
and install the Knox Manage application on the device.
Note You can also search for the Knox Manage application from the Google Play Store to download and
install it on the AE device.
3. On the “Sign in with your Samsung Knox Manage Account” screen, enter a user ID and password,
and then tap SIGN IN to sign in to Knox Manage.
Note For devices running Android 10 (Q) or higher, tap the enrollment notification on the status bar to
install the Work Profile manually.
4. On the “Set up a work profile” screen, read the privacy policy of Knox Manage, and then tap Agree.
The work applications with the briefcase badge icons, which can be managed by Knox Manage,
will appear on the device.
Device 98
Using Knox Mobile Enrollment (Samsung devices only)
Samsung Knox Mobile Enrollment (KME) allows you to quickly and easily enroll a large number of
corporate-owned Samsung devices. The devices are automatically enrolled when users connect to
the internet and log in to Knox Manage. Even if you reset the devices enrolled by the KME program,
the Knox Manage application is re-installed automatically and the devices are re-enrolled in to Knox
Manage.
• Enroll a large number of devices in bulk without having to manually enroll each device.
• Allow the KME devices to automatically install the Knox Manage application when the KME devices
are reset.
To enroll devices using the KME program, the following procedures must be performed.
Note For more information about the KME program, refer to the KME Admin Guide (https://docs.
samsungknox.com/KME-Getting-Started/Content/about-kme.htm).
Device 99
Before using Knox Mobile Enrollment
To use Knox Mobile Enrollment (KME) properly, the followings must be prepared:
• See the list of available countries at the Samsung Knox website and check if the KME program is
available in your country.
• Prepare a device from the following carrier or reseller to use the KME program:
–– A distributor approved by the KME program
–– A dealer sharing IMEI or serial numbers directly with the Samsung representative
• Make sure the devices are Samsung Galaxy devices with Knox 2.4 or higher.
• Sign up for an account in the Samsung Knox Web Portal.
• To install Knox Manage, devices must have more than 50% of their battery charged.
• Before enrolling devices using Android Enterprise’s Fully Managed Device, make sure the devices
are running on Samsung Galaxy S8 and Android 5.0 (Lollipop) or above. For more information
about Android Enterprise, visit the Android website at https://www.android.com/enterprise/.
To log in to the Knox Mobile Enrollment Portal, complete the following steps:
1. Visit the Knox Portal at https://www.samsungknox.com, and click Sign in in the upper right-corner
of the screen.
2. Enter a Samsung account ID and password, and then click SIGN IN.
3. On the main Knox Portal page, navigate to SOLUTIONS > Knox Mobile Enrollment.
5. Enter a work email address and click APPLY FOR FREE. If the application is approved, you will
receive a welcome email with instructions on Knox Mobile Enrollment (KME).
6. On the My Knox solutions page, click LAUNCH CONSOLE on Knox Mobile Enrollment.
Device 100
Creating MDM profiles
Before enrolling devices, create MDM profiles for Android (Legacy) and Android Enterprise through
the Knox Mobile Enrollment Portal.
Knox Manage supports two types of KME enrollments for MDM profiles: Android (Legacy) and
Android Enterprise:
2. In the upper-right corner of the “MDM Profiles” page, click CREATE PROFILE.
4. On the “Device Admin profile details” page, enter the following basic information
• Profile Name: Enter an appropriate profile name to distinguish it from others with similar
attributes. Special characters are not permitted.
• Description: Enter a profile description (200 characters maximum) to further differentiate this
profile from others.
• MDM Server URI: Enter the Knox Manage server for the relevant regions as stated in the
following table:
Region Domain
Asia https://ap01.manage.samsungknox.com
US https://us01.manage.samsungknox.com
EU https://eu01.manage.samsungknox.com
Note Once you have created an MDM profile, you cannot change the MDM server URI.
• Server URI is not required for my MDM: Select this option if you either do not need to point to
the MDM’s enterprise installation or are unable due to connection restraints.
Device 101
5. Click CONTINUE.
6. On the “Device Admin profile settings” page, set the following MDM configuration settings.
• MDM Agent APK: Click ADD MDM APPS and enter the Knox Manage APK link information
stated in the following table, and then click SAVE. The application will be automatically installed
on the device when it connects to the internet.
Region Domain
Asia http://install-ap.manage.samsungknox.com/KnoxManageEMMService.apk
US http://install-us.manage.samsungknox.com/KnoxManageEMMService.apk
EU http://install-eu.manage.samsungknox.com/KnoxManageEMMService.apk
• Custom JSON Data (as defined by MDM): Enter the tenant information including the TenantId
and TenantType in the java script object notation (JSON) format, as in {”TenantId”:”YOUR_
TENANT”, ”TenantType”:”M”}.TenantId refers to the name of your Knox Manage
company account. It occurs after @ in your Knox Manage Username. For example, your
JSON data entry may be used as follows: {”TenantId”:”knoxteam.samsung.com”,
”TenantType”:”M”}. For more information about JSON and related technology, go to http://
json.org.
–– Skip Setup Wizard: Skips the setup wizard screen and allows you to start the enrollment
process much faster.
–– Allow the end user to cancel enrollment: Permits end-users to cancel enrollment on their
devices.
• Privacy Policy, EULAs and Terms of Service: Click Samsung Knox Privacy Policy to view the
specific privacy policy text displayed to device users based on their geographic region.
• ADD LEGAL AGREEMENT: Enter the agreement title and agreement text.
• Support contact details: View the support contact details.
Device 102
• EDIT: Update the company name, company address, support phone number, and support email
address displayed on the devices after successful enrollment. If required, click Save as default
support contact details to use this same information as the default contact information.
Note If the device owner (DO) support is enabled for the profile, then only the client name is editable,
and the remaining fields are inactive.
• Associate a Knox license with this profile: Pass the Knox license key directly to the intended
device for easier Knox profile configuration.
8. Click CREATE to create the device admin supported profile configuration for Android (Legacy). To
view the created MDM profile, navigate to MDM Profiles on the Knox Mobile Enrollment Portal.
2. In the upper-right corner of the “MDM Profiles” page, click CREATE PROFILE.
4. On the “Device Owner profile details” page, enter the following basic information for the device
owner profile.
• Profile Name: Enter an appropriate profile name to distinguish it from others with similar
attributes. Special characters are not permitted.
• Description: Enter a profile description (200 characters maximum) to further differentiate this
profile from others.
5. Enter the following MDM information for the device owner profile.
• Pick your MDM: Select the specific Knox Manage MDM profile assigned the device owner
privilege.
• MDM Agent APK: Enter the Knox Manage APK link information stated in the following table.
The application will be automatically installed on the device when it is connected to the
internet.
Region Domain
Asia http://install-ap.manage.samsungknox.com/KnoxManageEMMService.apk
US http://install-us.manage.samsungknox.com/KnoxManageEMMService.apk
EU http://install-eu.manage.samsungknox.com/KnoxManageEMMService.apk
Device 103
• MDM Server URI: enter the Knox Manage server for the applicable region as stated in the
following table:
Region Domain
Asia https://ap01.manage.samsungknox.com
US https://us01.manage.samsungknox.com
EU https://eu01.manage.samsungknox.com
Note Once you have created a MDM profile, you cannot change the MDM server URI.
6. Click CONTINUE.
7. On the “Device Owner profile settings” page, set the following MDM configuration settings.
• Custom JSON Data (as defined by MDM): Enter the tenant information including the TenantId
and TenantType in the java script object notation (JSON) format, as in {”TenantId”:”YOUR_
TENANT”, ”TenantType”:”M”}.TenantId refers to the name of your Knox Manage
company account. It occurs after @ in your Knox Manage Username. For example, your
JSON data entry may be used as follows: {”TenantId”:”knoxteam.samsung.com”,
”TenantType”:”M”}. For more information about JSON and related technology, go to http://
json.org.
• Dual DAR: Secures the KME enrollment data with two layers of encryption, even when the
device is powered off or in an unauthenticated state.
Note The Dual DAR function is only supported on devices running Knox version 3.4 or higher.
–– Enable Dual DAR: Enable the Dual DAR function. If the Dual DAR function is enabled, click the
checkbox next to Use3rd party crypto app and click ADD PACKAGE NAME AND SIGNATURE
to enter the package name and signature for using the 3rd part crypto app.
• Privacy Policy, EULAs and Terms of Service: Click Samsung Knox Privacy Policy to view the
specific privacy policy text displayed to devices users based on their geographic region.
–– ADD LEGAL AGREEMENT: Enter the agreement title and agreement text.
• Company name: Enter the MDM organization name displayed at the time of device enrollment.
Device 104
9. Click CREATE to create a device owner supported profile configuration for Android Enterprise. To
view the created MDM profile, navigate to MDM Profiles on the Knox Mobile Enrollment Portal.
2. On the profile list, click the checkbox next to the profile name to modify its information.
Note Once you have created an MDM profile, you cannot change the MDM server URI.
• Knox Reseller Portal: For devices purchased from approved Samsung resellers
• Samsung Knox Deployment App (NFC tagging): For devices purchased from third-party resellers,
or for the purpose of testing
After the devices are registered successfully, on the Knox Mobile Enrollment Portal, navigate
to Devices > UPLOADS to view the registered device information with the reseller’s information
including the registration date and the number of devices, IMEI information, and applied profiles.
Note The user information must be registered in the Knox Mobile Enrollment Portal to register the
devices. For more information on how to add device users, see Adding new device users.
Device 105
1. Download the “Samsung Knox Deployment” app from the Google Play Store on your device and
install it.
3. On the login screen, enter your Knox Mobile Enrollment Portal user ID and password, and then tap
SIGN IN.
Note The NFC mode on your device must be turned on for NFC tagging.
7. Tag the user device to your device. To view the information of the registered devices on the Knox
Mobile Enrollment Portal, navigate to Devices > UPLOADS.
Individual Assignment
To assign MDM profiles and user credential to a registered device individually, complete the following
steps:
2. At the top of the “Devices” page, click the ALL DEVICES tab.
3. On the device list, click the checkboxes next to IMEI information to assign an MDM profile and
user credential to them. Alternately, you can also click the checkboxes next to IMEI information,
and then click ACTIONS > Configure devices.
Note The device windows appear differently depending on how many devices on the list you select.
Device 106
4. On the “Device Details” or “Configure selected devices” window, enter the following device
information.
• “Configure selected devices” window (When configuring two or more selected devices)
–– Modify the MDM profile of selected devices: Select the desired MDM profile from the drop-
down list to assign to the selected device.
–– Add tags to selected devices: Enter a tag to use when searching for specific devices. Click
the checkbox next to Overwrite existing tags if you want to use the newly entered tag to
overwrite existing tags.
–– User credentials: Select one of the following options for the user credentials of devices from
the drop-down list.
–– Keep current credentials: Maintain the existing user credential information for the selected
devices.
–– Clear user credentials: Remove the existing user credential information for the selected
devices.
–– Overwrite user credentials: Modify the user ID and password.
5. Click SAVE to save the modified device details. The device status changes to Profile assigned. To
update the device status, click Refresh.
Bulk Assignment
You can assign the MDM profiles and user credentials for up to 10,000 registered devices at once.
To assign MDM profiles and user credential to a registered device individually, complete the following
steps:
2. On the “Devices” page, click ALL DEVICES > ACTIONS > Download devices as CSV at the bottom
of the page to download the kme_devices.csv file.
3. Open the downloaded CSV file and enter the information in the columns of the Excel file, and then
save the file as a .csv file.
4. At the left bottom of the Knox Mobile Enrollment Portal, click BULK CONFIGURE.
5. On the “Bulk actions” page, read the instructions to ensure the CSV file is completely filled out, and
then click View instructions.
6. On the “Bulk configure” page, click BROWSE, and then select the saved .csv file.
Device 107
7. In the “(Optional) Configure profiles and tags” area, enter the following information.
• Modify the MDM profile of selected devices: Select the desired MDM profile from the drop-
down list to assign it to the selected devices.
• Tags: Enter a tag to use when searching for specific devices. Click the checkbox next to
Overwrite existing tags if you want to use the newly entered tag to overwrite existing tags.
8. Click SUBMIT. To view the bulk-added information, navigate to Devices > ALL DEVICES.
2. On the “Device Users” page, click ADD DEVICE USERS to add a new device user.
3. On the “Add device user” window, enter a user ID and password to create unique KME device user
credentials.
Note The user ID and password should both be the credentials of the Knox Manage.
3. On the device list, click the checkboxes next to the IMEI information to delete the registered
device, click ACTIONS > Delete devices.
4. In the “Delete device user?” window, click DELETE. The selected devices will be deleted from the
KME Portal.
Note Once a device is deleted from the KME Portal, the device is permanently removed from the
system.
Device 108
Using Zero Touch Enrollment (Android Enterprise devices only)
Zero Touch Enrollment (ZTE) allows you to quickly and easily enroll a large number of corporate-
owned Android Enterprise devices for non-Samsung devices. Once the devices are registered to
the ZTE Portal, the devices are automatically enrolled when users connect to the Internet and log
in to Knox Manage. Even if you reset the devices enrolled by ZTE, the Knox Manage application is
reinstalled automatically and the devices are re-enrolled in to Knox Manage.
• Enrolls a large number of devices in bulk without having to manually enroll each device.
• Allows the ZTE devices to automatically install the Knox Manage application when the ZTE devices
are reset.
• Prevents unauthorized devices from joining your EMM environment to enhance your security.
• Allows resellers to add devices to the ZTE Portal.
Log in to
Create Knox
the Zero Touch Enrollment
Manage configurations
Portal.
• Make sure that the devices are compatible with ZTE from the list of Android Zero Touch Devices at
https://androidenterprisepartners.withgoogle.com/devices/#!#Zero-touch.
Device 109
• Make sure the devices are running on Android Oreo (8.0 and later) or a Pixel phone with Android
Nougat (7.0).
• Sign up for a Google account associated with the corporate email. A personal Gmail account
cannot be used. To create a Google account for the corporate, visit the Google website at https://
accounts.google.com/signup/v2/webcreateaccount?flowName=GlifWebSignIn&flowEntry=SignUp
&nogm=true.
• Before enrolling devices using Android Enterprise’s Fully Managed Device, make sure the devices
are running on Samsung Galaxy S8 and Android 5.0 (Lollipop) or above. For more information
about Android Enterprise, visit the Android website at https://www.android.com/enterprise/.
2. Enter your Google account information and then click NEXT to log in to the ZTE Portal. Once you
have logged in to the ZTE Portal, the following navigation pages are provided on the ZTE Portal.
• Users: Add, modify, or delete the users who can access and manage the portal.
• Resellers: Add resellers to share your account with multiple resellers.
Device 110
{
“android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED”:true,
“android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE”: {
“ServerUrl”: “Your Server Url”,
“TenantId”: “Your Knox Manage Tenant ID”,
“TenantType”: “M”,
“Method”: “ZeroTouch”
}
}
Note Enter the server URL of the DPC extras for the applicable region as stated in the following table:
Region Domain
Asia https://ap01.manage.samsungknox.com/emm
US https://us01.manage.samsungknox.com/emm
EU https://eu01.manage.samsungknox.com/emm
• Company Name: Enter the name of your organization. It will be displayed on the user’s device
during enrollment.
• Support email address: Enter a corporate IT admin email address. It will be displayed on the
user’s device during enrollment, and it can be used to contact the IT admin in case of any
enrollment issues.
• Support phone number: Enter a corporate IT support phone number. It will be displayed on
the user’s device during enrollment, and it can be used to contact the IT admin in case of any
enrollment issues.
• Custom message: Enter an optional message to be displayed on the device screen during
enrollment.
Device 111
Assigning Knox Manage configurations to ZTE devices
Once Zero touch reseller partners have registered devices in the Zero Touch Enrollment (ZTE) Portal,
assign the newly created Knox Manage configurations to the devices. You can assign them to the
registered devices either individually or in bulk using a CSV file.
Individual Assignment
To assign a Knox Manage configuration to a device individually, complete the following steps:
2. On the “Devices” page, select the devices to which configurations are to be applied to on the
device list, and then, under Configuration, against the selected devices, the Knox Manage
configuration which you have created previously.
Bulk Assignment
To assign Knox Manage configurations to multiple devices at once using a CSV file, complete the
following steps:
2. On the “Devices” page, click > Download results as .csv to download the CSV file, and then
enter the device information in the CSV file.
• Open the CSV file and fill out the following fields in the file.
3. On the “Devices” page, click > Upload batch configurations, and then select the saved .csv
file to upload it. All the devices in the CSV file will be assigned to the specific Knox Manage
configuration.
Device 112
Logging in to Knox Manage for enrollment
After the Knox Manage configuration is assigned to ZTE devices, log in to Knox Manage to enroll the
devices.
1. Turn on the factory-reset device, and then tap Start on the Zero Touch Device Enrollment screen.
2. On the “Connect to mobile network” screen, insert a sim card or tap Skip.
3. On the “Connect to mobile network” screen, tap an available Wi-Fi network to connect to a
network. The device will check for updates.
4. On the “Set up your device” screen, read the privacy policy of Knox Manage and Google, and then
tap Accept & continue. The device will get account information for Knox Manage.
5. On the “Google Services” screen, tap Accept. The Knox Manage application will be installed and
launched automatically on the device.
6. On the “Sign in with your Samsung Knox Manage Account” screen, enter a user ID and password,
and then tap SIGN IN to sign in to Knox Manage.
7. On the Knox Manage terms and agreements screen, read the terms of use, privacy policy, and end-
user license agreement, tap the checkbox next to Agree all, and then tap NEXT.
8. On the “Display over other apps” page, if required, tap All display over other. The device will be
registered and enrolled in the Knox Manage Admin Portal.
Deleting ZTE devices from the Zero Touch Enrollment (ZTE) Portal
You can delete devices from the ZTE Portal if you are required to transfer ownership. You can delete
one device at a time by selecting devices in the ZTE Portal.
To delete devices from the ZTE Portal, complete the following steps:
Note After you delete a device, you need to contact your reseller if you want to register the device in the
ZTE Portal again. Consider removing the Knox Manage configuration, if you want to temporarily
exclude a device from the ZTE Portal.
2. On the “Devices” page, select the device you want to remove, and then click DEREGISTER.
3. In the “Deregister device?” window, click DEREGISTER to delete the devices from the ZTE Portal.
Device 113
Using the Apple Device Enrollment Program (iOS devices only)
The Apple Device Enrollment Program (DEP) allows you to quickly and easily enroll a large number of
organization-owned Apple devices. The devices are automatically enrolled when users connect to the
internet and log in to Knox Manage. Even if you reset the devices enrolled by DEP, the Knox Manage
application is re-installed automatically and the devices are re-enrolled in to Knox Manage.
• Prevent end-users from deleting the MDM profiles installed on the devices.
• Provision devices in Supervised mode (iOS only). If the devices are in Supervised mode, you can
access additional security and configuration settings.
• Prevent iCloud backup by disabling users from signing in with their Apple ID when generating a
DEP profile.
Note For more information about the Apple Device Enrollment Program (DEP), visit the Apple website at
https://www.apple.com/business/docs/site/DEP_Guide.pdf.
Device 114
Before using the Apple Device Enrollment Program
To use the Apple Device Enrollment Program (DEP) properly, the followings must be prepared:
To issue a DEP token and set up DEP, complete the following steps:
1. Navigate to Setting > iOS > DEP Server Setting. If you have issued a DEP token before, the
previously issued DEP token’s information and its expiration date are displayed.
2. On the “DEP Server Setting” page, click Public Key Download to download a public key in the .pem
format required to create a new MDM server in the Apple DEP Portal.
3. Visit the Apple DEP Portal at https://business.apple.com, and then enter your Apple ID and
password to log in.
4. On the Apple DEP Portal of the “Device Enrollment Program” page, click Get Started.
5. On the Apple DEP Portal, navigate to Device Enrollment Program > Manage Servers, and then,
click Add MDM Server.
6. On the ”Add MDM Server” window, enter an MDM server name to refer to the server, department or
location and then click Next.
• Automatically Assign New Devices: Allow any new devices enrolled to the DEP account to
automatically be assigned.
7. Click Choose File to select the public key downloaded from the Knox Manage Admin Portal, and
then click Next to upload the public key.
8. Click Your Server Token to download the Apple token file in a .p7m format, and then click Done.
If the MDM server is successfully added to the Apple DEP Portal, you can view the MDM server
information on the Manage Server list.
Note Using a single token to enroll the DEP devices for one company is recommended.
Device 115
9. On the “DEP Server Setting” page of the Knox Manage Admin Portal, click Browse, and then select
the DEP token file in the .p7m format issued by Apple.
10. Click Upload. If the DEP token file is uploaded successfully, the authentication processes
between the Knox Manage server and the Apple’s DEP server is completed.
11. Click Set Default Profile to set up a profile to be assigned to the DEP devices by default, and then
click OK.
Note For more information on setting a general profile, see Setting DEP profiles.
12. Enter the sync interval time in hours to set the sync interval of the DEP devices, and then click
Setting.
To register iOS devices in the Apple DEP Portal, complete the following steps:
1. Visit the Apple DEP Portal at https://business.apple.com, and then enter your Apple ID and
password to log in.
2. On the Apple DEP Portal, navigate to Device Enrollment Program > Manage Devices to assign iOS
devices to the MDM server you have already created.
3. Select the method for registering iOS devices from Choose Devices By:
• Assign Device by Serial Number: Enter a list of device serial numbers to register the iOS device.
• Assign Devices by Order Number: Enter the Apple Purchase Order number so that the devices
are added automatically.
• Upload a .csv File: Upload a .csv file that includes the serial numbers.
4. Select Assign to Server as Action, and then select the MDM server group.
5. Click OK. If the iOS devices are registered successfully in the Apple DEP, navigate to Device
Enrollment Program > Manage Servers > View Assignment History to view the registered device
information and its assignment history.
Device 116
Setting DEP profiles
After the iOS devices are registered to the Apple Device Enrollment Program (DEP) Portal, you must
set the DEP profile to be assigned to the devices through the Knox Manage Admin Portal.
The DEP profile is applied to the DEP devices when the DEP devices are enrolled.
2. On the “DEP Device Management” page, click Set Default DEP Profile.
3. On the “Set DEP profile” window, set the following items in the DEP profile:
• Supervised Mode: Click the checkbox next to Apply to enable the supervised mode that is only
available on iOS devices and must be applied to the DEP devices.
–– Delete MDM profile: Click the checkbox next to Allow to allow users to delete the MDM
profile.
–– Supervising host certificate list: Click Add to add the registered certificate to the Apple
device you want to pair with the DEP devices.
• Pairing: Click to allow other Apple devices to pair with the DEP devices.
• Skip Settings: Select the items that appear during the device setup process after users turn on
their DEP devices for the first time. If the items are checked, they do not appear on the window.
2. On the “DEP Device Management” page, click the serial number of the desired DEP device on the
list to view its details.
3. In the “Device Detail” window, view the selected DEP device information.
Device 117
Synchronizing with the DEP server
To synchronize with the DEP server and the Apple DEP Portal to update the DEP device list in the
Knox Manage Portal, complete the following steps:
2. On the “DEP Device Management” page, click to synchronize with the DEP server.
3. On the “DEP device sync” window, click OK. The DEP device list in the Knox Manage Portal will be
updated.
Note If the server token has expired, you can no longer update the DEP device list.
2. On the “DEP Device Management” page, click the checkboxes next to the DEP devices on the DEP
device list, and then click to modify the DEP profile.
3. On the “Set DEP profile” window, modify the desired DEP profile items, and then click Save to save
the set DEP profile and return to the “DEP Device Management” page. For more information on
setting the DEP profiles, see Setting DEP profiles.
4. Click to synchronize with the DEP server to update the DEP device list. The modified DEP
profile will be assigned to the DEP devices.
Device 118
Unenrolling DEP devices
If you want to use DEP devices as general iOS devices or if the DEP devices are no longer required,
you can unenroll the DEP devices in the Apple Device Enrollment Program (DEP) Portal.
1. Visit the Apple DEP Portal at https://business.apple.com, and then enter your Apple ID and
password to log in.
2. On the Apple DEP Portal of the “Device Enrollment Program” page, click Get Started.
3. On the Apple DEP Portal, navigate to Device Enrollment Program > Manage Servers.
4. On the “Server Details” page, click an MDM server to disable and delete it, and then click Delete
Server.
5. In the “Are you sure you want to delete this server?” window, click Delete. All the DEP devices on
this server will be deleted.
Note To delete the MDM server and relocate the DEP devices on this server, select Reassign Devices
from the drop-down list. Then, select a different MDM server where you want to relocate the MDM
devices to and click Delete.
6. On the Knox Manage Portal, Navigate to Setting > iOS > DEP Device Management.
7. On the “DEP Device Management” page, click to synchronize with the DEP server.
8. In the “DEP device sync” window, click OK. The DEP device list in the Knox Manage Portal will be
updated according to the DEP server, and the DEP devices on the DEP server in the Knox Manage
Portal will be deleted.
Device 119
Managing devices
Managing devices
You can change the device’s status or send device commands to manage the devices registered in
Knox Manage.
Unenrolling devices
You can unenroll the devices registered in the Knox Manage server. The methods for unenrollment
differ depending on the device type.
To delete the Work Profile from Android Enterprise devices or delete Knox Manage from Fully
managed devices, send the Unenroll service command to devices.
Note When you unenroll Fully Managed or the Fully Managed with Work Profile devices, the devices will
be factory reset and the microSD cards of the devices with Android 7.0 (Nougat) - 8.0 (Oreo) can
be wiped. Please be cautious of potential data loss.
To simply change a logged in user’s details, send the Delete account command, and then allow the
user to log in again.
1. Navigate to Device.
2. On the “Device” page, click a checkbox for a device you want to unenroll.
3. Click Unenroll.
Device 120
Unenrolling disconnected devices
When a device is unable to communicate with the server, you can send an offline unenrollment code
to the device. Then, the user can change the device’s status manually and unenroll the device.
1. Navigate to Device.
2. On the “Device” page, click a checkbox for a device you want to unenroll.
3. Click Unenroll.
• When the user enters the received offline unenrollment code, the device will become
unenrolled, corresponding to its status on the server.
Note You can choose to delete the internal applications installed on Android devices and all of the
applications installed on devices with iOS 9.0 or above upon unenrollment.
To set automatic deletion, navigate to Setting > Configuration, and then set Delete App upon
Unenrollment under Category : MDM to TRUE.
To allow the user to uninstall the agent, complete the following steps:
2. On the “Knox Manage Agent Policy” page, click the ”Default” tab.
Device 121
Sending device commands to devices
You can send device commands to enrolled devices by user, organization, group, or device and
control them remotely. For devices with Knox Workspace or Work Profile, you can select the tab
of the area on the top you want to send a device command to. Available device commands vary
depending on the device type. For more information on each device command, see the list of device
commands.
Note In general, device commands take a higher priority than profile policies. However, policies take
a higher priority than the following device commands: Install, Run, Uninstall, Locate the current
position, and Reset SD Card. For more information, see the list of device commands.
1. Navigate to Device.
2. On the “Device” page, click the checkbox next to the device name to send a device command to,
and then click Device Command.
• For devices that have a Knox Workspace, click the target area between General and KNOX -
LightWeight Knox.
• For Fully Managed with Work Profile devices, click a target area between Fully Managed Device
and Work Profile.
Note If no device command has been sent within the past six hours of restarting the device, then Knox
Manage Agent requests the server for a device command and can have it resent to the device.
Device 122
To check the device commands in request and resend or delete them individually or altogether,
complete the following steps:
2. Enter a request date, and user ID or mobile ID, and then click Search.
3. View the information of the device commands that have been found.
• To resend the device commands in request, click the checkboxes of the device commands to
resend, and then click Re-Request.
• To delete the device commands in request, click the checkboxes of the device commands to
delete, and then click Cancel Request.
Note To set the Knox Manage server to resend the device commands in request automatically, navigate
to Setting > Configuration, and then set the number next to Daily retries for device commands in
request.
1. Navigate to Device.
4. Click a command name to view the audit result of the device command.
Note To view the device command logs by each platform, navigate to Service Overview > History >
Group Command History, enter a request date and a group ID or organization name, click Search,
and then click a group or organization name.
Device 123
List of device commands: Android Enterprise
The available device commands vary depending on the Android Enterprise manage types. For Fully
Managed with Work Profile devices, you can select either Fully Managed or Work Profile to send
device commands to.
Device
Sends the latest profile and application information to the device and
Apply Latest Profiles
controls the device with the profile and information.
Locks a device. You can enter a reason for locking the device and a phone
number to contact when the device is lost. The entered information
appears on the locked device screen.
Lock Device
Note For non-Samsung Android devices, this policy supports only
the devices with Android 8.0 (Oreo) and lower.
Unlocks a device.
Unlock Device Note For non-Samsung Android devices, this policy supports only
the devices with Android 8.0 (Oreo) and lower.
• Initialize SD Card when factory reset: Click the checkbox to initialize the
SD card during a factory reset.
Factory Reset
• Deactivate Factory Reset Protection: This only appears when the profile
is applied with the Factory Reset Protection policy or when you send a
device command to multiple devices. Click the checkbox to perform a
factory reset without the Factory Reset Protection policy.
Power Off Device Note Only Samsung Galaxy devices are supported except the
devices with Android 10 (Q).
Device 124
Device command Description
Resets the number of call(s) and number of missed call(s) among Android
device’s inventory information,
Reset Number of Calls
• Number of call(s)
• Number of missed call(s)
Deletes certificates installed by Knox Manage. You can select a certificate
Delete a CA Certificate
to delete.
Application
Device 125
Device command Description
Apply Latest internal App Sends the latest internal application information and updates the device
Information according to the information.
Knox Manage
Update License Updates the license of a selected device on the device list.
Updates the Knox Manage Agent on the device for a new patch or version.
Update Knox Manage The agent information registered in the Knox Manage server is sent to a
device. The device automatically selects the appropriate agent to request
installation files from the server.
Updates the device user information such as the user activation status/
username/user settings (Secure Browser website URL information,
Update User Information bookmark information) and license information.
If the user is logged out from the enrolled device, you can send this device
command to enable the user to log in to Knox Manage automatically.
Delete Account Deletes the account registered in the Knox Manage Agent.
Collects the Knox Manage audit logs of the device. When the log size
Collect Audit Log exceeds the maximum size, logs are automatically sent to the server, but
the log file may be lost. For more detailed information, see Viewing audits.
Device 126
Device command Description
Collect Diagnosis
Collects a device log to diagnose the cause of device lock,
Information
Device Info.
Collect current location To view the location of a device after sending a device command,
navigate to Device, click the checkbox for the device, and then click Check
Location.
Sync Device Information To view the updated information after sending the device command,
navigate to Device, click a device name or tag, and view the information on
the “Device Detail” page.
Sync Installed App List To view the list of installed applications after sending a device command,
navigate to Device, click a device name or tag, and click the “Application”
tab.
Device
Sends the latest profile and application information to the device and
Apply Latest Profiles
controls the device with the profile and information.
Device 127
Device command Description
Locks a device. You can enter a reason for locking the device and a phone
number to contact when the device is lost. The entered information
appears on the locked device screen.
Lock Device
Note • For non-Samsung Android devices, Android 8.0 (Oreo) and
lower are only supported.
• Android 10 (Q) devices are not supported.
Unlocks a device.
Unlock Device
Note • For non-Samsung Android devices, Android 8.0 (Oreo) and
lower are only supported.
• Android 10 (Q) devices are not supported.
Factory Reset Performs factory reset and changes the device status to Unenrolled.
Device 128
Device command Description
Resets the number of call(s) and number of missed call(s) among Android
device’s inventory information.
Reset Number of Calls
• Number of call(s)
• Number of missed call(s)
Application
Apply Latest internal App Sends the latest internal application information and updates the device
Information according to the information.
Device 129
Knox Manage
Update License Updates the license of a selected device on the device list.
Updates the Knox Manage Agent on the device for a new patch or version.
Update Knox Manage The agent information registered in the Knox Manage server is sent to a
device. The device automatically selects the appropriate agent to request
installation files from the server.
Updates the device user information such as the user activation status/
username/user settings (Secure Browser website URL information,
Update User Information bookmark information) and license information.
If the user is logged out from the enrolled device, you can send this device
command to enable the user to log in to Knox Manage automatically.
Delete Account Deletes the account registered in the Knox Manage Agent.
Collects the Knox Manage audit logs of the device. When the log size
Collect Audit Log exceeds the maximum size, logs are automatically sent to the server, but
the log file may be lost. For more detailed information, see Viewing audits.
Collect Diagnosis
Collects a device log to diagnose the cause of device lock,
Information
Device 130
Device Info.
Collect current location To view the location of a device after sending a device command,
navigate to Device, click the checkbox for the device, and then click Check
Location.
Sync Installed App List To view the list of installed applications after sending a device command,
navigate to Device, click a device name or tag, and click the “Application”
tab.
Container
Only the Workspace area of Knox Workspace is supported.
Locks the Knox Workspace. Users cannot access the Knox Workspace
Lock Knox Workspace
unless you unlock it by sending this command.
Resets the Knox Workspace password. When the user forgets the Knox
Workspace password, this command is sent to reset the password.
Device 131
Device command Description
Device
Sends the latest profile and application information to the device and
Apply Latest Profiles
controls the device with the profile and information.
Lock Device Blocks some functions of the device without locking the device.
Factory Reset Performs factory reset and changes the device status to Unenrolled.
Device 132
Application
Apply Latest internal App Sends the latest internal application information and updates the device
Information according to the information.
Knox Manage
Updates the device user information such as the user activation status/
username/user settings (Secure Browser website URL information,
Update User Information bookmark information) and license information.
If the user is logged out from the enrolled device, you can send this device
command to enable the user to log in to Knox Manage automatically.
Delete Account Deletes the account registered in the Knox Manage Agent.
Collects the Knox Manage audit logs of the device. When the log size
Collect Audit Log exceeds the maximum size, logs are automatically sent to the server, but
the log file may be lost. For more detailed information, see Viewing audits.
Device 133
Device command Description
Collect Diagnosis
Collects a device log to diagnose the cause of device lock,
Information
Sync App Auto-removal Syncs the application auto-deletion property when managed applications
Property (When service is are deactivated if the value of Delete app during Unenrollment process
deactivated) has changed in the server configuration.
Device Info.
Collect current location To view the location of a device after sending a device command,
navigate to Device, click the checkbox for the device, and then click Check
Location.
Device 134
List of device commands: Windows
The available device commands vary depending on device manage type.
Device
Factory Reset Performs factory reset and changes the device status to Unenrolled.
Knox Manage
Updates the device user information such as the user activation status/
username/user settings (Secure Browser website URL information,
Update User Information bookmark information) and license information.
If the user is logged out from the enrolled device, you can send this device
command to enable the user to log in to Knox Manage automatically.
Delete account Deletes the account registered in the Knox Manage Agent.
Device 135
Device Info.
Collect current location To view the location of a device after sending a device command,
navigate to Device, click the checkbox for the device, and then click Check
Location.
Sync Device Information To view the updated information after sending the device command,
navigate to Device, click a device name or tag, and view the information on
the “Device Detail” page.
Sync Installed App List To view the list of installed applications after sending a device command,
navigate to Device, click a device name or tag, and click the “Application”
tab.
IMEI numbers can be registered individually or collectively using an XLS file. You can also register Wi-
Fi only devices with their serial numbers instead of IMEI numbers.
2. On the “Limited Enrollment” page, click Activate at the bottom of the page.
• You can also activate the Limited Enrollment feature by navigating to Setting > Configuration,
and then setting Limited Enrollment to TRUE.
3. Click Add.
Device 136
5. Enter an IMEI/MEID or serial number into the field.
2. On the “Limited Enrollment” page, click Activate at the bottom of the page.
• You can also activate the Limited Enrollment feature by navigating to Setting > Configuration,
and then setting Limited Enrollment to TRUE.
5. Enter the IMEI numbers in the downloaded XLS file, and then save it.
7. Click Save.
1. Navigate to Device.
2. On the “Device” page, click the checkbox for a device to check its location, and then click Check
Location.
3. In the “Check Location” window, search by date and view the location history.
• Click Export to GPX to download a GPX file that includes detailed device location information.
You can use a GPX viewer to open the file.
Device 137
Viewing device logs
View a device log to verify that the device commands sent from the Admin Portal were successfully
received by the device.
1. Navigate to Device.
• To download the device logs, click Device Log. In the “Device Log” window, set the log
collection period and download the desired logs by clicking .
• To view in detail the audit events that occurred while completing a device command, click See
Audit Event in the row of the device command.
Device 138