Tuesday 7 August 2018

Samsung Knox Mobile Enrolment (KME)

If you are in an organisation with Intune and you are wanting an easy way of bulk enrolling Samsung devices then you should know that at the time of writing the only way of doing this is via KME. Samsung is not one of the supported OEM partners for Android Zero-Touch Enrolment, it would appear that, like with the "unification" of the Android Enterprise Work Profile and the Samsung Knox Workspace, Samsung have gone it alone. Interesting. See one of my previous blog posts here to understand more about the challenges I have experienced with the latter.

I will also point out that disappointingly, only the legacy (Device Admin) Android enrolment method is supported at this time in Intune, however it was announced on the release of KME that Android Enterprise support was to follow.

Anyhow I thought I would test KME as in our current organisation we have decided to standardise on Samsung devices.

Some prerequisites;
  • Samsung devices must have Knox 2.4 or newer
  • You will need to register for a Samsung account, log in and then submit an application for KME, which will need to be approved.
  • You must purchase your devices through a Samsung authorised reseller and register them in your KME portal so that your devices can be uploaded when purchased. Note that you are able to upload devices using the Knox Deployment App, however the process for doing this is probably not feasible for large numbers of devices
Log in to the KME Portal, select MDM Profiles > Add




Select "Server URI not required for my MDM" then "Next"




Enter a suitable name for the profile then select "Add MDM Applications"


Enter the following URL. Select "Save"


The remaining options are not mandatory and the defaults are fine so save the changes



At this stage we need to add devices to the portal and as mentioned to do this you need to download and install the Knox Deployment App from the Google Play Store on a master device. Login to the app with your Samsung account credentials




Take the device you wish to add to the portal, connect it to a wifi network and then skip through the rest of the start up wizard until you are at the home screen



On the master device, select a profile and mode, in this example I am using NFC to enrol. Select "Start Deployment"



Gently tap another device to the back of the master device, when you hear a tone, tap the screen



On the device to be uploaded you will see a prompt to update the Knox Enrolment Service, select "Update"


"Next"



The device will now enrol in KME and automatically download the Intune Company Portal.


The device will now appear in the KME portal. At this point it should now be factory reset to provide the improved enrolment experience when the device is next powered on.



As you can see this is less than ideal for a large number of devices and is probably recommended wherever possible to have you devices purchased through an authorised reseller and they will upload them to the portal for you.

So now the experience is as follows;

Start the wizard, connect to Wi-Fi then accept the terms and conditions


The KME welcome screen is then presented and you can proceed with enrolment.



Remember - KME  does not support Android Enterprise at the moment and it would appear that there is nothing to stop you attempting to enrol a device.

Thanks for taking the time to read this and happy to take any comments!