Automatically enroll Android devices by using Samsung's Knox Mobile Enrollment

This topic helps you set up Intune for enrolling supported Android devices using Samsung Knox Mobile Enrollment (KME). Using Intune with Samsung KME, you can enroll large numbers of company-owned Android devices when end users turn on their devices for the first time and connect to a Wi-Fi or cellular network. Devices can also be enrolled using Bluetooth or NFC when using the Knox Deployment App.

To enable Intune enrollment using Samsung KME, you use both the Intune and Samsung Knox portals in this order:

  1. In the Knox portal:
    1. Create an MDM profile
    2. Add devices
    3. Assign an MDM profile to the devices
  2. In the Knox portal, configure end user sign in.
  3. Distribute the devices.

A list of device identifiers (serial numbers and IMEIs) is automatically added to the Knox Portal when you purchase devices from authorized resellers participating in the Knox Deployment Program.

Prerequisites

To enroll into Intune using KME, you must first register your company on the Samsung Knox portal by following these steps:

  1. Make sure KME is available in your region: KME is available in over 55 countries. Ensure that your country of deployment is supported.

  2. Supported devices: KME is available on all Samsung devices with a minimum of Knox 2.4 for Android enrollment and a minimum of Knox 2.8 for Android enterprise enrollment.

  3. Network requirements: Make sure that the necessary firewall and network access rules are permitted on your network.

  4. Register for a Samsung account: A Samsung account is needed to register and enable KME and manage all Knox Enterprise entitlements in a single place.

  5. Registration Review: After your profile is completed and submitted, Samsung performs a review of your application and either approves it immediately or puts it in a pending review status for further follow-up. After your account is approved, you can proceed to further steps.

Create MDM profile

When your company is successfully registered, you can create your MDM profile for Microsoft Intune in the Knox portal using the information below. You can create MDM profiles for both Android and Android enterprise in the Knox portal.

For Android Enterprise

| MDM Profile Fields | Required? | Values |
| --- | --- | --- |
| MDM Server URI | No | Leave this blank. |
| Profile Name | Yes | Enter a profile name of your choice. |
| Description | No | Enter text describing the Profile. |
| MDM Agent APK | Yes | https://aka.ms/intune_kme_deviceowner |
| Enable this app as a Google Device Owner | Yes | Choose this option to enroll to Android enterprise. |
| Supported MDM | Yes | Microsoft Intune |
| Leave all system apps enabled | No | Choose this option to ensure all apps are enabled and available to the profile. If this option is not selected, only a very limited set of system apps display in the device's apps tray. Apps such as the Email app remain hidden. |
| Custom JSON | No | {"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "Enter Intune enrollment token string"}. Learn how to create an enrollment profile. |
| Add legal agreements | No | Leave this blank. |

For Android

For step-by-step guidance, see the Samsung Knox Profile Setup Wizard instructions.

| MDM Profile Fields | Required? | Values |
| --- | --- | --- |
| MDM Server URI | No | Leave this blank. |
| Profile Name | Yes | Enter a profile name of your choice. |
| Description | No | Enter text describing the Profile. |
| MDM Agent APK | Yes | https://aka.ms/intune_kme |
| Enable this app as a Google Device Owner | No | Leave this option unselected for Android. This only applies to Android enterprise. |
| Skip Setup wizard | No | Choose this option to skip standard device setup prompts on behalf of the end user. |
| Allow End User to Cancel Enrollment | No | Choose this option to allow users to cancel KME. |
| Custom JSON | No | Leave this blank. |
| Add legal agreements | No | Leave this blank. |
| Associate a Knox license with this profile | No | Leave this option unselected. Enrolling to Intune using KME does not require a Knox license. |
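
The following is an added example, not part of the original topic or of any Intune or Knox tooling: a pre-flight check you can run on the values you intend to enter in the Knox portal, so that a swapped APK link or a malformed Custom JSON is caught before devices are distributed. The function name, its parameters and the `kind` labels are assumptions made for this example; the expected values come from the two tables above.

```python
import json

# Values taken from the two profile tables on this page.
TOKEN_KEY = "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN"
PLACEHOLDER = "Enter Intune enrollment token string"
APK = {
    "android_enterprise": "https://aka.ms/intune_kme_deviceowner",
    "android": "https://aka.ms/intune_kme",
}


def check_profile(kind, apk_url, device_owner, custom_json):
    """Return findings for a KME profile; an empty list means it matches the tables.

    kind is "android_enterprise" or "android" (labels invented for this example).
    """
    findings = []
    if apk_url.strip() != APK[kind]:
        findings.append(f"MDM Agent APK should be {APK[kind]}")
    if kind == "android":
        if device_owner:
            findings.append("Device Owner option must be unselected for Android")
        if custom_json.strip():
            findings.append("Custom JSON must be blank for Android")
        return findings
    if not device_owner:
        findings.append("Device Owner option must be selected for Android enterprise")
    if not custom_json.strip():
        return findings  # Custom JSON is optional in the Android enterprise table
    # Text editors often replace " with curly quotes, which JSON rejects.
    if "\u201c" in custom_json or "\u201d" in custom_json:
        return findings + ["Custom JSON contains curly quotes"]
    try:
        doc = json.loads(custom_json)
    except json.JSONDecodeError as exc:
        return findings + [f"Custom JSON does not parse: {exc.msg}"]
    if not isinstance(doc, dict) or TOKEN_KEY not in doc:
        return findings + [f"Custom JSON lacks the key {TOKEN_KEY}"]
    token = doc[TOKEN_KEY]
    if not isinstance(token, str) or not token.strip() or token == PLACEHOLDER:
        findings.append("Enrollment token is empty or still the placeholder text")
    return findings


if __name__ == "__main__":
    # Constructed input: the token value was never replaced, and the Android APK was pasted.
    pasted = '{"%s": "%s"}' % (TOKEN_KEY, PLACEHOLDER)
    for finding in check_profile("android_enterprise", APK["android"], True, pasted):
        print(finding)
```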

Add devices

To assign MDM Profiles to devices, supported Samsung Knox devices must be added to the Knox Portal using one of the following methods:

Assign an MDM profile to devices

You must assign an MDM profile to added devices in the Knox Portal before they can be enrolled. Visit the Samsung Knox Enrollment User Guide to learn about device configuration.

Configure how end users sign in

For devices enrolled in Intune using KME for Android, you can configure how an end user signs in as follows:

  • Without user name association: In the Knox Portal under Device details, leave the User ID and Password fields blank for the added devices. This requires the end user to enter both user name and password when enrolling to Intune.

  • With user name association: In the Knox Portal under Device details, provide a User ID (such as a user name for the assigned user or a Device Enrollment Manager account) for the added devices. This prepopulates the user name and requires the end user to enter a password when enrolling to Intune.

Note

User association only applies to Android enrollment. When user association is defined, only the associated user can enroll the device using KME. This is true even after a factory reset of the device. When no user association is defined in the Knox portal, any user with a valid Intune license can enroll the device using KME.

Distribute devices

After creating and assigning an MDM profile, associating a user name, and identifying the devices as corporate-owned in Intune, you can distribute devices to users.

Still need help? Check out the complete Knox Mobile Enrollment User Guide.

Frequently asked questions

  • Device Owner support: Intune supports enrolling devices only to kiosk mode using Android enterprise. Other Android enterprise device owner modes will be supported as they become available in Intune.

  • No work profile support: KME is a corporate device enrollment method, whereas Android work profile enrollment keeps work and personal data separate on personal devices. Device enrollment to work profile using KME is therefore not a supported scenario in Intune.

  • Factory reset to enroll to Android enterprise: If repurposing devices that have already been set up, devices need to be factory reset when enrolling to Android enterprise.

  • Updates using Google Play account: A Google Play account is not necessary for enrolling the device to Microsoft Intune, but future updates to the Intune Company Portal app may require a Google Play account on the device. A Google Play account is not required when enrolling to Google Device Owner.

  • "Password" field is ignored: If the password field is populated in Device details in the Knox Portal, it is ignored by the Intune Company Portal app during Android enrollment. The end user must enter a password on the device to complete device enrollment.

Getting support

Learn more about how to get support for Samsung KME.