Getting Started with Samsung Knox for Enterprise

What is Samsung Knox?

Samsung Knox is a service made up of a number of solutions, such as Knox Mobile Enrollment and Knox Platform for Enterprise. Samsung Knox solutions provide extra security and configurability, and also improve the end-user onboarding experience.

Knox Mobile Enrollment (KME) is Samsung’s alternative to Apple Business/School Manager for devices. KME offers the ability to upload devices using an app on Samsung devices, or via a vendor/reseller channel.

Once devices are onboarded into Samsung Knox you can assign profiles to those devices to integrate with your chosen MDM provider. Using profiles linked to your MDM will vastly improve your onboarding experience for end-users and also secure the device further.

What do I need to get started?

Do I need a license?

Knox Mobile Enrollment is a free IT solution offered by Samsung and does not require a license key.

-Samsung

As the quote says, no license is required for the KME service. All you need to do is sign up for an account on the Register for Knox page.

  1. Enter your Work email address, then click Next

  2. Click Agree

  3. Complete the information on the Create your Samsung account form, then click Next

    If you try to enter a password longer than 15 characters, you will be presented with the above message.

  4. Enter the Verification Code sent to the e-mail provided, then click Next

  5. Click Done (Optional: at this point you can choose to configure Multi-factor Authentication. I would recommend doing so; however, this is not a requirement.)

  6. Once you have returned to the Registration system, click Next

  7. Enter your Company Information, then click Next

  8. Review each of the agreements, and if you accept them tick each box (excl. marketing information), then click Submit

You will now be taken to the Knox Landing page, where you can see all of the services that are available through the Knox Platform. As you can see, when you first configure your account the available solutions are set to Pending.

Knox Landing Page

Click the Licenses tab on the top ribbon, then click Knox license keys. This automatically submits a request for the solutions.

Knox License Registration

At this point, it is a case of awaiting a response from Samsung. The SLA for this is 48 hours (working days only).

Knox Service Plugin

If you plan to use the Knox Service Plugin on your device estate, you will need to generate a Commercial Key from the Samsung Knox Portal. You can achieve this by doing the following:

  1. Log into Samsung Knox

  2. Hover over the Knox Platform for Enterprise tile, then click Generate

    Knox PFE License Generation
  3. To obtain the key, hover back over the Knox Platform for Enterprise tile, then click See License

The Knox Platform for Enterprise: Premium Edition license is the one required for the Knox Service Plugin.

Getting started with Knox Mobile Enrollment

  1. Hover over Knox Mobile Enrollment, select Launch Console
  2. Tick Don’t show me again, then click Got It
  3. Select your services. For this post I will be selecting the following:
    1. Knox Service Select
  4. Click Confirm

Knox Mobile Enrollment is now configured. We can now start to look at adding devices, creating profiles and reseller registration.


Manually adding a device

To manually add devices to the Knox Mobile Enrollment solution you will need the Knox Deployment app on two devices. The first is a device on which you are logged into the Knox Deployment app as an Admin from the Knox solution, and the second is the device you wish to import.

The device the Admin signs in on cannot already be signed in with an account that is not an Administrator within your Knox solution. If it is, the Knox Deployment app will advise you to log out of your Samsung account and log in with an account which has Knox Deployment permission.

Samsung has a comprehensive guide on using the Knox Deployment app for enrolling devices. (See: Samsung Knox Deployment App)

Reseller Registration

To streamline the process further, you can have your device Resellers import your devices for you. The major benefit of doing this is reducing the time taken by engineers to configure the device ready for enterprise use.

A list of Resellers can be found using the following link: Resellers | Samsung Knox. Configuring a reseller is simple and can be done by following Register resellers | Knox Mobile Enrollment.

Creating an MDM profile for Intune

One of the biggest benefits of Knox Mobile Enrollment in an enterprise which uses Intune is the ability to assign a device profile to an enrollment token to remove the need to scan QR codes or enter enrollment tokens. Configuring the profile for this is easy, and in the long run, you will thank yourself for doing it.

If you plan to use this for Corporate, Dedicated devices, please note that the Enrollment Token expires after a maximum of 90 days. The enrollment profile within Samsung Knox would need to be updated when the token is renewed.

Obtaining your enrollment token from Intune

  1. Log in to Microsoft Endpoint Manager
  2. Select Devices in the left-hand pane, then select Android
  3. Select Android Enrollment
  4. Corporate-owned, fully managed user devices
    1. Click Corporate-owned, fully managed user devices
    2. (If applicable) Switch the slider to Yes
    3. Take a note of the Token above the QR code
  5. Corporate-owned dedicated devices
    1. Click Corporate-owned dedicated devices
    2. Select your desired token
    3. Select Token from the left-hand pane, then click Show token
    4. Take note of the Token above the QR code
  6. Corporate-owned devices with work profile
    1. Click Corporate-owned devices with work profile
    2. Select your desired token
    3. Select Token from the left-hand pane, then click Show token
    4. Take note of the Token above the QR code

Creating your profile in Samsung Knox

  1. Log into Samsung Knox
  2. Hover over Knox Mobile Enrollment, select Launch Console
  3. Click Profiles from the left-hand pane
  4. Click Create Profile in the top right-hand corner
  5. Click Android Enterprise
  6. Enter a Profile Name and Description
  7. In the Pick your MDM drop-down, select Microsoft Intune
  8. Leave the rest as default, click Continue
  9. Enter {"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN":"<TOKENHERE>"} into the Custom JSON data field, replacing <TOKENHERE> with your Token
  10. (Optional) To remove the default bloatware, select Disable system applications
  11. Enter your Company Name
  12. Click Create
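
The Custom JSON data value in step 9 is easy to get wrong when it is typed by hand, and the token behind it has to be replaced before it expires. The following is an added example, not part of the original post or of any Samsung or Microsoft tooling: it builds the value from a token, checks a pasted value for common mistakes, and counts the days left before renewal. The function names are hypothetical, and the 90-day figure is the maximum stated above for dedicated-device tokens.

```python
import json
from datetime import date, timedelta

# Key taken from the Custom JSON data step on this page.
TOKEN_KEY = "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN"
MAX_TOKEN_LIFETIME_DAYS = 90  # maximum stated on this page (assumption for other token types)


def build_custom_json(token: str) -> str:
    """Return the Custom JSON data value for the given enrollment token."""
    token = token.strip()
    if not token or "TOKENHERE" in token or any(c.isspace() for c in token):
        raise ValueError("token is empty, still the placeholder, or contains whitespace")
    # json.dumps does the quoting, so the field never receives hand-built JSON.
    return json.dumps({TOKEN_KEY: token}, separators=(",", ":"))


def check_custom_json(text: str) -> list:
    """Return a list of problems found in a pasted Custom JSON data value."""
    if any(q in text for q in "\u201c\u201d\u2018\u2019"):
        return ["contains typographic quotes; JSON needs plain double quotes"]
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(data, dict) or TOKEN_KEY not in data:
        return ["enrollment token key is missing or misspelled"]
    value = data[TOKEN_KEY]
    if not isinstance(value, str) or not value.strip():
        return ["token value is empty or not a string"]
    if "TOKENHERE" in value:
        return ["placeholder was not replaced with a real token"]
    if any(c.isspace() for c in value):
        return ["token contains whitespace"]
    return []


def days_until_renewal(created: date, today: date,
                       lifetime_days: int = MAX_TOKEN_LIFETIME_DAYS) -> int:
    """Days left before the token expires and the KME profile needs the new one."""
    return (created + timedelta(days=lifetime_days) - today).days


if __name__ == "__main__":
    sample = build_custom_json("ABCD1234")  # constructed token, not a real one
    print(sample, check_custom_json(sample))
    print(days_until_renewal(date(2024, 1, 1), date(2024, 3, 1)), "days until renewal")
```

A negative result from days_until_renewal means the token has already expired and new devices assigned this profile will fail to enroll until the profile is updated.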

Assigning a profile to a device

  1. Click Devices in the left-hand pane
  2. Locate the Device using the IMEI or Serial Number
  3. Select the device by placing a tick in the selection box, then select Actions
  4. Select Configure Device, then select the relevant profile for the enrollment
  5. Click Save

After you have assigned a profile to the device and it is then powered on, the end-user will be able to self-enroll the device without having to worry about pressing the screen 5 times and then scanning a QR code. This makes it a lot easier to ship a device directly to an end-user.

Conclusion

There are going to be further blogs covering the Knox Service Plugin and other Samsung Knox services, however, I hope this post gives you insight into the benefits this solution can provide along with a nice guide to get you started.
