Samsung Knox Mobile Enrollment with Intune

Using Samsung Knox Mobile Enrollment (KME) you can automatically enroll Samsung devices (and only Samsung devices) into Intune. New Samsung devices bought from a participating reseller can be uploaded automatically into your Knox tenant. With auto assignment configured, an MDM profile is assigned to the new devices as soon as they arrive in the tenant, so they are ready for use and can be shipped directly to the end user without anyone touching them first.

If you already have unenrolled Samsung devices in use, these can be enrolled manually into your Knox tenant. Once enrolled, an MDM profile can be assigned in Knox; after a factory reset the device picks up that profile and can be sent to the end user.

Advantages of using Knox Mobile Enrollment with Intune:

  • Automatic installation and configuration. Users do not need to manually enroll devices in Intune.
  • Bulk enroll new devices when purchased from a Knox participating reseller.
  • Devices cannot be unenrolled by the end user: a device that stays registered in the Knox tenant is automatically re-enrolled after a factory reset.

Prerequisites

  • A configured corporate-owned Android Enterprise enrollment profile in Intune (dedicated, fully managed, or corporate-owned with work profile).
  • A free Samsung Knox Mobile Enrollment subscription.
  • Samsung devices running Knox version 2.4 or higher, either purchased from a participating reseller or manually enrolled into Samsung Knox.

Configure Knox profile

1. Sign in to the Samsung Knox portal and launch “Knox Mobile Enrollment”.

2. Select “MDM Profiles” on the left and press “Create Profile”.

3. Select profile type “Device Owner”.

4. Enter the following fields:

Profile Name: enter a profile name.

Pick your MDM: Microsoft Intune.

Enter the MDM Agent APK: https://aka.ms/intune_kme_deviceowner

5. Wait for the “MDM agent APK” to be verified (this can take up to 10 minutes) and press “Continue”.

6. Enter the following Custom JSON and replace <Enrollment Token> with the enrollment token of your corporate-owned enrollment profile in Intune:

{"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "<Enrollment Token>"}

Root/intermediate certificate: not needed.

Dual DAR: No.

QR code for enrollment: with this option devices can be enrolled without being uploaded by a reseller.

Example: the token shown in a corporate-owned fully managed device enrollment profile.

Treat the token as a credential: anyone who has it can enroll a device into your tenant as a corporate-owned device. The token also has an expiration date that is set in the Intune enrollment profile; when you renew it there, update the Custom JSON in the Knox profile as well, otherwise enrollment fails after the old token expires.

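The Custom JSON is typed or pasted into the Knox console by hand, and the token is only picked up during provisioning if the key is exactly the one the Android Device Policy client (clouddpc) reads. Common ways to get it wrong are leaving the <Enrollment Token> placeholder in, shortening the key, or carrying typographic quotes along from a copy-paste out of a web page or word processor. The following Python script is an added example, not code from the original post or from Samsung or Microsoft: it builds the one-line JSON from a token and checks a pasted JSON string for those mistakes. The token values in it are constructed placeholders, not real Intune tokens, and it does not validate the token format itself, only that a non-placeholder value is present.

```python
"""Build and sanity-check the Custom JSON that Knox Mobile Enrollment hands to
the Intune DPC (the "MDM agent APK") as provisioning extras.

Added example; the sample tokens below are made up, not real Intune tokens.
"""
import json

# Exact key the Android Device Policy client reads from the provisioning extras.
ENROLLMENT_TOKEN_KEY = "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN"

# Placeholder text from the tutorial; it must never end up in a real profile.
PLACEHOLDER = "<Enrollment Token>"

# Typographic quotes that appear when JSON is copied from a web page or a
# word processor; they are not valid JSON string delimiters.
CURLY_QUOTES = "\u201c\u201d\u2018\u2019"


def build_custom_json(token: str) -> str:
    """Return the one-line Custom JSON for a given Intune enrollment token."""
    token = token.strip()
    if not token or token == PLACEHOLDER:
        raise ValueError("a real Intune enrollment token is required")
    return json.dumps({ENROLLMENT_TOKEN_KEY: token}, separators=(",", ":"))


def check_custom_json(text: str) -> list[str]:
    """Return the problems found in a pasted Custom JSON string (empty list == OK)."""
    problems = []
    if any(ch in text for ch in CURLY_QUOTES):
        problems.append('contains typographic quotes; replace them with plain " quotes')
        # Normalise so the remaining checks can still run on the intended content.
        text = text.translate(str.maketrans({c: '"' for c in CURLY_QUOTES}))
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        problems.append(f"not valid JSON: {exc.msg}")
        return problems
    if not isinstance(data, dict):
        problems.append("top level must be a JSON object")
        return problems
    if ENROLLMENT_TOKEN_KEY not in data:
        near = [k for k in data if "ENROLLMENT_TOKEN" in str(k).upper()]
        hint = f" (found similar key {near[0]!r})" if near else ""
        problems.append(f"missing key {ENROLLMENT_TOKEN_KEY}{hint}")
        return problems
    token = data[ENROLLMENT_TOKEN_KEY]
    if not isinstance(token, str) or not token.strip():
        problems.append("enrollment token must be a non-empty string")
    elif token == PLACEHOLDER:
        problems.append("placeholder token still present; paste the token from Intune")
    elif token != token.strip():
        problems.append("token has leading or trailing whitespace")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs (the tokens are made up).
    samples = {
        "pasted from the tutorial unchanged":
            '{"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "<Enrollment Token>"}',
        "copied through a word processor (curly quotes)":
            '{\u201ccom.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN\u201d: \u201cABCDEF123456\u201d}',
        "key shortened by hand":
            '{"EXTRA_ENROLLMENT_TOKEN": "ABCDEF123456"}',
        "generated by build_custom_json":
            build_custom_json("ABCDEF123456"),
    }
    for label, text in samples.items():
        problems = check_custom_json(text)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

Run the script before pasting: the only sample that passes is the one produced by build_custom_json, which is also the string to paste into the Knox profile.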
7. In this example I’ve selected “Add a QR code”. With this code a device running Android 10 or higher can be enrolled in Intune by using the Samsung “plus” gesture on the welcome screen. The QR code can also carry a Wi-Fi configuration.

Wi-Fi settings in the QR code take priority over those in the profile assigned to the device, because the device first needs to connect to Wi-Fi via the QR code before it can download the profile information associated with it.

8. Enter the following information and press “Create” to finish the profile creation.

System applications: enable or disable system applications.

Add legal agreement (optional): add a custom legal agreement.

Company name: enter your company name.

9. If the QR code has been enabled it is created, displayed and sent by mail. You can also download or print the QR code. Press “OK” to continue.

10. The profile is now created and can be assigned to devices.

Test Knox profile

11. Assign the created MDM profile to the test device in the Knox console and factory reset the test device.

12. Select the language and press “->”.

13. Press “OK” to continue and choose a network to connect to.

14. The Knox Enrollment Service is updated.

15. Instead of the Google sign-in page, the Knox “Set up your device” screen appears. Press “Accept & continue” to continue.

16. The configured Intune enrollment is now applied.

17. Depending on the configured enrollment profile, either a Microsoft sign-in page (fully managed / corporate-owned with work profile) or the Android home screen (dedicated) is shown. In this example a fully managed profile is configured, which requires a sign-in.

Sources:

Samsung

Microsoft

3 thoughts on “Samsung Knox Mobile Enrollment with Intune”

  1. Luka

    Hi Aad,

    Great article, it cleared up a few things! Quick question on the QR code. Should it not work so that the QR code is scanned from the Android welcome/boot screen and then it gets enrolled, like with the enrollment token in Intune? I actually tried and it returns that the QR code is incorrect.

    Thank you!
    Luka

    1. Aad Lutgert Post author

      Hi Luka,

      Thanks for your reply. That’s correct, the QR code should work the same as with Intune, but the Android OS needs to be at least version 10. I haven’t tested it myself yet, but that’s according to the Samsung documentation:

      The QR code profile configuration is defined within the KME console’s Device Owner profile settings screen by selecting the ADD QR CODE button that is only available for Android 10 devices. (source)

      Best regards,

      Aad

      1. Yonathan

        Great article!
        I had the same problem using the QR code.
        Apparently there’s a difference between the QR scanner you get when tapping on the screen and the one you choose from the enrollment “swipe” menu: the QR code only works from the swipe menu. I think the QR scanner that opens when tapping on the screen is intended for the “direct” Intune QR code, not the Knox one.

