Citrix Endpoint Management

Samsung Knox bulk enrollment

To enroll multiple Samsung Knox devices into Endpoint Management without manually configuring each device, use Knox Mobile Enrollment. The enrollment occurs upon first-time use or after a factory reset. Admins can also pass usernames and passwords directly to the device, so users don’t need to enter any information upon enrollment.


The setup for Knox Mobile Enrollment is not related to the Endpoint Management Knox container. For more information on Knox Mobile Enrollment, see the Knox Mobile Enrollment Admin Guide.

Prerequisites for Knox Mobile Enrollment

  • Endpoint Management must be configured (including licenses and certificates) and running.
  • Secure Hub APK file. You upload the file when setting up Knox Mobile Enrollment.
  • For a list of KME requirements, see the Knox Mobile Enrollment Introduction.
  • Samsung Knox Platform for Enterprise (PKE) license, required to apply device policies. Provide the license key in the Endpoint Management device policy, Knox Platform for Enterprise.

To download the Secure Hub APK file

Go to the Google Play store to download the Citrix Secure Hub for Android file.

Configure firewall exceptions

To access Knox Mobile Enrollment, configure the following firewall exceptions. Some of these firewall exceptions are required for all devices and some are specific the device’s geographical region.

Device Region URL Port Destination
All 443 Global load balancer for Knox Mobile Enrollment initiation
All 80 Global load balancer for Knox Mobile Enrollment initiation on some limited legacy devices
All 443 Samsung agent update servers
All 80 Knox Mobile Enrollment customer EULAs
All 443 Knox Mobile Enrollment customer EULAs
All 443 Samsung servers for IMEI verification
United States 443 Samsung Enterprise Gateway for US region
Europe 443 Samsung Enterprise Gateway for European region
China 443 Samsung Enterprise Gateway for China region


You can find a full list of firewall exceptions in the Knox Mobile Enrollment Admin Guide.

Getting access to Knox Mobile Enrollment

Follow Samsung documentation to get access to Knox Mobile Enrollment at Get started with KME.

Setting up Knox Mobile Enrollment

After you get access to Knox Mobile Enrollment, log in to the Knox portal.

The enrollment process follows these general steps.

  1. Create an MDM profile with your MDM console information and settings.

    The MDM profile indicates to your devices how to connect to your MDM.

  2. Add devices to your MDM profile.

    You can either upload a CSV file with device information or install and use the Knox deployment app from Google Play.

  3. Samsung alerts you when device ownership is verified.

  4. Provide users with MDM credentials. Instruct them to connect to the Internet using Wi-Fi and to accept the prompt to enroll their device.

To create an MDM profile

Follow the steps outlined in the Samsung documentation on Profile Configuration.

When you encounter the following fields or steps, configure them as described:

  • Pick your MDM: Select Citrix from the menu. Only for device owner profiles.
  • MDM Agent APK: Only for device owner profiles. Type the Secure Hub APK download URL:

    The APK file can reside on any server that the devices can access during enrollment. During enrollment, a device:

    • Downloads Secure Hub from APK download URL
    • Installs Secure Hub
    • Then opens Secure Hub with the custom JSON data described next.

    The capitalization of the .apk file name must match the URL you enter. For example, if the file name is all lowercase, it must also be all lowercase in the URL.

  • MDM Server URI: Do not specify an MDM server URI. Endpoint Management does not use the Samsung MDM protocol.
  • Custom JSON Data: Secure Hub needs the Endpoint Management server address plus the username and password for enrollment. You can provide that data in JSON so that Secure Hub doesn’t prompt users for it. Secure Hub prompts users for server address, username, or password only if the field is omitted from the JSON.

    The format for custom JSON data is:

    {"serverURL": "URL"}

    In this example, typical for bulk enrollment, Secure Hub doesn’t prompt users for the server address or their credentials during enrollment:

    {"serverURL":""} {"serverURL":""}

    In this example, typical for kiosk-based devices, Secure Hub prompts users for their credentials:


    To enroll devices in the work profile on corporate-owned devices mode, add {"desiredProvisioningMode":"managedProfile"} to the custom JSON. See the following example:

    {"serverURL":"", "desiredProvisioningMode": "managedProfile"}

    You can copy the following code block as a starting point for your JSON:


When a device starts enrollment, the device downloads Secure Hub from the given URL, installs Secure Hub, and opens Secure Hub.

You can also use the Android zero-touch enrollment feature to enroll devices. For more information, see Zero-touch enrollment.

Further configuration

See the following Samsung documentation pages for more information on configuration:

To enroll devices running a Knox API earlier than version 2.4

On devices that have the Knox API earlier than version 2.4, bulk enrollment doesn’t start during the initial device setup. Instead, users must initiate enrollment. To do that, users go to a Samsung site to download the new Mobile Enrollment client and start the enrollment.

The downloaded enrollment client uses the same MDM profile and APKs configured in the Knox Bulk enrollment portal for the Knox 2.4/2.4.1 devices.

Users typically follow these steps:

  1. Turn on the device and connect to Wi-Fi. If the Mobile Enrollment doesn’t start or Wi-Fi is not available, do the following:

    1. Go to Samsung Knox Mobile Enrollment.

    2. Tap the Next button to enroll devices with mobile data.

  2. When the prompt Enroll with Knox appears, tap Continue.

  3. Read the EULAs (if available). Tap Next.

  4. If prompted, enter the User ID and Password provided by the IT administrator.

At this point, the user credentials are validated and their device is enrolled in your organization’s enterprise IT environment.

Enable and disable biometric authentication for Samsung devices

Endpoint Management supports fingerprint and iris scan authentication, also known as biometric authentication. You can enable and disable biometric authentication for Samsung devices without requiring any action from users. If you disable biometric authentication in Endpoint Management, users and third-party apps cannot enable the feature.

  1. In the Endpoint Management console, click Configure > Device Policies. The Device Policies page appears.

  2. Click Add. The Add New Policy page appears.

  3. Click Passcode. The Passcode Policy information page appears.

  4. In the Policy Information pane, enter the following information:

    • Policy Name: Type a descriptive name for the policy.
    • Description: Optionally, type a description of the policy.
  5. Click Next. The Platforms page appears.

  6. Under Platforms, select Android or Samsung Knox.

  7. Set Configure biometric authentication to On.

    The Configure biometric authentication option

Samsung Knox bulk enrollment