Samsung Knox bulk enrollment

To enroll multiple Samsung Knox devices into Endpoint Management (or any mobile device manager) without manually configuring each device, use Knox Mobile Enrollment. The enrollment occurs upon first-time use or after a factory reset. Admins can also pass user names and passwords directly to the device, so users don’t need to enter any information upon enrollment.

Note:

The setup for Knox Mobile Enrollment is not related to the Endpoint Management Knox container. For more information on Knox Mobile Enrollment, see the Knox Mobile Enrollment Admin Guide.

Prerequisites for Knox Mobile Enrollment

  • Endpoint Management must be configured (including licenses and certificates) and running.
  • Secure Hub APK file. You upload the file when setting up Knox Mobile Enrollment.
  • For a list of KME requirements, see the Knox Mobile Enrollment Admin Guide.

To download the Secure Hub APK file

  1. Log in to the Citrix download site and go to the Citrix Endpoint Management downloads.

  2. Go to Mobile productivity apps and MDX Toolkit and choose your edition.

  3. Download the Citrix Secure Hub for Android file.

Configure firewall exceptions

To access Knox Mobile Enrollment, configure the following firewall exceptions. Some of these firewall exceptions are required for all devices and some are specific to the device’s geographical region.

Device region   URL                                 Port   Destination
-------------   ---------------------------------   ----   -----------------------------------------------------------
All             https://gslb.secb2b.com             443    Global load balancer for Knox Mobile Enrollment initiation
All             https://gslb.secb2b.com             80     Global load balancer for Knox Mobile Enrollment initiation on some limited legacy devices
All             umc-cdn.secb2b.com                  443    Samsung agent update servers
All             bulkenrollment.s3.amazonaws.com     80     Knox Mobile Enrollment customer EULAs
All             eula.secb2b.com                     443    Knox Mobile Enrollment customer EULAs
All             us-be-api-mssl.samsungknox.com      443    Samsung servers for IMEI verification
United States   https://us-segd-api.secb2b.com      443    Samsung Enterprise Gateway for US region
Europe          https://eu-segd-api.secb2b.com      443    Samsung Enterprise Gateway for European region
China           https://china-segd-api.secb2b.com   443    Samsung Enterprise Gateway for China region

Note:

You can find a full list of firewall exceptions in the Knox Mobile Enrollment Admin Guide.

Getting access to Knox Mobile Enrollment

Follow these procedures to get access to Knox Mobile Enrollment.

If you have a Knox web portal account

  1. Log on to the Knox web portal and go to your Samsung Knox Dashboard. To access your Knox web portal, see the Samsung Account site.

  2. Under Knox Mobile Enrollment, click Get Started.

  3. Fill out the applicable fields and then click Apply.

After Samsung approves your application, you receive a welcome email with instructions on how to start using the Knox Mobile Enrollment tool. For a faster approval process, provide any essential information, including contact details for your reseller, Samsung sales representative, or any other information that assists in your approval.

Setting up Knox Mobile Enrollment

After you get access to Knox Mobile Enrollment, go to the Knox portal and then click Launch Mobile Enrollment.

The Launch Mobile Enrollment screen

If Samsung cannot authorize the account to use Bulk Enrollment, you see an error screen.

The enrollment process then follows these general steps, described in detail in the following subsections.

  1. Create an MDM profile with your MDM console information and settings.

    The MDM profile indicates to your devices how to connect to your MDM.

  2. Add devices to your MDM profile.

    You can either upload a CSV file with device information or install and use the Knox deployment app from Google Play.

  3. Samsung alerts you when device ownership is verified.

  4. Provide users with MDM credentials. Instruct them to connect to the Internet using Wi-Fi and to accept the prompt to enroll their device.

To create an MDM profile

Create an MDM profile that defines the Endpoint Management server to use. Create one profile per server.

  1. Log on to the Knox Mobile Enrollment website.

  2. Click MDM Profiles on the left. Click CREATE PROFILE and then choose from the two options available.
    • DEVICE OWNER: For fully managed or dedicated devices. Allows applications to apply policies and restrictions during setup.
    • DEVICE ADMIN: A legacy option that has different options from device owner, including the option to skip device setup.

    Image of the MDM Server Connection option

  3. Once you’ve selected an option, enter the following information:
    • Profile Name: A descriptive name for the profile
    • Description: A short description to distinguish the profile.
    • Pick your MDM: Select Citrix from the menu. Only for device owner profiles.
    • MDM Agent APK: Only for device owner profiles. Type the Secure Hub APK download URL. For example:

      https://example.com/zdm/securehub.apk

      https://pmdm.mycorp-inc.net/zdm/securehub.apk

      The APK file can reside on any server that the devices can access during enrollment. During the enrollment, a device downloads Secure Hub from that URL, installs Secure Hub, and then opens Secure Hub with the custom JSON data described next.

      Note:

      The capitalization of the .apk file name must match the URL you enter. For example, if the file name is all lowercase, it must also be all lowercase in the URL.

    • MDM Server URI: Do not specify an MDM server URI. Endpoint Management does not use the Samsung MDM protocol.
  4. Click Continue and then configure the following:
    • MDM Agent APK: Only for device admin profiles. Add any number of MDM apps to download automatically during device enrollment.
    • For Custom JSON Data, enter the Endpoint Management server address, user name, and password in the format: {"serverURL": "URL", "xm_username":"Username", "xm_password":"Password"}

      Examples:

      {"serverURL":"https://example.com/zdm", "xm_username":"userN", "xm_password":"password1234"}

      {"serverURL":"https://pmdm.mycorp-inc.net/zdm", "xm_username":"james.cork", "xm_password":"aDin20_1fa"}

      You can also enter custom JSON for zero-touch enrollment for Android Enterprise.

      {
          "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":
          {
              "serverURL":"URL", "xm_username":"username", "xm_password":"password"
          }
      }

      Note:

      The Secure Hub APK file must be uploaded on the specified server (example: https://pmdm.mycorp-inc.net:4443) under the Apps section. This process is similar to uploading enterprise apps.

      Image of the MDM Profile page

    • Dual DAR: Optionally enable Dual DAR to apply extra layers of encryption on device owner profiles. You can also use a third party crypto app.
    • System apps: For device owner profiles only. Select Disable system apps to disable all apps except for a limited set. Select Leave all system apps enabled to ensure that the device owner profile can access all apps.
    • Enrollment settings: For device admin profiles only. Mark the checkboxes for Skip Setup Wizard or Allow end user to cancel enrollment if you want to allow those options.
    • Privacy Policy, EULAs and Terms of Service: Click ADD LEGAL AGREEMENT to enter a title and text for any sort of policy you want to display during enrollment.
    • Company Name: For device owner profiles only. Type the organization name to display during enrollment.
    • Support contact details: On device admin profiles, edit the following information, which is shown upon successful enrollment:
      • Company Name
      • Company Address
      • Support Phone Number
      • Support Email Address

      You can also select Save as default support contact details to use the same information for other profiles.

    • Associate a Knox license with this profile: On device admin profiles, select this option to pass the Knox license key directly to the device. This allows for easier Knox profile configuration.

      Image of the MDM Profile page
  5. Click CREATE to finalize the profile.

When a device starts bulk enrollment, the device uses the profile data. First, the device downloads Secure Hub from the given URL, installs Secure Hub, and opens Secure Hub with the custom JSON data as parameter. Secure Hub already has the Endpoint Management address, so Secure Hub doesn’t need to prompt for it. Enrollment occurs automatically, since the JSON file provides credentials as well.
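As an added example (not Citrix or Samsung code), the following Python builds and checks the Custom JSON Data string in both forms shown above, the plain object and the Android Enterprise zero-touch bundle. The https-only check on serverURL and the case-sensitive APK file-name check are assumptions drawn from the page’s examples and its Note; the key names are the ones the page gives.

```python
import json
from urllib.parse import urlparse

BUNDLE_KEY = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"


def build_custom_json(server_url, username, password, android_enterprise=False):
    """Build the Custom JSON Data string for a KME MDM profile.

    Keys serverURL, xm_username and xm_password are the ones this page shows.
    Assumption (not stated by the page): serverURL must be https, as in the
    page's examples, so credentials are never sent over plain http.
    """
    parsed = urlparse(server_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"serverURL must be an https URL: {server_url!r}")
    if not username or not password:
        raise ValueError("xm_username and xm_password must not be empty")
    payload = {"serverURL": server_url, "xm_username": username, "xm_password": password}
    if android_enterprise:
        # Zero-touch form: the same object wrapped in the admin-extras bundle.
        payload = {BUNDLE_KEY: payload}
    return json.dumps(payload, separators=(",", ":"))


def parse_custom_json(text):
    """Parse a Custom JSON Data string into (serverURL, username, password),
    unwrapping the zero-touch bundle when present."""
    data = json.loads(text)
    data = data.get(BUNDLE_KEY, data)
    missing = {"serverURL", "xm_username", "xm_password"} - set(data)
    if missing:
        raise ValueError(f"Custom JSON is missing keys: {sorted(missing)}")
    return data["serverURL"], data["xm_username"], data["xm_password"]


def apk_url_matches(apk_url, file_name):
    """True if the last path segment of the APK URL equals file_name exactly
    (case-sensitive), the rule the Note on .apk capitalization describes."""
    last_segment = urlparse(apk_url).path.rsplit("/", 1)[-1]
    return last_segment == file_name
```

Because the payload carries the enrollment password in clear text, treat the saved profile text like any other secret.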

For more information on creating profiles, see Samsung’s documentation at https://docs.samsungknox.com/KME-Getting-Started/Content/create-profiles.htm.

To add devices by using a .csv file

To add devices, upload device IDs and associate them with one of the previously created MDM profiles. Upload a .csv file. The different ways of building the file are documented on the Knox website. The simplest way is to enter one IMEI per line, as follows.

Note:

You can alternatively add devices by scanning them, as described in the next section.

  1. From the Knox Mobile Enrollment site, go to Devices > All Devices and then click Upload Devices.

  2. Under CSV File Format, click Download file template.

  3. Enter information in corresponding columns in the template:

    • Device info: IMEI, MEID, or serial number.
    • Other info: (optional) Any other information that you want to include about the device.

    Note:

    The template includes Username and Password columns. If you are using legacy Android Enterprise and users’ Samsung devices are running versions earlier than Knox 3.0, they cannot sign on with their user name and password in Secure Hub. Therefore, you can leave these columns blank.

    If you are using Android Enterprise and users’ Samsung devices are running Knox 3.0 or later, optionally you can enter a user name and password. The user name and password would have been provisioned to users for the enterprise MDM setup.

  4. Highlight all the cells in the spreadsheet.

  5. Right-click the highlighted cells and then select Format cells.

  6. On the Number tab, under Category, click Text and then click OK.

  7. Save the spreadsheet as a .csv file.
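Steps 4 to 6 exist because a spreadsheet will otherwise store a 15-digit IMEI as a number and mangle it. As an added example (not Citrix or Samsung code), the following Python writes the upload file directly, with every field quoted as text, and checks each identifier first: a 15-digit value is validated as an IMEI using its Luhn check digit, a 14-character hex value is treated as a MEID, and anything else as a serial number. The column headings are an assumption based on the fields this page names; compare them with the template downloaded from the Knox portal.

```python
import csv
import io

# Assumption: headings follow the template fields named on this page
# (Device info, Other info, Username, Password); verify against the template.
HEADER = ["Device info", "Other info", "Username", "Password"]


def imei_luhn_ok(imei):
    """True if imei is 15 digits whose last digit is a valid Luhn check digit."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_device_id(value):
    """Return 'imei', 'meid' or 'serial' for a device identifier, or raise."""
    v = value.strip()
    if not v:
        raise ValueError("empty device identifier")
    if len(v) == 15 and v.isdigit():
        if not imei_luhn_ok(v):
            raise ValueError(f"IMEI fails Luhn check (typo or misread barcode?): {v}")
        return "imei"
    if len(v) == 14 and all(c in "0123456789abcdefABCDEF" for c in v):
        return "meid"
    return "serial"


def build_device_csv(devices):
    """Build the upload CSV text from (device_id, other_info, username, password)
    tuples. Rejects duplicates and malformed IMEIs; every field is quoted so a
    spreadsheet cannot turn a long identifier into a number."""
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(HEADER)
    seen = set()
    for device_id, other_info, username, password in devices:
        kind = classify_device_id(device_id)
        key = device_id.strip().upper()
        if key in seen:
            raise ValueError(f"duplicate {kind}: {device_id}")
        seen.add(key)
        writer.writerow([device_id.strip(), other_info, username, password])
    return out.getvalue()
```

Leave the Username and Password fields empty for devices that cannot use them, as the Note above describes.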

To enroll devices by using a .csv file

  1. Click the Devices tab.

  2. Click Upload Devices.

    The Upload Devices screen

  3. In the Add Devices dialog box, click Browse, select your .csv file and then click Upload.

  4. Enter your purchase details. The Knox Mobile Enrollment tool verifies your purchase details to ensure that each device is enrolled in the proper enterprise.

  5. Under Assign to Profile, select the MDM profile that you added.

  6. Click Submit.

The All Devices list displays the enrollment status and profile of all the devices that you attempted to enroll.

For a device to successfully enroll in the enterprise, the device must connect to Wi-Fi and users must agree to download and install Secure Hub.

To add devices by using scan

  1. Download and install the Knox Mobile Enrollment app from Google Play.

  2. Enter your Samsung Portal credentials and then tap SIGN IN.

  3. Tap Scan Devices.

  4. Tap Scan new devices.

  5. Align the barcode of your device with the red line to scan.

  6. If the scan succeeds, the device IMEI appears. Tap Save.

  7. Your scanned devices are shown in the scan queue. Tap Upload.

To enroll scanned devices

  1. Log on to your Knox Web Portal account and click Launch Mobile Enrollment.

  2. Tap Scanned to view all added devices.

  3. Select the devices that you want to enroll and then tap Submit selected. To submit all scanned devices, tap Submit all.

  4. In the Submit scanned devices pop-up, enter your Purchase details to confirm device ownership.

  5. In the Assign MDM profile menu, select the profile to use for device enrollment and then click Submit.

You receive a confirmation email when the device information is verified.

For security reasons, devices are not immediately assigned to this bulk enrollment account. Samsung first must verify that the devices belong to the entity that is setting up the bulk enrollment account.

For that purpose, the next screen prompts for the identity of the reseller and for matching invoices.

The reseller identification prompt

Important:

For legal reasons, Samsung maintains two distinct server groups: Americas and EU. U.S. devices must register with a Knox account for the U.S. region. EU devices, as well as devices from any other region except China, which is not supported, must register with a Knox account for the EU region.

A device from the wrong region is accepted into the account, but bulk enrollment fails on the device with a cryptic error. To check whether the device country code or origin is a non-U.S. country, download the simple Phone Info Samsung app from Google Play.

Enrollment experience for users

After the preceding configuration is completed, the first time a user starts a device and connects to the Internet using Wi-Fi, the following sequence of screens appears. The enrollment process starts automatically, and users need to download and install Secure Hub and then enter valid credentials on the Secure Hub screen to complete the enrollment.

Note:

Enrollment doesn’t use a cellular connection to avoid any network costs for the user.

To enroll devices running a Knox API earlier than version 2.4

On devices with a Knox API version earlier than 2.4, bulk enrollment does not work out of the box. Therefore, users must initiate enrollment by going to a Samsung site to download the new Mobile Enrollment client and start the enrollment.

The downloaded enrollment client uses the same MDM profile and APKs configured in the Knox Bulk enrollment portal for the Knox 2.4/2.4.1 devices.

Users typically follow these steps:

  1. Turn on the device and connect to Wi-Fi. If the Mobile Enrollment doesn’t start or Wi-Fi is not available, do the following:

    1. Go to Samsung Knox Mobile Enrollment.

    2. Tap the Enroll button to enroll devices with mobile data.

  2. When the prompt Enroll with Knox appears, tap Continue.

  3. Read the EULAs (if available). Tap Next.

  4. If prompted, enter the User ID and Password provided by the IT administrator.

At this point, the user credentials are validated and their device is enrolled in your organization’s enterprise IT environment.

Enable and disable biometric authentication for Samsung devices

Endpoint Management allows you to enable and disable biometric authentication (fingerprint and iris scan authentication) for Samsung devices without requiring any action from users. If you disable biometric authentication in Endpoint Management, users and third-party apps cannot enable the feature.

  1. In the Endpoint Management console, click Configure > Device Policies. The Device Policies page appears.

  2. Click Add. The Add New Policy page appears.

  3. Click Passcode. The Passcode Policy information page appears.

  4. In the Policy Information pane, enter the following information:

    • Policy Name: Type a descriptive name for the policy.
    • Description: Optionally, type a description of the policy.
  5. Click Next. The Platforms page appears.

  6. Under Platforms, select Android or Samsung Knox.

  7. Set Configure biometric authentication to ON.

  8. If you selected Android, under Samsung SAFE, select Allow fingerprint or Allow Iris or both.

    The Configure biometric authentication option