Samsung KNOX Bulk Enrollment

Mar 03, 2016

To enroll multiple Samsung KNOX devices into XenMobile (or any Mobile Device Manager) without manually configuring each device, use KNOX Mobile Enrollment. The enrollment occurs upon first-time use or after a factory reset.

Note

The setup for KNOX Mobile Enrollment is not related to the XenMobile KNOX container.

Prerequisites for KNOX Mobile Enrollment

  • Samsung devices running KNOX 2.4 or higher
  • Some devices lacking a device root key (DRK) support Mobile Enrollment with the KNOX 2.4.1 binary. For a list of supported devices, see KNOX Mobile Enrollment. Samsung must whitelist the devices to be enrolled.
  • When you add devices to the KNOX portal, you enter device IMEIs or serial numbers. The only way to bulk enroll is to:
    • Purchase devices from a list of approved Samsung resellers, or
    • Purchase devices from resellers willing to share the IMEIs directly with Samsung. A list of resellers for your country can be obtained from KNOX customer support.

    For details on device verification requirements, contact KNOX Support.

  • KNOX partner account
  • XenMobile server must be configured (including licenses and certificates) and running.
  • Worx Home APK file. You will upload the file when setting up KNOX Mobile Enrollment.

Getting Access to KNOX Mobile Enrollment

If you have a KNOX web portal account

1. Log on to the KNOX web portal and go to your Samsung KNOX Dashboard.

2. Under KNOX Mobile Enrollment, click Get Started.

3. Fill out the applicable fields and then click Apply.

After Samsung approves your application, you will receive a welcome email with instructions on how to start using the KNOX Mobile Enrollment tool. For a faster approval process, provide any essential information, including contact details for your reseller, Samsung sales representative, or any other information that will assist in your approval.

If you don't have a KNOX web portal account

1. On the KNOX Mobile Enrollment page, click Get Started.

2. Fill out the required fields.

3. You will receive an email to confirm your registration with the KNOX portal. Click Complete Registration to continue.

4. Enter and confirm your KNOX web portal password.

5. In your Samsung KNOX Dashboard, under KNOX Bulk Enrollment Program, click Launch KNOX Mobile Enrollment.

6. For faster approval, please provide any essential information; this includes contact details for your reseller, Samsung sales representative, or any other information that will assist in your approval.

Setting Up KNOX Mobile Enrollment

After you get access to KNOX Mobile Enrollment, go to the KNOX portal and click Launch Mobile Enrollment.

If Samsung cannot authorize the account to use Bulk Enrollment, you will see this screen:

[Screenshot: message shown when the account is not authorized for Bulk Enrollment]

The enrollment process then follows these general steps, described in detail in the following sub-sections.

1. Create an MDM profile with your MDM console information and settings.

The MDM profile tells your devices how to connect to your MDM.

2. Add devices to your MDM profile.

You can either upload a CSV file with device information or scan the devices with the Mobile Enrollment app from Google Play.

3. Samsung will let you know when device ownership is verified.

4. Provide users with MDM credentials. Instruct them to connect to the Internet using WiFi and to accept the prompt to enroll their device.

To create an MDM profile

You must create an MDM profile that defines the XenMobile server to use. Create one profile per XenMobile server.

1. Log on to the KNOX Mobile Enrollment website.

2. Click the MDM Profiles tab, click Add, and then click Server URI not required for my MDM.

Do NOT specify an MDM server URI. XenMobile does not use the Samsung MDM protocol.

3. In the Create an MDM Profile screen, provide the following:

  • A name for the profile.
  • For MDM Agent APK, the Worx Home APK download URL. For example:

http://example.com/zdm/worxhome.apk
https://pmdm.mycorp-inc.net/zdm/worxhome.apk

The APK file can reside on any server that the devices can access during enrollment. During the enrollment, a device downloads Worx Home from that URL, installs Worx Home, and then opens Worx Home with the custom JSON data described next.

  • For Custom JSON Data, the XenMobile server address in the format:
    {"serverURL":"URL"}

    Examples:

{"serverURL":"https://example.com/zdm"}
{"serverURL":"https://pmdm.mycorp-inc.net/zdm"}

Note: worxhome.apk must be uploaded to the specified server (example: https://pmdm.mycorp-inc.net:4443) under the Apps section. This is similar to uploading enterprise apps.

When a device starts bulk enrollment, the device uses the profile data. First, the device downloads Worx Home from the given URL, installs Worx Home, and opens Worx Home with the custom JSON data as a parameter. Then, Worx Home opens the credentials page. Worx Home already has the XenMobile server address, so Worx Home doesn't need to prompt for it.
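Because every enrolled device installs whatever the MDM Agent APK URL serves and then trusts the server named in the Custom JSON Data, it is worth checking both fields before saving the profile. The following check is an added example, not Citrix or Samsung code; the function name, the findings wording, and the rules that HTTP is reported and that serverURL must be HTTPS are assumptions of this example.

```python
import json
from urllib.parse import urlsplit

def check_mdm_profile(apk_url, custom_json):
    """Return a list of findings for the two profile fields; [] means none."""
    findings = []

    # MDM Agent APK: the device downloads and installs what this URL serves.
    apk = urlsplit(apk_url.strip())
    if apk.scheme not in ("http", "https") or not apk.hostname:
        findings.append("apk: not an absolute http(s) URL")
    else:
        if apk.scheme == "http":
            findings.append("apk: plain HTTP, download can be altered in transit")
        if not apk.path.lower().endswith(".apk"):
            findings.append("apk: path does not end in .apk")

    # Custom JSON Data: this example requires the single key spelled
    # exactly as on the page, {"serverURL":"URL"}.
    try:
        data = json.loads(custom_json)
    except ValueError:
        return findings + ["json: not valid JSON (check for curly quotes)"]
    if not isinstance(data, dict) or set(data) != {"serverURL"}:
        return findings + ['json: expected exactly {"serverURL": "URL"}']
    url = data["serverURL"]
    srv = urlsplit(url) if isinstance(url, str) else None
    if srv is None or srv.scheme != "https" or not srv.hostname:
        findings.append("json: serverURL is not an absolute https URL")
    return findings

# Constructed sample inputs that reuse the placeholder hosts from the examples above.
SAMPLES = [
    ("https://pmdm.mycorp-inc.net/zdm/worxhome.apk",
     '{"serverURL":"https://pmdm.mycorp-inc.net/zdm"}'),
    ("http://example.com/zdm/worxhome.apk",
     '{"serverURL":"https://example.com/zdm"}'),
    ("https://example.com/zdm/worxhome.apk",
     '{\u201cserverURL\u201d:\u201chttps://example.com/zdm\u201d}'),  # pasted curly quotes
]

if __name__ == "__main__":
    for apk_url, custom_json in SAMPLES:
        print(apk_url, "->", check_mdm_profile(apk_url, custom_json) or "OK")
```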

To add devices by using a CSV file

To add devices, upload device IDs and associate them with one of the previously created MDM profiles. This is best done by uploading a .csv file. The different ways of building the file are documented on the KNOX website, but the simplest way is to enter one IMEI per line, as follows.

Note

You can alternatively add devices by scanning them, as described in the next section.

1. Go to Devices > All Devices and click Upload devices.

2. Under CSV File Format, click Download file template.

3. Enter information in the corresponding columns in the template:

Device info: IMEI, MEID, or serial number
Username (optional): If the user has been provisioned with a user name for your enterprise MDM setup.
Password (optional): If the user has been provisioned with a password for your enterprise MDM setup.
Other info (optional): Any other information that you want to include about the device.

4. Highlight all the cells in the spreadsheet.

5. Right-click the highlighted cells and select Format cells.

6. On the Number tab, under Category, click Text.

7. Click OK.

8. Save the spreadsheet as a .csv file.
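Steps 4 through 7 exist because a spreadsheet left on a numeric cell format rewrites a 15-digit IMEI in scientific notation and drops digits when it saves. The following check of the saved file is an added example, not part of the KNOX tooling; it assumes no header row and the device ID in the first column, and it verifies the IMEI check digit with the Luhn algorithm while passing MEIDs and serial numbers through unverified.

```python
import csv
import io
import re

# What a spreadsheet writes for a long number in a non-Text cell, e.g. 4.90154E+14
SCI_NOTATION = re.compile(r"^\d(\.\d+)?E\+\d+$", re.IGNORECASE)

def luhn_ok(digits):
    """True if the digit string passes the Luhn check used for IMEIs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def check_device_csv(text):
    """Return (accepted_ids, problems); problems are (line, value, reason)."""
    accepted, problems, seen = [], [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or not row[0].strip():
            continue                          # skip blank lines
        dev = row[0].strip()
        if SCI_NOTATION.match(dev):
            problems.append((lineno, dev, "scientific notation: cell was not Text"))
        elif dev in seen:
            problems.append((lineno, dev, "duplicate device ID"))
        elif dev.isdigit() and len(dev) == 15 and not luhn_ok(dev):
            problems.append((lineno, dev, "15 digits but IMEI check digit fails"))
        else:
            seen.add(dev)                     # valid IMEI, or MEID/serial (unverified)
            accepted.append(dev)
    return accepted, problems

# Constructed sample file: two valid IMEIs, a mangled cell, a mistyped
# IMEI, a duplicate, and a made-up serial number.
SAMPLE_CSV = """490154203237518,jdoe
352099001761481
4.90154E+14
490154203237519
490154203237518
R58M12ABCDE
"""

if __name__ == "__main__":
    ok, bad = check_device_csv(SAMPLE_CSV)
    print("accepted:", ok)
    for line, value, reason in bad:
        print(f"line {line}: {value}: {reason}")
```

If you fill in the optional Username and Password columns, the saved .csv file holds those credentials in clear text, so store and delete it accordingly.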

To enroll devices by using a .csv file

1. Click the Devices tab.

2. Click Upload Devices.

3. In the Add Devices dialog, click Browse, select your .csv file and then click Upload.

4. Enter your purchase details. The KNOX Mobile Enrollment tool verifies your purchase details to ensure that each device is enrolled in the proper enterprise.

5. Under Assign to Profile, select the MDM profile that you added.

6. Click Submit.

The All Devices list displays the enrollment status and profile of all the devices that you attempted to enroll. 

Only TIMA-enabled Samsung 2.4 devices are supported out of the box by the Samsung KNOX Mobile Enrollment tool. Also, for a device to successfully enroll in the enterprise, the device must connect to WiFi and users must agree to download and install Worx Home.

To add devices by using Scan

1. Download and install the KNOX Mobile Enrollment app from Google Play.

2. Enter your Samsung Portal credentials and then tap SIGN IN.

3. Tap Scan Devices.

4. Tap Scan new devices.

5. Align the barcode of your device with the red line to scan.

6. If the scan succeeds, the device IMEI appears. Tap Save.

7. Your scanned devices are shown in the scan queue. Tap Upload.

To enroll scanned devices

1. Log on to your KNOX Web Portal account and click Launch Mobile Enrollment.

2. Tap Scanned to view all added devices.

3. Select the devices that you want to enroll and tap Submit selected. To submit all scanned devices, tap Submit all.

4. In the Submit scanned devices pop-up, enter your Purchase details to confirm device ownership.

5. In the Assign MDM profile menu, select the profile to use for device enrollment.

6. Click Submit.

You will receive a confirmation email when the device information is verified.

For security reasons, devices are not immediately assigned to this bulk enrollment account. Samsung first must verify that the devices belong to the entity that is setting up the bulk enrollment account.

For that purpose, the next screen prompts for the identity of the reseller and for matching invoices.

Important

For legal reasons, Samsung maintains two distinct server groups: Americas and EU. U.S. devices must register with a KNOX account for the U.S. region. EU devices, as well as devices from any other region except China, which is not supported, must register with a KNOX account for the EU region.

A device from the wrong region will actually be accepted into the account, but bulk enrollment will fail on the device with a cryptic error. To check whether the device country code or origin is a non-U.S. country, download the simple Phone Info Samsung app from Google Play.

Enrollment Experience for Users

After the preceding configuration is completed, the first time a user starts a device and connects to the Internet using WiFi, the following sequence of screens appears. The enrollment process starts automatically, and users need to download and install Worx Home and then enter valid credentials on the Worx Home screen to complete the enrollment.

Note

To avoid any network costs for the user, enrollment doesn't use a cellular connection.

To enroll devices running a KNOX API earlier than version 2.4

On devices that have KNOX API earlier than version 2.4, bulk enrollment will not work out of the box, so users must initiate enrollment by going to a Samsung site to download the new Mobile Enrollment client and start the enrollment.

The downloaded enrollment client uses the same MDM profile and APKs configured in the KNOX Bulk enrollment portal for the KNOX 2.4/2.4.1 devices.

Users typically follow these steps:

1. Turn on the device and connect to WiFi. If the Mobile Enrollment doesn't start or WiFi is not available, do the following:

a. Go to https://me.samsungknox.com.

b. Tap the Enroll button to enroll devices with mobile data.

2. When the prompt Enroll with KNOX appears, tap Continue.

3. Read the EULAs (if available). Tap Next.

4. If prompted, enter the User ID and Password provided by the IT administrator.

At this point, the user’s credentials are validated and their device is enrolled in your organization’s enterprise IT environment.