With KME, Samsung devices can be quickly and easily prepared for management in a mobile device management (MDM) system. The enrollment of company-owned, administration-owned or school-owned devices can thus be done quickly without the need to manually enroll each device individually. This results in huge time savings especially when dealing with a large number of devices. The setup of the devices is started automatically as soon as they are put into operation and an Internet connection is established. Even if devices registered in the KME program are reset, they automatically re-enroll in the MDM system used. The KME program thus offers similar functions to Apple’s Device Enrollment Program (DEP).
First, Relution must be set up to use Android Enterprise. The individual steps are described in insight Android Enterprise setup.
Samsung devices can be registered in the KME program by authorized dealers using the serial number. If the devices were not procured from an authorized dealer, Samsung also offers the option of adding devices to the KME program manually at a later date. For this, either a special QR code has to be scanned during device setup, or the Knox Mobile Deployment App can be used on an additional Samsung device to set up a new device. The KME program is offered by Samsung free of charge after registration.
Android Enterprise (Device Owner) enrollment via KME is available for all Samsung devices with Android 8 or higher. The Android Enterprise mode “Managed Device” (Fully Managed) is available, which is used exclusively for business or educational purposes. The general advantages and possibilities of Android Enterprise with Relution are described in a separate insight Android Enterprise Fully Managed & Work Profile.
After logging into the Samsung Knox Portal the Knox Mobile Enrollment module can be selected:
The next step is to create a new MDM profile in the “MDM Profile” area via the “Create Profile” button:
Afterwards, select the profile type “Android Enterprise”:
Note: Samsung KME still supports the Device Administrator deployment method, which is no longer compatible with devices running Android 11 and later. For more information, see Samsung KME with Android Legacy.
Note: Samsung is working to ensure that Relution will be available for selection in the list of MDM systems in the future as part of the Samsung New Learning partnership.
Relution 5 enables the creation of a multi-enrollment code. This means that any number of devices can be enrolled with one code. This simplifies mass Android Enterprise enrollments, for example for class sets or loan devices at schools, but also enrollments of Bring Your Own Device (BYOD) devices with iOS.
When creating an enrollment, the “Multiple enrollment” button must be activated for this purpose in the “Expiration date & notification” configuration step.
The multi-enrollment code for a multiple enrollment can be obtained in Relution in two places: in the list view of the created enrollments, by clicking on the QR code icon of the respective row and then, in the subsequent dialog box, under “Means DPC Identifier” -> “KME Custom JSON”, or on the enrollment detail page under “Enrollment Information” -> “KME Custom JSON”. In both places the Custom JSON can be conveniently copied for further use in the Samsung Knox portal.
Automatic enrollment of Samsung Knox Mobile Enrollment (KME) devices running Android Enterprise is also simplified by transferring the multi-enrollment code from Relution via Custom JSON to the MDM profile at Samsung KME.
For this purpose, the Custom JSON is entered in the input field “Custom JSON data (according to MDM definition)” in the following format:
Manual scanning of the Android Enterprise Enrollment Code from the Relution Portal is thus no longer necessary and enrollment can be further automated.
By maintaining a WIFI configuration in the KME MDM profile, the setup of devices can be optimized. When the QR code of the MDM profile is scanned in the course of device setup, a connection to the WIFI is established automatically. This eliminates the need to manually enter the WIFI password on each device. Especially when enrolling more than 10 devices, this leads to significant time savings.
A separate dialog appears via the “Add QR code” button. A WIFI SSID can be specified here. In addition, the encryption (security) and the WIFI password can be stored. This setting is only available for devices with the Android 10 operating system and higher.
Note: When maintaining the WIFI configuration in the KME MDM profile, an additional checkbox can be activated so that devices are subsequently added in the KME program during setup and automatically assigned to the MDM profile. This is only necessary if the devices were not purchased from an authorized dealer or were not automatically added in the KME.
After the settings have been saved and the MDM profile has been created, a QR code is automatically created in the KME Portal for the MDM profile. This also contains the WIFI configuration information.
MDM profiles can also be assigned manually to devices in the KME Portal. This is necessary, for example, if no QR code has been created for the device setup in the Android Enterprise profile settings or if the operating system of the devices is older than Android 10 and therefore not QR code compatible.
It must be ensured that the respective organization in Relution, in which the Samsung Knox device is enrolled, is linked to a Google organization. Instructions for linking are described in insight Android Enterprise set up in Relution.
Afterwards, an Android Enterprise “Managed device” enrollment with the following settings must be created in Relution under “Devices -> Enrollments” for each Samsung Knox device:
The following steps are necessary for the initial startup of Samsung Knox devices:
Note: The QR code generated in the KME portal for the MDM profile (see above) is scanned, not the enrollment QR code from Relution. It is important to note that the QR code of the MDM profile can be used for any number of devices. Only if several MDM profiles, e.g. with different WIFI configurations, have been created must it be ensured that the correct QR code is used when scanning.
Note: If a multi-enrollment code has been created in Relution, it can be used for multiple devices. In addition, this step is automatically skipped if a custom JSON with the multi-enrollment code has been maintained in the KME MDM profile.