Insight19.01.2022

Samsung KME Android Enterprise

Why do you need Samsung Knox Mobile Enrollment (KME)?

With KME, Samsung devices can be quickly and easily prepared for management in a Mobile Device Management (MDM) system. The enrollment of company-owned, administration-owned or school-owned devices can thus be done quickly without the need to manually enroll each device individually. This results in huge time savings especially when dealing with a large number of devices. The setup of the devices is started automatically as soon as they are put into operation and an Internet connection is established. Even if devices registered in the KME program are reset, they automatically re-enroll in the MDM system used. The KME program thus offers similar functions to Apple’s Device Enrollment Program (DEP).

What are the requirements for using KME?

First, Relution must be set up to use Android Enterprise. The individual steps are described in the Insight Android Enterprise setup. Samsung devices can be registered in the KME program by authorized dealers with the serial number. If the devices were not procured from an authorized dealer, Samsung also offers the option of adding devices to the KME program manually at a later date. For this, either a special QR code has to be scanned during the device setup or the Knox Mobile Deployment App which can be used on an additional Samsung device to set up a new device. The KME program is offered by Samsung free of charge after registration.

What possibilities does the combination with Android Enterprise offer?

Android Enterprise (Device Owner) enrollment via KME is available for all Samsung devices with Android 8 or higher. The Android Enterprise mode “Managed Device” (Fully Managed) is available, which is used exclusively for business or educational purposes. The general advantages and possibilities of Android Enterprise with Relution are described in a separate insight Android Enterprise Fully Managed & Work Profile.

How is the configuration done in the KME Portal?

After logging into the Samsung Knox Portal the Knox Mobile Enrollment module can be selected:

Configuration overview in the Samsung Knox portal with the selection of the Knox Mobile Enrollment module for device enrollment

The next step is to create a new MDM profile in the “MDM Profile” area via the “Create Profile” button:

Afterwards, select the profile type “Android Enterprise”:

Note: Samsung KME still supports the Device Administrator deployment method, which is no longer compatible for Android 11 and later devices.

What details need to be specified in the KME MDM profile for use with Relution?

Assign a name for the profile. In the school context, one profile should be created per school (similar to how one MDM server is configured per school for Apple DEP).
For enrollment as a company-, administration- or school-owned device (Managed Device), select the "Force Device Owner Enrollment" option in MDM Information.
Select "Other" as the MDM system and paste the default APK for Android Enterprise enrollments from Google at "MDM Agent APK":

https://play.google.com/managed/downloadManagingApp?identifier=setup

Note: Samsung is working to ensure that Relution will be available for selection in the list of MDM systems in the future as part of the Samsung New Learning partnership.

What settings need to be made in the KME MDM profile for use with Relution?

Under Device settings, you can define whether system applications are required. If system applications are not allowed, the device is severely restricted. For example, sharing content like photos via WiFi Direct (similar to AirDrop) is not possible. This setting cannot be changed subsequently by the MDM server. Recommendation: System applications should therefore be allowed initially.
Indication of the company name or name of the school.

Can a Relution multi-enrollment code be used as Custom JSON with Samsung KME?

Relution 5 enables the creation of a multi-enrollment code. This means that any number of devices can be enrolled with one code. The optimization simplifies mass Android enterprise enrollments, for example for class sets or loan devices at schools, but also for enrollments of Bring Your Own Device (BYOD) devices with iOS.

When creating an enrollment, the “Multiple enrollment” button must be activated for this purpose in the “Expiration date & notification” configuration step.

View in the Relution portal with the activated "Multi-Enrollment" option to create a Multi-Enrollment Code for use as Custom JSON

The multi-enrollment code for a multiple enrollment can be obtained in Relution in the list view of the created enrollments by clicking on the QR code icon per row element and in the subsequent dialog box under “Means DPC Identifier” -> “KME Custom JSON”. Or on the enrollment detail page under “Enrollment Information” -> “KME Custom JSON”. The Custom JSON can be conveniently copied here for further use in the Samsung Knox portal in both places.

Overview in the Relution portal with the option "Via DPC Identifier" to display and copy the Multi-Enrollment Code as KME Custom JSON

Automatic enrollment of Samsung Knox Mobile Enrollment (KME) devices running Android Enterprise is also simplified by transferring the multi-enrollment code from Relution via Custom JSON to the MDM profile at Samsung KME.

For this purpose, the Custom JSON is entered in the input field “Custom JSON data" (according to MDM definition) in the following format:

{"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN":"ECWSXBLUOGEHGVQVRHXL"}

Manual scanning of the Android Enterprise Enrollment Code from the Relution Portal is thus no longer necessary and enrollment can be further automated.

What are the advantages of a QR code with WiFi configuration for enrollment in the KME MDM profile and how can it be added to the profile?

By maintaining a WiFi configuration in the KME MDM profile, the setup of devices can be optimized. By scanning this QR code in the course of device setup, a connection to the WiFi is thus automatically established. This eliminates the need to manually enter the WiFi password on each device. Especially when enrolling more than 10 devices, this leads to significant time savings.

A separate dialog appears via the “Add QR code” button. A WiFi SSID can be specified here. In addition, the encryption (security) and the WiFi password can be stored. This setting is only available for devices with the Android 10 operating system and higher.

Note: When maintaining the WiFi configuration in the KME MDM profile, an additional checkbox can be activated so that devices are subsequently added in the KME program during setup and automatically assigned to the MDM profile. This is only necessary if the devices were not purchased from an authorized dealer or were not automatically added in the KME.

After the settings have been saved and the MDM profile has been created, a QR code is automatically created in the KME portal for the MDM profile. This also contains the WiFi configuration information.

HOW CAN AN MDM PROFILE BE ASSIGNED TO A DEVICE IN THE KME PORTAL?

MDM profiles can also be assigned to devices manually in the KME portal. This is necessary, for example, if no QR code has been created for the device setup in the Android Enterprise profile settings or if the operating system of the devices is older than Android 10 and therefore not QR code compatible.

What are the preconditions for automatic enrollment of Samsung Knox devices with Android Enterprise in Relution?

It must be ensured that the respective organization in Relution, in which the Samsung Knox device is enrolled, is linked to a Google organization. Instructions for linking are described in the Insight Android Enterprise set up in Relution.

Afterwards, an Android Enterprise “Managed device” enrollment with the following settings must be created in Relution under “Devices -> Enrollments” for each Samsung Knox device:

Platform: Android Enterprise
Type: Managed device
Ownership: Company device (COD).

Settings in Relution for the automatic enrollment of Samsung Knox devices with Android Enterprise, including platform, type, and ownership definition

How are Samsung Knox devices automatically enrolled via KME?

The following steps are necessary for the initial startup of Samsung Knox devices:

Right at the beginning, you can switch to the KME Configuration Wizard on the device. To do this, a "+" sign must be physically "drawn" with the finger on the initial "Let's go" screen on the device.
The wizard offers various options. On the one hand, the setup can be done via Bluetooth and WiFi Direct with another device on which the Samsung Knox Deployment app has been set up. Or, the recommended convenient setup via QR code can be performed for devices with Android 10 or higher.

Note: The QR code generated in the KME portal for the MDM profile (see above) is scanned and not the enrollment QR code from Relution is used. It is important to note that the QR code of the MDM profile can be used for any number of devices. Only if several MDM profiles, e.g. with different WiFi configurations, have been created, it must be ensured that the correct QR code is used when scanning.

After initiation, several configurations are performed on the device, some of which have to be confirmed manually. For example, the WiFi connection is established, the MDM profile from the KME portal is loaded onto the device, and then the enrollment for Android Enterprise is prepared. If the standard Android setup wizard is used instead of the KME Configuration Wizard, the KME Configuration Wizard is automatically activated after a WiFi connection is established in the standard Android setup dialog. The MDM profile assigned to the device in the KME portal is then loaded and the other configuration steps are triggered automatically.

Start screen in the KME configuration assistant displaying "Let’s go" for initiating the device configuration

Registration options in the standard Android setup assistant to connect a tablet to a company, including Bluetooth, Wi-Fi Direct, and QR code

Display in the KME configuration assistant with a note on establishing the Wi-Fi connection during device initialization

Update process in the KME configuration assistant with a status bar and a note on the update of the registration service

In the further course of the enrollment process, the device is then paired with the MDM system. For this purpose, the Relution enrollment QR code is required to complete the enrollment. It is important to note that an individual QR code from a separately created enrollment in Relution must be used for each individual device.

Display during the enrollment process with the message "This device is not private" and the note "Device is being set up"

Display on the device during the enrollment process with the option "Enroll this device" and a prompt to scan or enter the QR code provided by the IT administrator

Completion of the KME configuration process with the message "Device is being updated"

Note: If a multi-enrollment code has been created in Relution, it can be used for multiple devices. In addition, this step is automatically skipped if a custom JSON with the multi-enrollment code has been maintained in the KME MDM profile.

Depending on the configuration of the enrollment in Relution, a passcode or a pattern must be defined. If no separate protection of the device is desired in the enrollment, this setup step is skipped.
If a (default) policy was assigned to the device during enrollment, in which managed apps for automatic installation or other configurations are also assigned, these are automatically applied to the device.

Home screen of an iPad after successful automatic enrollment via KME for Samsung Knox devices

Latest Insights

Relution and Samsung Knox Native Solution
16.02.2026
Relution and Samsung Knox Native Solution
Relution Parent
13.02.2026
Relution Parent
Relution Files for iOS & Android Enterprise
17.12.2025
Relution Files for iOS & Android Enterprise
Apple makes device migration to Relution easier with iOS 26, iPadOS 26, macOS
29.08.2025
Apple makes device migration to Relution easier with iOS 26, iPadOS 26, macOS
MDM briefly explained
25.07.2025
MDM briefly explained
Geo-zones in MDM: maximum control over mobile devicesGeo-zones in MDM: maximum control over mobile devices
10.03.2025
Geo-zones in MDM: maximum control over mobile devicesGeo-zones in MDM: maximum control over mobile devices
Data protection compliance with Relution - now more than ever
28.02.2025
Data protection compliance with Relution - now more than ever
Relution Kiosk Mode: Safer and easier device management
03.02.2025
Relution Kiosk Mode: Safer and easier device management
Cybersecurity, data protection and innovative solutions with Relution
10.01.2025
Cybersecurity, data protection and innovative solutions with Relution
VPN explained simply: How a virtual private network (VPN) protects your data
16.12.2024
VPN explained simply: How a virtual private network (VPN) protects your data