Insight 19.01.2022

Samsung KME with Android Enterprise

Why do you need Samsung Knox Mobile Enrollment (KME)?

With KME, Samsung devices can be quickly and easily prepared for management in a Mobile Device Management (MDM) system. The enrollment of company-owned, administration-owned or school-owned devices can thus be done quickly without the need to manually enroll each device individually. This results in huge time savings especially when dealing with a large number of devices. The setup of the devices is started automatically as soon as they are put into operation and an Internet connection is established. Even if devices registered in the KME program are reset, they automatically re-enroll in the MDM system used. The KME program thus offers similar functions to Apple’s Device Enrollment Program (DEP).

What are the requirements for using KME?

First, Relution must be set up to use Android Enterprise. The individual steps are described in the Insight Android Enterprise setup. Samsung devices can be registered in the KME program by authorized dealers using the serial number. If the devices were not procured from an authorized dealer, Samsung also offers the option of adding devices to the KME program manually at a later date. For this, either a special QR code has to be scanned during device setup, or the Knox Mobile Deployment App is used on an additional Samsung device to set up the new device. The KME program is offered by Samsung free of charge after registration.

What possibilities does the combination with Android Enterprise offer?

Android Enterprise (Device Owner) enrollment via KME is available for all Samsung devices with Android 8 or higher. The Android Enterprise mode “Managed Device” (Fully Managed) is available, which is used exclusively for business or educational purposes. The general advantages and possibilities of Android Enterprise with Relution are described in a separate insight Android Enterprise Fully Managed & Work Profile.

How is the configuration done in the KME Portal?

After logging into the Samsung Knox Portal the Knox Mobile Enrollment module can be selected:

insight-samsung_kme_android_enterprise-01-en.png

The next step is to create a new MDM profile in the “MDM Profile” area via the “Create Profile” button:

insight-samsung_kme_android_enterprise-02-en.png

Afterwards, select the profile type “Android Enterprise”:

insight-samsung_kme_android_enterprise-03-en.png

Note: Samsung KME still supports the Device Administrator deployment method, which is no longer compatible with devices running Android 11 or later. For more information, see Samsung KME with Android Legacy.

What details need to be specified in the KME MDM profile for use with Relution?

  1. Assign a name for the profile. In the school context, one profile should be created per school (similar to how one MDM server is configured per school for Apple DEP).
  2. For enrollment as a company-, administration- or school-owned device (Managed Device), select the "Force Device Owner Enrollment" option in MDM Information.
  3. Select "Other" as the MDM system and paste the default APK for Android Enterprise enrollments from Google at "MDM Agent APK":
https://play.google.com/managed/downloadManagingApp?identifier=setup

Note: Samsung is working to ensure that Relution will be available for selection in the list of MDM systems in the future as part of the Samsung New Learning partnership.

insight-samsung_kme_android_enterprise-04-en.png

What settings need to be made in the KME MDM profile for use with Relution?

  1. Under Device settings, you can define whether system applications are required. If system applications are not allowed, the device is severely restricted. For example, sharing content like photos via WiFi Direct (similar to AirDrop) is not possible. This setting cannot be changed subsequently by the MDM server. Recommendation: System applications should therefore be allowed initially. Unneeded applications can be allowed later via the Samsung Knox Service Plugin.
  2. Specify the company name or the name of the school.
insight-samsung_kme_android_enterprise-05-en.png

Can a Relution multi-enrollment code be used as Custom JSON with Samsung KME?

Relution 5 enables the creation of a multi-enrollment code. This means that any number of devices can be enrolled with one code. This simplifies mass Android Enterprise enrollments, for example for class sets or loan devices at schools, but also enrollments of Bring Your Own Device (BYOD) devices with iOS.

When creating an enrollment, the “Multiple enrollment” button must be activated for this purpose in the “Expiration date & notification” configuration step.

insight-samsung_kme_android_enterprise-06-en.png

The multi-enrollment code for a multiple enrollment can be obtained in Relution in the list view of the created enrollments by clicking the QR code icon in the relevant row and, in the subsequent dialog box, selecting “Means DPC Identifier” -> “KME Custom JSON”. Alternatively, it is available on the enrollment detail page under “Enrollment Information” -> “KME Custom JSON”. In both places, the Custom JSON can be conveniently copied for further use in the Samsung Knox portal.

insight-samsung_kme_android_enterprise-07-en.png
insight-samsung_kme_android_enterprise-08-en.png

Automatic enrollment of Samsung Knox Mobile Enrollment (KME) devices running Android Enterprise is also simplified by transferring the multi-enrollment code from Relution via Custom JSON to the MDM profile at Samsung KME.

For this purpose, the Custom JSON is entered in the input field “Custom JSON data” (according to MDM definition) in the following format:

{"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN":"ECWSXBLUOGEHGVQVRHXL"}
insight-samsung_kme_android_enterprise-09-en.png

Manual scanning of the Android Enterprise Enrollment Code from the Relution Portal is thus no longer necessary and enrollment can be further automated.
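
A pre-flight check for the Custom JSON before it is pasted into the KME MDM profile, as an added example (not Relution or Samsung code): it verifies the key name from the format above, catches typographic quotes introduced by copy and paste, and returns a redacted form for logs. The function name and the assumption that the profile carries only this one key are illustrative.

```python
import json

# Key name taken from the Custom JSON format shown on this page.
TOKEN_KEY = "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN"
# Typographic quotes that editors and chat tools substitute for the plain ".
SMART_QUOTES = "\u201c\u201d\u201e\u201f"


def check_kme_custom_json(text):
    """Return (problems, redacted_json) for text meant for "Custom JSON data"."""
    problems = []
    if any(ch in text for ch in SMART_QUOTES):
        problems.append('typographic quotes found; JSON requires the plain " character')
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        problems.append(f"not valid JSON: {exc.msg} (column {exc.colno})")
        return problems, None
    if not isinstance(data, dict):
        problems.append("top level must be a JSON object")
        return problems, None
    # Assumption: the profile carries only the enrollment token, as shown above.
    unexpected = sorted(k for k in data if k != TOKEN_KEY)
    if unexpected:
        problems.append(f"unexpected keys: {unexpected}")
    token = data.get(TOKEN_KEY)
    if not isinstance(token, str) or not token.strip():
        problems.append("enrollment token missing or empty")
        return problems, None
    if token != token.strip():
        problems.append("enrollment token has surrounding whitespace")
    # One multi-enrollment code enrolls any number of devices, so only a
    # redacted form should end up in logs, tickets or screenshots.
    redacted = json.dumps({TOKEN_KEY: token.strip()[:4] + "..."})
    return problems, redacted


# Constructed inputs; the token is the sample value printed on this page.
GOOD = '{"' + TOKEN_KEY + '":"ECWSXBLUOGEHGVQVRHXL"}'
SMART = "{\u201c" + TOKEN_KEY + "\u201d:\u201cECWSXBLUOGEHGVQVRHXL\u201d}"
EMPTY = '{"' + TOKEN_KEY + '":""}'

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("SMART", SMART), ("EMPTY", EMPTY)):
        print(name, check_kme_custom_json(sample))
```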

What are the advantages of a QR code with WiFi configuration for enrollment in the KME MDM profile and how can it be added to the profile?

By maintaining a WiFi configuration in the KME MDM profile, the setup of devices can be optimized. By scanning this QR code in the course of device setup, a connection to the WiFi is thus automatically established. This eliminates the need to manually enter the WiFi password on each device. Especially when enrolling more than 10 devices, this leads to significant time savings.

A separate dialog appears via the “Add QR code” button. A WiFi SSID can be specified here. In addition, the encryption (security) and the WiFi password can be stored. This setting is only available for devices with the Android 10 operating system and higher.

insight-samsung_kme_android_enterprise-10-en.png

Note: When maintaining the WiFi configuration in the KME MDM profile, an additional checkbox can be activated so that devices are subsequently added in the KME program during setup and automatically assigned to the MDM profile. This is only necessary if the devices were not purchased from an authorized dealer or were not automatically added in the KME.

After the settings have been saved and the MDM profile has been created, a QR code is automatically created in the KME portal for the MDM profile. This also contains the WiFi configuration information.

How can an MDM profile be assigned to a device in the KME portal?

MDM profiles can also be assigned to devices manually in the KME portal. This is necessary, for example, if no QR code has been created for the device setup in the Android Enterprise profile settings or if the operating system of the devices is older than Android 10 and therefore not QR code compatible.

insight-samsung_kme_android_enterprise-11-en.png
insight-samsung_kme_android_enterprise-12-en.png

What are the preconditions for automatic enrollment of Samsung Knox devices with Android Enterprise in Relution?

It must be ensured that the respective organization in Relution, in which the Samsung Knox device is enrolled, is linked to a Google organization. Instructions for linking are described in the Insight Android Enterprise set up in Relution.

Afterwards, an Android Enterprise “Managed device” enrollment with the following settings must be created in Relution under “Devices -> Enrollments” for each Samsung Knox device:

  1. Platform: Android Enterprise
  2. Type: Managed device
  3. Ownership: Company device (COD).
insight-samsung_kme_android_enterprise-13-en.png

How are Samsung Knox devices automatically enrolled via KME?

The following steps are necessary for the initial startup of Samsung Knox devices:

  1. Right at the beginning, you can switch to the KME Configuration Wizard on the device. To do this, a "+" sign must be physically "drawn" with the finger on the initial "Let's go" screen on the device.
  2. The wizard offers various options. Setup can be done via Bluetooth and WiFi Direct with another device on which the Samsung Knox Deployment app has been set up. Alternatively, the recommended, convenient setup via QR code can be performed for devices with Android 10 or higher.

Note: The QR code generated in the KME portal for the MDM profile (see above) is scanned here, not the enrollment QR code from Relution. It is important to note that the QR code of the MDM profile can be used for any number of devices. Only if several MDM profiles have been created, e.g. with different WiFi configurations, must care be taken to scan the correct QR code.

  3. After initiation, several configurations are performed on the device, some of which have to be confirmed manually. For example, the WiFi connection is established, the MDM profile from the KME portal is loaded onto the device, and then the enrollment for Android Enterprise is prepared. If the standard Android setup wizard is used instead of the KME Configuration Wizard, the KME Configuration Wizard is automatically activated after a WiFi connection is established in the standard Android setup dialog. The MDM profile assigned to the device in the KME portal is then loaded and the other configuration steps are triggered automatically.
insight-samsung_kme_android_enterprise-14-en.png
insight-samsung_kme_android_enterprise-15-en.png
insight-samsung_kme_android_enterprise-16-en.png
insight-samsung_kme_android_enterprise-17-en.png
insight-samsung_kme_android_enterprise-18-en.png
  4. In the further course of the enrollment process, the device is then paired with the MDM system. For this purpose, the Relution enrollment QR code is required to complete the enrollment. It is important to note that an individual QR code from a separately created enrollment in Relution must be used for each individual device.
insight-samsung_kme_android_enterprise-19-en.png
insight-samsung_kme_android_enterprise-20-en.png
insight-samsung_kme_android_enterprise-21-en.png

Note: If a multi-enrollment code has been created in Relution, it can be used for multiple devices. In addition, this step is automatically skipped if a custom JSON with the multi-enrollment code has been maintained in the KME MDM profile.

  5. Depending on the configuration of the enrollment in Relution, a passcode or a pattern must be defined. If no separate protection of the device is desired in the enrollment, this setup step is skipped.
  6. If a (default) policy was assigned to the device during enrollment, in which managed apps for automatic installation or other configurations are also assigned, these are automatically applied to the device.
insight-samsung_kme_android_enterprise-22-en.png