Home
Insight08.04.2021

Samsung KME Android Legacy

Samsung Knox Mobile Enrollment with device administrator

The following quick guide describes the changes to the enrollment process for KME with Relution Server 4.62 or later and Relution for Android 3.86 or later. These changes allow Samsung devices with Android 10 to be enrolled. The enrollment type device administrator is no longer supported as of Android 11.

The previous instructions are here.

This document highlights the changes from the previous process. The rest of the process remains unchanged.

Creating a new profile

As before, a profile must be created on the Knox Mobile Enrollment Portal from Samsung.

insight-samsung_kme-01-en.png

For this purpose, after the login on Samsungknox.com first click on "Launch Console" in the "Knox Mobile Enrollment" area.

In the Knox Mobile Enrollment Console you have to switch to "MDM Profiles" in the left menu and press the button "Create Profile".

insight-samsung_kme-02-en.png

In the following selection dialog "Device Admin" must be selected as profile type.

insight-samsung_kme-03-en.png

A profile of the type "Device Owner" is currently not yet supported.

Configure profile

In the new profile, the option "Server URI not required for my MDM" must be selected, unlike before. The previous option no longer works on devices starting with Android 10, as Samsung has switched off the necessary infrastructure.

insight-samsung_kme-04-en.png

Since Relution still supports on-premise installations, the server URL must now be transmitted to the client in a different way. The configuration is done on the following pages.

In the new profile, the MDM client to be installed on the device during enrollment must first be specified. Unlike before, this can no longer be determined automatically, as Samsung no longer has a direct connection to our MDM server.

insight-samsung_kme-05.1-de.png

Here the following URL https://repo.relution.io/apps/android/latest/Relution-normal-release.apk must be used to install the current release version of Relution for Android on the device. For customers with a white label version, the URL may vary accordingly.

Subsequently, "Custom JSON Data" must be stored, which is transmitted to the MDM client after installation.

insight-samsung_kme-06-en.png

The protocol (HTTPS) followed by the host name of the MDM server must be entered here.

The JSON file consists of:

{ "server" : "https://<hostname>" }

Here, the <hostname> Needs to be replaced with the host name of the MDM server. For the cloud instance of MWAY ("https://live.relution.io") the corresponding JSON is as follows:

{ "server" : "https://live.relution.io" }

The new profile can then be saved.

The new profile must now be assigned to the mobile device, as was the case in the previous process.

When the Device is started for the first time (or after a Factory Reset), it is assigned the profile by Samsung's KME Server, the Relution App is installed on the Device and the enrollment process is started.

Enrollment

The registration procedure on the mobile device is identical to the previous procedure, except for one change. Since the Samsung server no longer communicates directly with the MDM server, the enrollment is no longer generated automatically.

It is therefore now necessary for the user to log on to the mobile device during enrollment.

insight-samsung_kme-07-en.png

On log-in, an enrollment is automatically generated for the user, provided the following prerequisites are met:

  1. There is an auto-enrollment for this device with the corresponding serial number. As before, the devices must have been imported from the Samsung portal before enrollment.
  2. The Auto-Enrollment is either assigned to the "Device User" group or the corresponding user.

If no auto-enrollment is available, the auto-enrollment cannot be found using the serial number or is assigned to a different user, the enrollment process fails.