The future of the workplace is changing. Learn how Samsung is merging the office with the flexibility of remote work right here.
Mobility-focused IT managers know the benefits of mobile device management (MDM) and enterprise mobility management (EMM) solutions for their fleets of smartphones and tablets. From a central console, they can keep devices secure and up-to-date by setting policies and device configurations, managing apps, and locating and wiping lost or stolen devices. But there’s still one time-consuming task on the list for large mobile deployments: registering devices to the MDM/EMM tools.
Each MDM/EMM tool works differently, but generally, enrollment requires the end user to find and install a software package from an app store or IT server, enter some company-specific information and then log in with their enterprise credentials to register the device to the MDM/EMM portal. If the device serial number wasn’t preloaded by the IT manager, someone has to log in to the MDM/EMM tool and select the correct profile for the user.
To shorten the road to mobile security, look to Knox Mobile Enrollment.
How does Knox Mobile Enrollment work?
Knox Mobile Enrollment (KME) is a cloud-based service that can be used to register any Samsung smartphone or tablet to your MDM/EMM. KME depends on two bits of wizardry: a preloaded list of serial numbers attached to a company, and Samsung Knox-enabled devices automatically connecting to the KME service when they are first turned on.
The first magic piece relies on resellers working with their customers to simplify device setup. When an IT manager wants to use KME, they set up a company account on the KME service, and then authorize their preferred Samsung reseller to add devices to their KME environment. When the reseller is about to ship devices, they load the IMEI numbers into their KME portal and associate them with the company buying them, which activates them in the KME portal. In effect, the IT manager knows about the IMEI numbers of their devices before they hit their loading dock and can even assign devices to particular users, sight unseen. The whole process seems even more magical when a reseller drop-ships a device directly to the end user, because the device begins enrollment and learns what company owns it the moment the device is turned on.
That’s the second bit of wizardry: the Samsung mobile device itself. When the device is first booted and has an internet connection, whether through Wi-Fi or a carrier’s data network, it connects to a Samsung KME server, sending up its IMEI number. If the number is known and mapped to a company, then the whole mobile enrollment process starts immediately. For the end user receiving a new device, KME enrollment is automatic, so they can skip the usual device setup wizard.
In between shipment and enrollment, IT managers have to build a profile for the device so that it can enroll into their preferred MDM/EMM toolkit. KME supports almost two dozen different MDM/EMM tools, including the usual big names: VMware, MobileIron, Microsoft Intune, BlackBerry UEM, Citrix, IBM MaaS360, Kaspersky, Sophos and — of course — Samsung’s own cloud-based EMM solution.
KME profiles have only a few settings, as the goal is just to get the device enrolled into the MDM/EMM and not be a full configuration toolkit. IT managers have to specify which MDM/EMM they are using, any MDM-specific information that is needed, whether or not the MDM/EMM enrollment and setup wizards are optional and how the user will be authenticated to the MDM/EMM tool.
KME includes a variety of authentication options flexible enough for most environments. IT managers can require end users to provide their own username and password to finish the enrollment, use a single shared credential to get the enrollment process running or — for MDM/EMM tools that support it — use a one-time password generated by the MDM/EMM tool to securely link to a particular user without asking for a password. IT managers can even load usernames and passwords into KME, which works well for dedicated single-application devices installed into kiosks.
The Mobile Security Top 10
Get your free guide to better securing the personal and work data on your mobile phone. Download Now
In addition to the bulk enrollment process, KME offers several alternative enrollment approaches for smaller deployments or one-off registration to the MDM as well. To quickly add devices, IT admins can use NFC, Bluetooth or Wi-Fi Direct to quickly initiate enrollment.
Another unique strength of KME is that once enrolled, MDM controls can’t be rolled back unless the IT admin unenrolls the device. If an end user or malicious actor performs a factory reset or uninstalls the EMM agent from the device, KME will automatically re-initiate the enrollment process upon reboot.
KME also helps address the risk of devices being bricked when a end user can’t remember their user credentials after a factory reset. IT can disable Android factory reset protection so that devices can be recovered even if credentials are lost.
KME is also one of four solutions bundled in Knox Suite, along with Knox Platform for Enterprise, Knox Manage and Knox E-FOTA. Organization keep achieve comprehensive lifecycle device management with a single license and one sign-on with the suite option.
For end users, KME speeds up the process of getting started with their new smartphone. For IT managers, it ensures that devices start with a secure configuration from the first boot and are immediately linked to the enterprise MDM/EMM tool. It’s a win-win solution.
Oh, one more thing: it’s completely free.
Discover how Knox Suite extends the value of Samsung Knox with a complete enterprise security solution. Learn best practices for thwarting mobile security breaches and responding when they occur in our guide, Building a Cyber Incident Response Plan.