Mobility-focused IT managers know the benefits of mobile device management (MDM) and enterprise mobility management (EMM) solutions for their fleets of smartphones and tablets. From a central console, they can keep devices secure and up-to-date by setting policies and device configurations, managing apps, and locating and wiping lost or stolen devices. But there’s still one time-consuming task on the list for large mobile deployments: registering devices to the MDM/EMM tools.

Each MDM/EMM tool works differently, but generally, enrollment requires the end user to find and install a software package from an app store or IT server, enter some company-specific information and then log in with their enterprise credentials to register the device to the MDM/EMM portal. If the device serial number wasn’t preloaded by the IT manager, someone has to log in to the MDM/EMM tool and select the correct profile for the user.

To shorten the road to mobile security, look to Knox Mobile Enrollment.

How does Knox Mobile Enrollment work?

Knox Mobile Enrollment (KME) is a cloud-based service that can be used to register any Samsung smartphone or tablet to your MDM/EMM. KME depends on two bits of wizardry: a preloaded list of serial numbers attached to a company, and Samsung Knox-enabled devices automatically connecting to the KME service when they are first turned on.

Shop special offers

Find out about offers on the latest Samsung technology.

see deals

Speak to a solutions expert

Get expert advice from a solutions consultant.

Talk to an expert

The first magic trick relies on resellers working with their customers to simplify device setup. When an IT manager wants to use KME, they set up a company account on the KME service, and then authorize their preferred Samsung reseller to add devices to their KME environment. When the reseller is about to ship devices, they load the IMEI numbers into their KME portal and associate them with the company buying them, which activates them in the KME portal. In effect, the IT manager knows about the IMEI numbers of their devices before they hit their loading dock and can even assign devices to particular users, sight unseen. The whole process seems even more magical when a reseller drop-ships a device directly to the end user, because the device begins enrollment and learns what company owns it the moment the device is turned on.

That’s the second bit of wizardry: the Samsung mobile device itself. When the device is first booted and connects to the internet, whether through Wi-Fi or a carrier’s data network, it touches base with a Samsung Knox server, sending over its IMEI number. If the number is known and mapped to a company, then the whole mobile enrollment process immediately initiates. For the end user receiving a new device, mobile enrollment is automatic, so they can skip the usual device setup wizard.

Flexible functionality

To enable automated enrollment, all IT managers have to do is build a profile for the device so that it can enroll into their preferred MDM/EMM toolkit. KME supports almost two dozen different MDM/EMM tools, including the usual big names: VMware, MobileIron, Microsoft Intune, BlackBerry UEM, Citrix, IBM MaaS360, Kaspersky, Sophos and of course, Samsung’s own cloud-based EMM solution, Knox Manage.

KME profiles have only a few settings, as the goal is just to get the device enrolled into the MDM/EMM and not be a full configuration toolkit. IT managers have to specify which MDM/EMM they are using, any MDM-specific information that is needed, whether or not the MDM/EMM enrollment and setup wizards are optional and how the user will be authenticated to the MDM/EMM tool.

KME includes a variety of authentication options flexible enough for most environments. IT managers can require end users to provide their own username and password to finish the enrollment, use a single shared credential to get the enrollment process running or — for MDM/EMM tools that support it — use a one-time password generated by the MDM/EMM tool to securely link to a particular user without asking for a password. IT managers can even load usernames and passwords into KME, which works well for dedicated single-application devices installed into kiosks.

In addition to the bulk enrollment process, KME offers several alternative enrollment approaches for smaller deployments or one-off registration to the MDM as well. To quickly add devices, IT admins can use NFC, Bluetooth or Wi-Fi Direct to quickly initiate enrollment.

To support intranet-only environments, KME offers an on-premises version called KME Direct. To use KME Direct, an IT admin downloads a PC app and creates profiles with the necessary device content such as settings, restrictions and apps. The app generates a QR code that’s used to deploy profiles to groups of devices. Users scan the QR code from their devices, which connects it to the enterprise’s network, enrolls it in the EMM and applies the profile to configure the device.

End-to-end security

Another unique strength of KME is that once your devices are enrolled, the MDM controls can’t be rolled back unless the IT admin unenrolls the device. If an end user or malicious actor performs a factory reset or uninstalls the EMM agent from the device, KME will automatically reinitiate the enrollment process upon reboot.

KME also helps address the risk of devices being bricked when an end user can’t remember their user credentials after a factory reset. IT can disable Android factory reset protection so devices can be recovered even if credentials are lost.

Mobile device management for beginners

White Paper

Get started with MDM so your organization can spend less and do more — securely and efficiently. Download Now

KME is also one of several solutions bundled in Knox Suite, along with Knox Manage, Knox Platform for Enterprise (KPE), Knox E-FOTA and Knox Asset Intelligence. Organizations can achieve comprehensive life cycle device management with a single license and one sign-on with the suite option.

For end users, KME speeds up the process of getting started with their new smartphone. For IT managers, it ensures that devices start with a secure configuration from the first boot and are immediately linked to the enterprise MDM/EMM tool. It’s a win-win solution. And it’s completely free.

Discover how Knox Suite extends the value of Samsung Knox with a complete enterprise security solution. And if you’re just getting started on your MDM journey, this free guide can help you hit the ground running.

Avatar photo

Posts By

Prasad Rayala

Prasad Rayala is a product manager at Samsung Electronics America, focused on the Knox mobile management and security offerings. He joined Samsung as a mobility consultant in 2013 and has helped Knox evolve into a comprehensive suite of mobile security products.

View more posts by Prasad Rayala