Use Samsung Knox Mobile Enrollment to Empower the Enrollment of Samsung Devices to WS1 UEM

While Workspace ONE UEM supports a lot of different options to enroll a Device, if it is a Samsung Device then Samsung Knox Mobile Enrollment (KME) is definitely a good option. While Samsung supports ZeroTouch also, still a lot of “Samsung” only Android Customers are Leveraging KME as it is easy and quick to setup. Also adding devices via NFC or Bluetooth with the “Knox Deployment” App simplifies things when devices are not central purchased. This devices can be enrolled within minutes to Workspace ONE UEM with the help of Samsung KME.

Creating Profiles

Profiles have the configuration for a group of devices, everything you put in here is used by the Devices that have the Profile assigned. To create a Profile , go to “Profiles” in Samsung Knox Mobile Enrollment and Click to Create Profile:

Once done, select the profile type , recommend to do “Android Enterprise” as Legacy is not recommended for new enrolments. If you select Legacy and UEM is set to Android Enterprise it will enroll as Work Profile. Note that in this scenario some Flags might not work as it is not expected that a Company owned device gets enrolled as Work Profile.

Give the Profile a Name, select “Workspace ONE UEM” as MDM, in case you want to use a Specific Version of Hub to enroll & not that latest, you can update the “MDM Agent URL” to you specific URL, while the default will work as well. Specify your Device Services server name , so that this URL is already added to the Hub before enrollment.

Once Done , Enter the Custom JSON Data (details in next part of the Blog called “Custom JSON Data“) . If your Device Service Server is using a untrusted Root CA / Chain as SSL Certificate you can upload the Root CA here as well. This is not Recommended , but there might be some Use-Cases for this.

If you want all the System Apps on the Phone enable or just the Basic once you specify it here.

Also the Company Name (visible for the User on Enrollment can be specified here.

To avoid useless steps I recommend on ticking the box for Android 12 to “skip setup screens” that are not required.

Custom JSON Data

As the Custom Data is JSON it all have to be in the curly brackets, Separated by commas and the Flag with the Value have to have a colon between. All Falgs an Values need be in quotation marks . Here a Sample of the Custom JSON

{"groupid":"Customer123","un":"StagingUsername","pw":"Password1!","useUEMAuthentication":"true","allowUnpinning":"false","disableSafeBoot":"true"}

To get a deeper understanding of the Values and their meaning here a short list of the most important Flags that you can set:

Value ExplanationSample
groupid or gid
(Both works)
specifies WS1 UEM OG where the device is being enrolledCustomer123
unspecifies Username of the User or the Staging UserStagingUsername
pwspecifies Password of the User or the Staging UserPassword1!
useUEMAuthenticationspecifies if WS1 Access as source of Authentication is selected, this key enabled the Staging to use UEM Authenticationtrue
allowUnpinningspecifies if the User is allowed from leaving the Hub App until the Enrollment is finished or notfalse
disableSafeBootspecifies if user is allowed to go into safe boot mode or nottrue
disableUsbDebuggingspecifies is user is allowed to enable debugging optionstrue
disableInstallUnknownSourcesspecifies if non-market apps are allowed to installtrue
EnableAllFileAccessPermissionto Support the changes on “Scoped Storage” on Android you can force the prompt during enrollment true

You can add all supported Flags that are listed for Android Zero Touch within the “android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE” but there is a limitation of 2000 characters withing Samsung Knox Mobile Enrollment.

Specify Username & Password for a Single Device

While a Profile is used for a group of devices, I use for example a User ID and Password per Device to directly enroll. Therefore I do not enter a Username or Password in the Profile, i add it to the Device itself. This gets applied to the Device on Enrollment and Hub can consume it.

Written by

Website | + posts

Leave a Reply

Your email address will not be published. Required fields are marked *.

*
*
You may use these <abbr title="HyperText Markup Language">HTML</abbr> tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.

BCF Shop Theme By aThemeArt.
BACK TO TOP