Use Samsung Knox Mobile Enrollment to Empower the Enrollment of Samsung Devices to WS1 UEM
While Workspace ONE UEM supports many different options to enroll a device, Samsung Knox Mobile Enrollment (KME) is definitely a good option if the device is a Samsung device. Although Samsung also supports Zero Touch, many “Samsung-only” Android customers still use KME because it is quick and easy to set up. Adding devices via NFC or Bluetooth with the “Knox Deployment” app also simplifies things when devices are not centrally purchased. These devices can be enrolled in Workspace ONE UEM within minutes with the help of Samsung KME.
Creating Profiles
Profiles hold the configuration for a group of devices; everything you put in a profile is used by the devices that have the profile assigned. To create a profile, go to “Profiles” in Samsung Knox Mobile Enrollment and click to create a profile.
Once done, select the profile type. I recommend “Android Enterprise”, as Legacy is not recommended for new enrollments. If you select Legacy and UEM is set to Android Enterprise, the device will enroll as Work Profile. Note that in this scenario some flags might not work, because a company-owned device is not expected to be enrolled as Work Profile.
Give the profile a name and select “Workspace ONE UEM” as the MDM. If you want to enroll with a specific version of Hub rather than the latest, you can change the “MDM Agent URL” to your specific URL; the default will work as well. Specify your Device Services server name so that this URL is already added to the Hub before enrollment.
Once done, enter the Custom JSON Data (details in the next part of this blog, “Custom JSON Data”). If your Device Services server uses an SSL certificate from an untrusted root CA / chain, you can upload the root CA here as well. This is not recommended, but there might be some use cases for it.
Here you also specify whether all system apps on the phone should be enabled or just the basic ones.
The company name (visible to the user during enrollment) can also be specified here.
To avoid unnecessary steps, I recommend ticking the Android 12 box to “skip setup screens” that are not required.
Custom JSON Data
Because the custom data is JSON, it all has to be inside curly brackets, with entries separated by commas and a colon between each flag and its value. All flags and values need to be in quotation marks. Here is a sample of the custom JSON:
{"groupid":"Customer123","un":"StagingUsername","pw":"Password1!","useUEMAuthentication":"true","allowUnpinning":"false","disableSafeBoot":"true"}
To get a deeper understanding of the flags and their meaning, here is a short list of the most important flags that you can set:
| Flag | Explanation | Sample |
| --- | --- | --- |
| groupid or gid (both work) | specifies the WS1 UEM OG where the device is being enrolled | Customer123 |
| un | specifies the username of the user or the staging user | StagingUsername |
| pw | specifies the password of the user or the staging user | Password1! |
| useUEMAuthentication | specifies whether WS1 Access is selected as the source of authentication; this key enables staging to use UEM authentication | true |
| allowUnpinning | specifies whether the user is allowed to leave the Hub app before the enrollment is finished | false |
| disableSafeBoot | specifies if the user is allowed to go into safe boot mode or not | true |
| disableUsbDebugging | specifies if the user is allowed to enable debugging options | true |
| disableInstallUnknownSources | specifies if non-market apps are allowed to install | true |
| EnableAllFileAccessPermission | to support the “Scoped Storage” changes on Android, you can force the prompt during enrollment | true |
You can add all supported flags that are listed for Android Zero Touch within the “android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE”, but there is a limit of 2000 characters within Samsung Knox Mobile Enrollment.
Specify Username & Password for a Single Device
While a profile is used for a group of devices, I use, for example, a user ID and password per device to enroll directly. Therefore I do not enter a username or password in the profile; I add them to the device itself. They get applied to the device on enrollment and Hub can consume them.
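A pre-upload check for the custom JSON described above, as an added example (not from the original post and not Samsung or VMware tooling): it enforces the quoting rule and the 2000-character limit, and flags `un`/`pw` stored at profile level. The function name, the severity labels and the rule that boolean flags take only "true" or "false" are assumptions of this example.

```python
import json

# Flags from the table on this page; other Zero Touch extras are also accepted.
BOOLEAN_FLAGS = {"useUEMAuthentication", "allowUnpinning", "disableSafeBoot",
                 "disableUsbDebugging", "disableInstallUnknownSources",
                 "EnableAllFileAccessPermission"}
KNOWN_FLAGS = BOOLEAN_FLAGS | {"groupid", "gid", "un", "pw"}
MAX_CHARS = 2000  # KME limit on the custom data field, as stated on this page


def lint_kme_custom_data(text):
    """Return a list of (severity, message) findings for a KME custom JSON string."""
    findings = []
    if len(text) > MAX_CHARS:
        findings.append(("error", f"{len(text)} characters exceeds the {MAX_CHARS} limit"))
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return findings + [("error", f"not valid JSON: {exc.msg} at position {exc.pos}")]
    if not isinstance(data, dict):
        return findings + [("error", "top level must be one object in curly brackets")]
    for flag, value in data.items():
        if not isinstance(value, str):
            findings.append(("error", f"{flag}: value must be in quotation marks"))
        elif flag in BOOLEAN_FLAGS and value not in ("true", "false"):
            # Assumption: boolean flags take "true" or "false", as in the page's samples.
            findings.append(("error", f'{flag}: expected "true" or "false"'))
        if flag not in KNOWN_FLAGS:
            findings.append(("info", f"{flag}: not in this page's flag list, check spelling"))
    for cred in ("un", "pw"):
        if cred in data:
            findings.append(("warning", f"{cred} is stored in the profile and shared by "
                             "every device using it; consider per-device credentials"))
    return findings


# Constructed samples: the page's sample, and one with an unquoted boolean and a typo.
PAGE_SAMPLE = ('{"groupid":"Customer123","un":"StagingUsername","pw":"Password1!",'
               '"useUEMAuthentication":"true","allowUnpinning":"false","disableSafeBoot":"true"}')
BROKEN_SAMPLE = '{"gid":"Customer123","disableSafeBoot":true,"disableUsbDebuging":"yes"}'

if __name__ == "__main__":
    for name, sample in (("page sample", PAGE_SAMPLE), ("broken sample", BROKEN_SAMPLE)):
        print(name)
        for severity, message in lint_kme_custom_data(sample):
            print(f"  [{severity}] {message}")
```

The page's own sample passes the syntax checks but produces two warnings, because its staging username and password sit in the profile rather than on the individual device.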
vExpert, blogger and VMware champion. Worked 10 years as a VMware & Microsoft consultant for a partner before joining VMware in 2017.