Samsung Knox mobile enrollment

QueBall
Here to help


I have our devices successfully registered for Knox mobile enrollment. (A big hurdle here is the reseller or distributor must upload the list of serial numbers you purchased and assign it to your Knox customer ID. You have no way of assigning these to your own account without reseller assistance.) This is similar to the Apple device enrollment program (DEP) in many ways.

 

Now I have been testing a variety of MDM solutions and some support this Knox mobile enrollment method to automatically reinstall the MDM software after a device is factory reset.  For the systems that fully support it I even have it enrolling the device in device owner mode which is what I want all our devices to be running.  This would be a great help for any lost/stolen devices as they are forced to re-enroll in the MDM if anyone does a factory wipe on the device.  The best ones will re-enroll without first asking the user to enter credentials.  

 

I am not seeing any documentation on what settings could be used for Meraki SM to utilize the Knox mobile enrollment system, so I just want to confirm there is no unsupported method anyone can point me to in order to use this method to enroll new or reset devices? I assume the lack of documentation I could find means it's unsupported or my search kung fu ability is failing me. The list of supported MDM solutions that Samsung support sent to me did not include Cisco, but that doesn't mean much, as even the Samsung Knox Premium MDM doesn't support the Android for Work mode, so their own MDM is one of the worst choices for me at the moment.

 

 

The one I have working best at the moment is Zoho ManageEngine Mobile Device Manager Plus. It's 90% automated. You just need to go into the console after the device has enrolled and booted up the first time to assign it a user profile, and it then completes the Android for Work process. I think I like the Meraki system better for most aspects. Zoho is a little rough around the edges, but this Knox mobile enrollment feature is pushing me to choose them at the moment.

 

PhilipDAth
Kind of a big deal

I don't know much about the Samsung Knox support, but here is some info about it:

https://documentation.meraki.com/SM/Profiles_and_Settings/Samsung_KNOX

QueBall
Here to help

Unfortunately Samsung uses the brand Knox for everything they do in the area of mobile device security.  Reminds me of the Smurfs.  

 

In this case Knox Mobile Enrollment is a distinct system for enrolling devices in an MDM system, separate from the concept of the Knox container security APIs built into the device. It is separate from Knox container on device, Knox Configure, Knox Premium MDM, and likely a bunch of other stuff branded with the Knox name.

 

Like when my parents tell me their Microsoft isn't working the brand name itself isn't very meaningful unless you know the specific product name you are referring to.

PeterJames
Head in the Cloud

See [Android Enrolment].

 

Android Oreo 8.0+ introduced silent enrolment that is on par with the Apple DEP programme. But given how new this is, I do not expect many MDM solutions to have this implemented. This, coupled with Android playing catch-up in the enterprise world, means it will be interesting to see how this all shapes out.

@PhilipDAth has linked the profile information I can find on this subject. I am not sure if the 'More Android' profile settings work with the 'Samsung KNOX' settings, as they appear on the same level.

 

The lack of any change control with the iOS / Apple Store is one of Apple's greatest strengths for consumers. But for a company that needs to pre-test and have a change control process in place, it is a weakness for enterprise customers. However, they have recognised this and provided such introductions as 'Custom B2B Apps'. But the lack of any control over iOS updates still needs to be addressed. I strongly believe that if you have an Apple caching server, you should be able to purchase an enterprise certificate that could allow you to delay the iOS updates for up to 30 days.

 

Case in point: iOS 11 issues.


Anyway, back to point. I am currently exploring the Android eco system and would be very interested to hear how you get on. Samsung KNOX, Android for Work and Google G-Suite have all come up on my radar.

 

Meraki Android for Work Documentation

 

Thank you,
Peter James

PeterJames
Head in the Cloud

As a side note, prior to Android Oreo 8.0, the Pixel, with Android 7.1+, was the only Android device capable of matching the Apple DEP for zero-touch enrolment.

---
More Information

See [Android Zero Touch]

 

Currently there is only one reseller and one EOM Partner offering this functionality. Unfortunately I have noticed 'Cisco:Meraki' are not on the 'EMM Partners' list for this feature.

 

Thank you,

Peter James

QueBall
Here to help

Yes.  Android 8 should make things more generic for all manufacturers. 

 

For now this Knox mobile enrollment is restricted to Samsung devices, but it does the job, especially when the latest versions of Knox are supported by the MDM in AFW device owner mode: you can do near zero touch. (OK, clicking next a few times, but that's about it.)

 

 

PhilipDAth
Kind of a big deal

Yes.  Android 8 should make things more generic for all manufacturers. 

 

Depending on whether it goes into Android Open Source, or the closed version of Android (which manufacturers have to licence).

Roska
A model citizen

Kudos to you - I would love to see this as a supported feature so that you could map your KME enrolled devices to your desired EMM, Systems Manager. I do not recall if you can choose to use multiple MDMs on the KME portal side, but for me there was some frustration back in the day when Apple DEP only supported one default EMM provider. It caused issues when there were multiple service providers each offering their own services, and it used to be a manual process to assign devices to the correct EMM provider in order to finalize device end settings.

 

 

beks88
A model citizen

Would be great to see Meraki listed soon on this list with full support. KME works fine so far with few limitations (user needs to enter network ID).

 

https://www.samsungknox.com/en/it-solutions/supported-mdm-vendors

Roska
A model citizen

Dear Meraki team, any news on KME integration/support with Systems Manager?

QBallDS
Conversationalist

@QueBall 

 

If you scan the QR code for Android 7+ Device Owner enrollment, you should get the JSON details for your installation.  I haven't tested this with our KME account yet as we haven't got any devices in there yet...

beks88
A model citizen

Good point, will give it a try and report my tests here and the JSON code.

beks88
A model citizen

I'm stuck with my ideas. I copied the .json from the QR-Code for Android 7+ DO Enrollment and tried different variations of the Key-values but it seems like the app doesn't care about the json input and ignores it completely.

 

The .json

{
	"android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":"com.meraki.sm/.DeviceAdmin",
	"android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":"https://dl.meraki.net/androidsm/AndroidSM.apk",
	"android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM":"cAcR9rRugrNQtR5_ZSuIeihRBDyV5RoHlf0Cm_vQa8g",
	"android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":"cAcR9rRugrNQtR5_ZSuIeihRBDyV5RoHlf0Cm_vQa8g",
	"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":
	{
		"enrollment_url":"https://m.meraki.com/enroll/?android_from_store=true&id=123-456-7890&pcc_enrollment_code=123-456-7890"
	}
}

 

If anyone has some more ideas, please share 🙂 

QBallDS
Conversationalist

@beks88 I managed to get it working!

 

The JSON data only needs the {"enrollment_url"...} section, see below.  I can now factory reset a device and it will auto enroll in SM and get profiles if they're assigned.  The only thing I can't do is automatically get an AFW account.

 

Edit:  Looks like I was being impatient, the AFW account provisioned itself after a few minutes of waiting when I reset a device.

 

[Screenshot: KME-Profile.png]
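
As an added example (not code from the thread or from Meraki), this Python snippet takes the Device Owner QR payload quoted above, sanity-checks it, and emits only the `enrollment_url` object that the post above reports is all the KME profile's JSON data needs. The function names are hypothetical, the IDs are the thread's placeholders, and the checks assume the checksum extras are URL-safe base64 SHA-256 digests, as Android's provisioning extras define them.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit

P = "android.app.extra.PROVISIONING_"

# Constructed sample: the QR payload quoted in the thread (placeholder IDs).
QR_PAYLOAD = json.dumps({
    P + "DEVICE_ADMIN_COMPONENT_NAME": "com.meraki.sm/.DeviceAdmin",
    P + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":
        "https://dl.meraki.net/androidsm/AndroidSM.apk",
    P + "DEVICE_ADMIN_PACKAGE_CHECKSUM":
        "cAcR9rRugrNQtR5_ZSuIeihRBDyV5RoHlf0Cm_vQa8g",
    P + "DEVICE_ADMIN_SIGNATURE_CHECKSUM":
        "cAcR9rRugrNQtR5_ZSuIeihRBDyV5RoHlf0Cm_vQa8g",
    P + "ADMIN_EXTRAS_BUNDLE": {
        "enrollment_url": "https://m.meraki.com/enroll/?android_from_store=true"
                          "&id=123-456-7890&pcc_enrollment_code=123-456-7890"},
})


def is_sha256_b64url(value):
    """True if value is URL-safe base64 (padding optional) of 32 bytes."""
    try:
        raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    except (ValueError, TypeError):
        return False
    return len(raw) == 32


def kme_custom_json(qr_payload):
    """Return (JSON data for the KME profile, list of findings)."""
    data = json.loads(qr_payload)
    findings = []
    apk_url = data.get(P + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION", "")
    if urlsplit(apk_url).scheme != "https":
        findings.append("APK download location is not HTTPS")
    sums = {k: data.get(P + k) for k in
            ("DEVICE_ADMIN_PACKAGE_CHECKSUM", "DEVICE_ADMIN_SIGNATURE_CHECKSUM")}
    for key, value in sums.items():
        if value is not None and not is_sha256_b64url(value):
            findings.append(key + " is not a base64url SHA-256 digest")
    if None not in sums.values() and len(set(sums.values())) == 1:
        findings.append("package and signature checksums are identical")
    url = (data.get(P + "ADMIN_EXTRAS_BUNDLE") or {}).get("enrollment_url", "")
    parts = urlsplit(url)
    if parts.scheme != "https" or not parse_qs(parts.query).get("id"):
        findings.append("enrollment_url is not HTTPS or has no id parameter")
    return json.dumps({"enrollment_url": url}), findings
```

On the quoted payload the only finding is that the two checksum extras carry the same value; they hash different inputs (the APK file and its signing certificate), so identical values are worth confirming against the current QR code before reuse.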

beks88
A model citizen

Thanks @QBallDS, took a while since the login screen appeared, but it works fine. Well done

Roska
A model citizen

Anyone with fresh KME-based enrollment experiences here? Would be keen on knowing how the enhancements (multiple MDM providers on a single instance, automated KME enrollment process which directs the device into the desired MDM) are working out. Tom Hanks

beks88
A model citizen

Google is finally supporting Samsung devices through Android Zero Touch. In this case go away from Knox Mobile Enrollment and set up with Android Zero Touch.

 

https://documentation.meraki.com/SM/Device_Enrollment/Android_Zero-Touch_Enrollment

 

I don't think Meraki will put any more effort into this, because you can set up the whole Android enrollment through Android Zero Touch regardless of the manufacturer.

 

I tried different ways with KME and SM, but I keep getting stuck on the Enrollment Code. It wants me to put it in manually every time.

 

Best regards
