Device - Samsung Knoxcontents-ap.manage.samsungknox.com/onlinehelp/en/... · Note Wi-Fi Transfer...

4 4 Device

Device 94

DeviceKnox Manage supports various device enrollment methods. After successful user authentication and login to Knox Manage, the devices are automatically enrolled and registered to their user accounts on Knox Manage. Before enrolling devices, a user account must be created to register enrolled devices to it. For more information on creating user accounts, see Creating user accounts.

After devices are enrolled and registered to the specific organization and group in the Admin Portal, you can assign and apply various policies, applications, and content files to the organizations and groups. You can control the enrolled devices using device commands and view the detailed information for each enrolled device.

This chapter explains the following topics:

→ Viewing the device list

→ Viewing the device details

→ Enrolling devices

→ Managing devices

→ Managing limited enrollment

→ Checking the locations of the devices

→ Viewing device logs

Device 95

Viewing the device listNavigate to Device to view all the devices registered in the Knox Manage Admin Portal on the “Device” page. You can also perform specific functions to the selected devices among the list.

On the device list, the personalized settings of the columns will be saved. The saved settings will be retained before you delete the web browser’s cookies. You can also return the column settings to their default settings by clicking Revert Column Settings.

1

2

3

Device 96

No. Name Description

1 Search fieldSearch for devices by device name, IMEI / MEID, user name, and status. Click Advanced Search to filter by device platform & management type, enrollment type, security issue, etc.

2Function buttons

Refresh Update the list of devices.

Device Command

Send the device commands to the selected device on the device list. For more information, see Sending device commands to devices.

Check LocationOnly devices that have the Report device location policy applied can be checked. For more information, see Checking the locations of the devices.

Remote Support

Remotely control the selected device with the RS Viewer from your computer. For more information, see Remote Support.

Manage TagAdd or delete the tags of the selected devices in order to filter by specific information. Multiple tags can be also added to a device.

Update License Update the license of the selected devices on the device list.

UnenrollUnenroll the selected devices on the device list. For more information, see Unenrolling devices.

Delete Delete the selected unenrolled devices from the device list.

Bulk Add Tags Add bulk device tags using a template.

Export to CSV

Export a list of devices as a CSV file. When exporting is complete, you can download the exported list. In the header of the Knox Manage Admin Portal, click > Download > My Download, and then click Download next to the exported item.

Revert Column Settings

Resets the column settings to the default settings.

3 Device list

View brief information for the enrolled devices on the list. You can add more columns by clicking > Columns, and then clicking the checkboxes for the columns you want to add. Information of the devices, such as model number, OS version, and MAC address, can be viewed in the added columns.

Device 97

Viewing the device detailsView each device’s details by clicking a device name (or tag) to on the device list. For more information about each section of the detail page, see Detail page.

Summary area

The summary area contains the information about the selected device such as device’s status, and detailed information.

• Detail: View the detailed device’s user information. For more information about the “User Detail” page, see Viewing the device details.

• See History: View the detailed histories of the device status.

Tab: Security

The Security tab shows the device’s detailed security status.

• Detail (Knox Manage Agent Policy): View the assigned and applies policies created by Knox Manage Agent.

Tab: Device Information

The Device Information tab shows the device’s detailed information.

• Detail: Display additional device information at the bottom of the page.

Tab: Network

The Network tab shows the device’s detailed network status such as Wi-Fi and SIM information.

Note Wi-Fi Transfer Data and Network Transfer Data do not appear on Android 10 (Q) devices.

Device 98

Tab: Application

The Application tab shows the applications installed, assigned or controlled to the selected device. In the Application tab, the following tabs are additionally provided.

Application tab Description

Installed Application

View the information of the installed applications to the device. The following function buttons are available:

• Sync Installed App List: Update the installed application list.

• Install or Update: Select the application to install on the device or to update if it is already installed.

• Export to CSV: Download a list of applications as a CSV file.

Assigned Application View the information of the assigned applications to the device.

Controlled Application View the information of the controlled applications to the device.

Tab: Profile

The Profile tab shows the detailed information on the profile and policies assigned to the selected device.

Tab: Content

The Content tab shows the list of the content files assigned to the selected device.

Tab: Group / Organization

The Group / Organization tab shows the detailed information on the groups and organizations that the selected device belongs to.

• Detail (Group): Move to the “Group Detail” page for the selected group. For more information on the “Group Detail” page, see Viewing the group details.

• Detail (Organization): Move to the “Organization Detail” page for the selected organization. For more information on the “Organization Detail” page, see Viewing the organization details.

Device 99

Tab: Command History

The Command History tab shows the history of device commands sent to the selected device. You can also view the detailed information on the audit events for each device command.

• See Audit Event: View in detail the audit events that occurred while completing a device command.

The following function buttons are available:

Function button Description

Device Log Download the device logs.

Re-Request Re-request the requested device command on the list.

Function buttons in the footer

You can perform specific functions to the devices using the function buttons in the footer.

The following function buttons are available:

Function button Description

Back Return to the device list.

Audit LogView the audit log details for the selected device. For more information, see Viewing audit logs.

Delete Delete the selected device.

Manage TagAdd or delete the tags of the selected devices in order to filter by specific information. Multiple tags can be also added to a device.

Remote SupportRemotely control the selected device with the RS Viewer from your computer. For more information, see Remote Support.

Device 100

enrolling devicesSelect one of the following methods depending on the supported device type of the user’s device and the enrollment types to install the Knox Manage application on user’s devices.

Enrollment type Method Supported device type

Single enrollment

Send a Knox Manage application installation guide to users via email or SMS through the Knox Manage Admin Portal. For more information see Enrolling a single device.

All devices

Bulk enrollment

Use Knox Mobile Enrollment (KME) to enroll a large number of Samsung devices. For more information, see Using Knox Mobile Enrollment (Samsung devices only).

Samsung devices

Bulk enrollment

Use Zero Touch Enrollment (ZTE) to enroll a large number of Android Enterprise (For non-Samsung devices). For more information, see Using Zero Touch Enrollment (Android Enterprise devices only).

Android Enterprise (For non-Samsung devices)

Bulk enrollment

Use Apple’s Device Enrollment Program (DEP) to enroll a large number of iOS devices. For more information, see Using the Apple Device Enrollment Program (iOS devices only).

iOS

enrolling a single device

Send a Knox Manage application installation guide to users via email or SMS through the Knox Manage Admin Portal. Also, users can directly download the Knox Manage application and enroll their devices. For Android Enterprise (AE) devices, you can use a token or QR code to enroll the devices.

Device 101

enrolling general devices (Android Legacy, ioS and Windows)

Send a Knox Manage application installation guide to users via email or SMS through the Knox Manage Admin Portal. Also, users can directly download Knox Manage application from their public application stores.

Note Before enrolling devices, a user account must be created to register enrolled devices to it. For more information on creating user accounts, see Creating user accounts.

1. Select one of the following methods to send the Knox Manage application installation guide to users.

• Sending the Email_Agent Installation template to send QR code via email, allowing users to install the Knox Manage application on their devices. For more information, see Sending templates or user notifications to users via email.

• Sending the installation URL address or QR code via email or SMS. For more information, see Sending enrollment guides to users via email and SMS.

Also, users can directly search for the Knox Manage Agent application from their public app store and download it.

2. Install Knox Manage application by clicking the URL address or scanning the QR code depending on the request methods, and then launch the Knox Manage application on the device.

3. On the log in screen, enter a user ID and password to sign in to Knox Manage. If you log in to Knox Manage successfully, the profiles, policies and applications will be applied to the device.

Note For Android Legacy with Knox Workspace devices running Android 10 (Q) or higher, tap the enrollment notification on the status bar to install the Knox Workspace manually.

Device 102

enrolling Android enterprise (Ae) devices

Knox Manage supports the following Android Enterprise (AE) manage types. Each manage type can be enrolled differently.

Fully Managed Type(Corporate-owned)

Work area

Work Profile Type(Bring your own device)

Personal area(unmanaged)

Corporatelymanaged Work Profile

Work Profile

Fully Managed With Work Profile Type

(Corporate-owned)

Personal area(Work-managed)

Corporatelymanaged Work Profile

Work Profile

• Fully Managed type: This type allows you to control the whole corporate owned device using Knox Manage. To activate as a Fully Managed type, the device must be factory reset.

• Fully Managed with Work Profile type: This type, a combination of the Fully Managed and Work Profile types, allows you to control corporate owned devices. You can manage the device’s personal area by sending device commands while controlling business applications and data within the separate Work Profile. Users can install and use personal applications on their device’s personal area, and, in this case, Knox Manage cannot control applications installed in the personal area or their data.

• Work Profile type: This type allows you to control personal devices (BYOD). In this case, Knox Manage only manages the Work Profile, which is the work area separated from the personal area, on the device.

Device 103

enrolling as the Fully Managed type

Enroll Android Enterprise (AE) devices in the Fully Managed type to control the whole area of the device. The device should be factory reset in advance. Select one of the following methods.

Method Supported version

Use a token (afw#KnoxManage).

For more information, see Using a token.Android 6.0 (Marshmallow) or higher

Use a QR code sent via Email.

For more information see Using a QR code.Android 7.0 (Nougat) or higher

Using a token

Enter the token (afw#KnoxManage) to enroll the Android Enterprise (AE) devices in the Fully Managed or Fully Manage with Work Profile type. If the token is applied successfully, the Knox Manage app will be automatically installed on the device.

To enroll using a token, complete the following steps:

1. Turn on the factory reset device, and then on the device screen, tap START.

2. On the “Connect to Wi-Fi” screen, select an available Wi-Fi network, and then tap NEXT.

3. On the “Agree to Terms and Conditions” screen, read the terms and conditions, and then tap the checkbox next to “I have read and agree to all of the above”. Then, tap Agree. The device will check for updates and the updated will be applied.

4. On the “Sign in” screen, enter “afw#KnoxManage” in the Email or phone field, and then tap Next.

5. On the “Android Enterprise” screen, tap Install to download the Knox Manage application on the device. The Knox Manage application will be downloaded and launched automatically.

6. On the “Set up your device” screen of the Knox Manage Agent, read the privacy policy of Knox Manage and Google, and then tap Accept & continue. The Knox Manage application will launch automatically.

7. On the “Sign in with your Samsung Knox Manage Account” screen, enter a user ID and password, and then tap SIGN IN to sign in to Knox Manage. Depending on the profiles applied to the device, the device will be enrolled as the Fully Managed or Fully Managed with Work Profile type.

Device 104

Using a QR code

Use a QR code sent via email to enroll the devices as the Fully Managed or Fully Managed with Work Profile type. For more information on sending a QR code, see Sending enrollment guides to users via email and SMS.

To enroll using a QR code, complete the following steps:

1. Turn on the factory reset device, and then, on the welcome screen, tap the screen 5 times to launch QR code enrollment. The QR Reader app will be downloaded and the device camera will launch to scan the QR code automatically.

2. Scan the QR code sent by email. The Knox Manage URL and tenant information included in the QR code will be detected.

3. On the “Connect to Wi-Fi” screen, select an available Wi-Fi network, and then tap NEXT.

4. On the “Agree to Terms and Conditions” screen, read the terms and conditions, and then tap the checkbox next to “I have read and agree to all of the above.” Then, tap Agree. The Knox Manage application will launch automatically.

5. On the “Sign in with your Samsung Knox Manage Account” screen, enter a user ID and password, and then tap SIGN IN to sign in to Knox Manage. Depending on the profiles applied to the device, the device will be enrolled as the Fully Managed or Fully Managed with Work Profile type.

enrolling as the Fully Managed with Work Profile type

Enroll the Android Enterprise (AE) devices as the Fully Managed with Work Profile type to control the separate work and personal areas. The enrollment methods are the same as those for the Fully Managed type, but the applied profile should be set as Create Work Profile on Fully Managed. For more information, see Creating a new profile.

Note • For devices running Android 10 (Q) or higher, tap the enrollment notification on the status bar to install the Work Profile manually.

• KSP policies are not applicable to the Fully Managed with Work Profile type. For devices that are enrolled as the Fully Managed type with KSP policies applied, these policies can remain even after the device type changes to the Fully Managed with Work Profile type. It is recommended to remove them manually.

Method Supported version

Use a token (afw#KnoxManage).

For more information, see Using a token.Android 6.0 (Marshmallow) or higher

Use a QR code sent via Email.

For more information see Using a QR code.Android 7.0 (Nougat) or higher

Device 105

enrolling as the Work Profile type

To enroll the Android Enterprise (AE) devices as the Work Profile type, provide an installation guide to the users to install the Knox Manage application on the devices. You can send an installation guide via email or SMS or users can download the Knox Manage application directly from their public app store.

To enroll AE devices as Work Profile devices, complete the following steps:

1. On the device screen, tap the installation URL address sent to users via email or SMS to download and install the Knox Manage application on the device.

Note You can also search for the Knox Manage application from the Google Play Store to download and install it on the AE device.

2. On the device, launch the Knox Manage application.

3. On the “Sign in with your Samsung Knox Manage Account” screen, enter a user ID and password, and then tap SIGN IN to sign in to Knox Manage.

Note For devices running Android 10 (Q) or higher, tap the enrollment notification on the status bar to install the Work Profile manually.

4. On the “Set up a work profile” screen, read the privacy policy of Knox Manage, and then tap Agree. The work applications with the briefcase badge icons, which can be managed by Knox Manage, will appear on the device.

Device 106

Using Knox Mobile enrollment (Samsung devices only)

Samsung Knox Mobile Enrollment (KME) allows you to quickly and easily enroll a large number of corporate-owned Samsung devices. The devices are automatically enrolled when users connect to the internet and log in to Knox Manage. Even if you reset the devices enrolled by the KME program, the Knox Manage application is re-installed automatically and the devices are re-enrolled in to Knox Manage.

The KME program provides the following advantages:

• Enroll a large number of devices in bulk without having to manually enroll each device.

• Allow the KME devices to automatically install the Knox Manage application when the KME devices are reset.

To enroll devices using the KME program, the following procedures must be performed.

Log in to the KME portal. Create MDM profiles.Register devices to KME

through Knox Reseller Portalor Knox Deployment App.

Assign MDM profilesto the KME devices.

Log in to Knox Manage for enrollment.

Note For more information about the KME program, refer to the KME Admin Guide (https://docs.samsungknox.com/KME-Getting-Started/Content/about-kme.htm).

https://docs.samsungknox.com/KME-Getting-Started/Content/about-kme.htm

https://docs.samsungknox.com/KME-Getting-Started/Content/about-kme.htm

Device 107

Before using Knox Mobile enrollment

To use Knox Mobile Enrollment (KME) properly, the followings must be prepared:

• See the list of available countries at the Samsung Knox website and check if the KME program is available in your country.

• Prepare a device from the following carrier or reseller to use the KME program:

– A distributor approved by the KME program

– A dealer sharing IMEI or serial numbers directly with the Samsung representative

• Make sure the devices are Samsung Galaxy devices with Knox 2.4 or higher.

• Sign up for an account in the Samsung Knox Web Portal.

• To install Knox Manage, devices must have more than 50% of their battery charged.

• Before enrolling devices using Android Enterprise’s Fully Managed Device, make sure the devices are running on Samsung Galaxy S8 and Android 5.0 (Lollipop) or above. For more information about Android Enterprise, visit the Android website at https://www.android.com/enterprise/.

Logging in to the Knox Mobile enrollment Portal

To use Knox Mobile Enrollment (KME), you should log in to the Knox Mobile Enrollment Portal.

To log in to the Knox Mobile Enrollment Portal, complete the following steps:

1. Visit the Knox Portal at https://www.samsungknox.com, and click Sign in in the upper right-corner of the screen.

2. Enter a Samsung account ID and password, and then click SIGN IN.

3. On the main Knox Portal page, navigate to SOLUTIONS > Knox Mobile Enrollment.

4. On the Knox Mobile Enrollment page, click Get Started.

5. Enter a work email address and click APPLY FOR FREE. If the application is approved, you will receive a welcome email with instructions on Knox Mobile Enrollment (KME).

6. On the My Knox solutions page, click LAUNCH CONSOLE on Knox Mobile Enrollment.

https://www.android.com/enterprise/

https://www.samsungknox.com

Device 108

Creating MDM profiles

Before enrolling devices, create MDM profiles for Android (Legacy) and Android Enterprise through the Knox Mobile Enrollment Portal.

Knox Manage supports two types of KME enrollments for MDM profiles: Android (Legacy) and Android Enterprise:

Profile type Targeted device Description

Device Admin Android LegacyCreate this profile for the legacy method of managing devices.

Device Owner Android EnterpriseCreate this profile for fully managed or dedicated devices.

Creating MDM profiles for Android Legacy devices

To create MDM profiles for the Device Admin profile type, complete the following steps:

1. On the Knox Mobile Enrollment Portal, navigate to MDM Profiles.

2. In the upper-right corner of the “MDM Profiles” page, click CREATE PROFILE.

3. On the “Select profile type” page, click DEVICE ADMIN.

4. On the “Device Admin profile details” page, enter the following basic information

• Profile Name: Enter an appropriate profile name to distinguish it from others with similar attributes. Special characters are not permitted.

• Description: Enter a profile description (200 characters maximum) to further differentiate this profile from others.

• MDM Server URI: Enter the Knox Manage server for the relevant regions as stated in the following table:

Region Domain

Asia https://ap01.manage.samsungknox.com

US https://us01.manage.samsungknox.com

EU https://eu01.manage.samsungknox.com

Depending on the tenant, you may have to change the domain URI. Refer to your prefix server address of the Knox Manage Admin Portal, and then enter that value in the MDM Server URI. For example, if your server address is https://ap02.manage.samsungknox.com/emm/admin/login.do, your MDM Server URI should be https://ap02.manage.samsungknox.com

Note Once you have created an MDM profile, you cannot change the MDM server URI.

https://ap01.manage.samsungknox.com

https://us01.manage.samsungknox.com

https://eu01.manage.samsungknox.com

Device 109

• Server URI is not required for my MDM: Select this option if you either do not need to point to the MDM’s enterprise installation or are unable due to connection restraints.

5. Click CONTINUE.

6. On the “Device Admin profile settings” page, set the following MDM configuration settings.

• MDM Agent APK: Click ADD MDM APPS and enter the Knox Manage APK link information stated in the following table, and then click SAVE. The application will be automatically installed on the device when it connects to the internet.

Region Domain

Asia http://install-ap.manage.samsungknox.com/KnoxManageEMMService.apk

US http://install-us.manage.samsungknox.com/KnoxManageEMMService.apk

EU http://install-eu.manage.samsungknox.com/KnoxManageEMMService.apk

• Custom JSON Data (as defined by MDM): Enter the tenant information including the TenantId and TenantType in the java script object notation (JSON) format, as in {”TenantId”:”YOUR_TENANT”, ”TenantType”:”M”}.TenantId refers to the name of your Knox Manage company account. It occurs after @ in your Knox Manage Username. For example, your JSON data entry may be used as follows: {”TenantId”:”knoxteam.samsung.com”, ”TenantType”:”M”}. For more information about JSON and related technology, go to http://json.org.

7. Set the following device settings.

• Enrollment settings: Select the additional enrollment setting options.

Note The Skip Setup Wizard option performs independently from the Allow end user to cancel enrollment, and both options can be enabled at the same time.

– Skip Setup Wizard: Skips the setup wizard screen and allows you to start the enrollment process much faster.

Note This option is not currently available on all AT&T devices.

– Allow the end user to cancel enrollment: Permits end-users to cancel enrollment on their devices.

• Privacy Policy, EULAs and Terms of Service: Click Samsung Knox Privacy Policy to view the specific privacy policy text displayed to device users based on their geographic region.

• ADD LEGAL AGREEMENT: Enter the agreement title and agreement text.

• Support contact details: View the support contact details.

http://install-ap.manage.samsungknox.com/KnoxManageEMMService.apk

http://install-us.manage.samsungknox.com/KnoxManageEMMService.apk

http://install-eu.manage.samsungknox.com/KnoxManageEMMService.apk

http://json.org

http://json.org

Device 110

• EDIT: Update the company name, company address, support phone number, and support email address displayed on the devices after successful enrollment. If required, click Save as default support contact details to use this same information as the default contact information.

Note If the device owner (DO) support is enabled for the profile, then only the client name is editable, and the remaining fields are inactive.

• Associate a Knox license with this profile: Pass the Knox license key directly to the intended device for easier Knox profile configuration.

8. Click CREATE to create the device admin supported profile configuration for Android (Legacy). To view the created MDM profile, navigate to MDM Profiles on the Knox Mobile Enrollment Portal.

Creating MDM profiles for Android enterprise devices

To create MDM profiles for the Device Owner profile type, complete the following steps:


2. In the upper-right corner of the “MDM Profiles” page, click CREATE PROFILE.

3. On the “Select profile type” page, click DEVICE OWNER.

4. On the “Device Owner profile details” page, enter the following basic information for the device owner profile.

• Profile Name: Enter an appropriate profile name to distinguish it from others with similar attributes. Special characters are not permitted.

• Description: Enter a profile description (200 characters maximum) to further differentiate this profile from others.

5. Enter the following MDM information for the device owner profile.

• Pick your MDM: Select the specific Knox Manage MDM profile assigned the device owner privilege.

• MDM Agent APK: Enter the Knox Manage APK link information stated in the following table. The application will be automatically installed on the device when it is connected to the internet.

Region Domain

Asia http://install-ap.manage.samsungknox.com/KnoxManageEMMService.apk

US http://install-us.manage.samsungknox.com/KnoxManageEMMService.apk

EU http://install-eu.manage.samsungknox.com/KnoxManageEMMService.apk

http://install-ap.manage.samsungknox.com/KnoxManageEMMService.apk

http://install-us.manage.samsungknox.com/KnoxManageEMMService.apk

http://install-eu.manage.samsungknox.com/KnoxManageEMMService.apk

Device 111

• MDM Server URI: enter the Knox Manage server for the applicable region as stated in the following table:

Region Domain

Asia https://ap01.manage.samsungknox.com

US https://us01.manage.samsungknox.com

EU https://eu01.manage.samsungknox.com

Depending on a tenant, you may have to change a domain URI. Refer to your prefix server address of the Knox Manage Admin Portal, and then enter that value in the MDM Server URI. For example, if your server address is https://ap02.manage.samsungknox.com/emm/admin/login.do, your MDM Server URI should be https://ap02.manage.samsungknox.com

Note Once you have created a MDM profile, you cannot change the MDM server URI.

6. Click CONTINUE.

7. On the “Device Owner profile settings” page, set the following MDM configuration settings.

• Custom JSON Data (as defined by MDM): Enter the tenant information including the TenantId and TenantType in the java script object notation (JSON) format, as in {”TenantId”:”YOUR_TENANT”, ”TenantType”:”M”}.TenantId refers to the name of your Knox Manage company account. It occurs after @ in your Knox Manage Username. For example, your JSON data entry may be used as follows: {”TenantId”:”knoxteam.samsung.com”, ”TenantType”:”M”}. For more information about JSON and related technology, go to http://json.org.

• Dual DAR: Secures the KME enrollment data with two layers of encryption, even when the device is powered off or in an unauthenticated state.

Note The Dual DAR function is only supported on devices running Knox version 3.4 or higher.

– Enable Dual DAR: Enable the Dual DAR function. If the Dual DAR function is enabled, click the checkbox next to Use3rd party crypto app and click ADD PACKAGE NAME AND SIGNATURE to enter the package name and signature for using the 3rd part crypto app.

8. Set the following devices settings.

• System apps: Select the system application settings.– Disable system applications: Disable all applications to the device owner supported profile.– Leave all system applications enabled: Enable all applications on the device owner

supported profile. If this option is not selected, only the default applications and the Knox Manage application are installed on the user devices.

https://ap01.manage.samsungknox.com

https://us01.manage.samsungknox.com

https://eu01.manage.samsungknox.com

http://json.org

http://json.org

Device 112

• Privacy Policy, EULAs and Terms of Service: Click Samsung Knox Privacy Policy to view the specific privacy policy text displayed to devices users based on their geographic region.– ADD LEGAL AGREEMENT: Enter the agreement title and agreement text.

• Company name: Enter the MDM organization name displayed at the time of device enrollment.

9. Click CREATE to create a device owner supported profile configuration for Android Enterprise. To view the created MDM profile, navigate to MDM Profiles on the Knox Mobile Enrollment Portal.

Modifying MDM profiles

To modify an MDM profile, complete the following steps:


2. On the profile list, click the checkbox next to the profile name to modify its information.

3. Modify the selected profile information, and then click SAVE.

Note Once you have created an MDM profile, you cannot change the MDM server URI.

Registering devices to the Knox Mobile enrollment Portal

Depending on the device purchase type, you can register devices to the Knox Mobile Enrollment Portal using the following methods

• Knox Reseller Portal: For devices purchased from approved Samsung resellers

• Samsung Knox Deployment App (NFC tagging): For devices purchased from third-party resellers, or for the purpose of testing

For devices purchased from approved Samsung resellers

If the devices were purchased from approved Samsung resellers, you can register the devices to the Knox Mobile Enrollment Portal using the Knox Reseller Portal. For more information on using the Knox Reseller Portal and how to register devices, see the Knox Reseller Portal Admin Guide (https://docs.samsungknox.com/samsung-reseller-guide/Content/manage-devices.htm) and follow the instructions.

After the devices are registered successfully, on the Knox Mobile Enrollment Portal, navigate to Devices > UPLOADS to view the registered device information with the reseller’s information including the registration date and the number of devices, IMEI information, and applied profiles.

For devices purchased from third-party resellers

To register devices purchased from third-party resellers or for the purpose of testing to the Knox Mobile Enrollment Portal using the Samsung Knox Deployment app through NFC tagging, complete the following steps:

Device 113

Note The user information must be registered in the Knox Mobile Enrollment Portal to register the devices. For more information on how to add device users, see Adding new device users.

1. Download the “Samsung Knox Deployment” app from the Google Play Store on your device and install it.

2. Run the “Samsung Knox Deployment” app on your device.

3. On the login screen, enter your Knox Mobile Enrollment Portal user ID and password, and then tap SIGN IN.

4. Tap ENROLL VIA NFC.

Note The NFC mode on your device must be turned on for NFC tagging.

5. On the “Get started” screen, tap START.

6. Select a desired MDM profile to apply, and then tap NEXT.

7. Tag the user device to your device. To view the information of the registered devices on the Knox Mobile Enrollment Portal, navigate to Devices > UPLOADS.

Assigning MDM profiles and user credentials

After the devices are registered in the Knox Mobile Enrollment Portal, assign the MDM profiles and user credentials to the registered devices. You can assign them to the registered devices either individually or in bulk using a CSV file.

Individual Assignment

To assign MDM profiles and user credential to a registered device individually, complete the following steps:

1. On the Knox Mobile Enrollment Portal, navigate to Devices.

2. At the top of the “Devices” page, click the ALL DEVICES tab.

3. On the device list, click the checkboxes next to IMEI information to assign an MDM profile and user credential to them. Alternately, you can also click the checkboxes next to IMEI information, and then click ACTIONS > Configure devices.

Note The device windows appear differently depending on how many devices on the list you select.

Device 114

4. On the “Device Details” or “Configure selected devices” window, enter the following device information.

• “Device Details” window (When configuring a single selected device)– MDM Profiles: Select the desired MDM profile from the drop-down list to assign it to the

selected device.– Tags: Enter a tag to use when searching for specific devices.– User ID: Modify the Knox Manage user ID.– Password: Modify the Knox Manage user password.

• “Configure selected devices” window (When configuring two or more selected devices)– Modify the MDM profile of selected devices: Select the desired MDM profile from the drop-

down list to assign to the selected device.– Add tags to selected devices: Enter a tag to use when searching for specific devices. Click

the checkbox next to Overwrite existing tags if you want to use the newly entered tag to overwrite existing tags.

– User credentials: Select one of the following options for the user credentials of devices from the drop-down list.– Keep current credentials: Maintain the existing user credential information for the

selected devices.– Clear user credentials: Remove the existing user credential information for the selected

devices.– Overwrite user credentials: Modify the user ID and password.

5. Click SAVE to save the modified device details. The device status changes to Profile assigned. To update the device status, click .

Bulk Assignment

You can assign the MDM profiles and user credentials for up to 10,000 registered devices at once.

To assign MDM profiles and user credential to a registered device individually, complete the following steps:


2. On the “Devices” page, click ALL DEVICES > ACTIONS > Download devices as CSV at the bottom of the page to download the kme_devices.csv file.

3. Open the downloaded CSV file and enter the information in the columns of the Excel file, and then save the file as a .csv file.

4. At the left bottom of the Knox Mobile Enrollment Portal, click BULK ACTIONS.

5. On the “Bulk actions” page, click View instructions in the BULK CONFIGURE section to read the instructions to ensure the CSV file is completely filled out, and the click GOT IT.

6. On the “Bulk configure” page, click BROWSE, and then select the saved .csv file.

Device 115

7. In the “(Optional) Configure profiles and tags” area, enter the following information.

• Modify the MDM profile of selected devices: Select the desired MDM profile from the drop-down list to assign it to the selected devices.

• Tags: Enter a tag to use when searching for specific devices. Click the checkbox next to Overwrite existing tags if you want to use the newly entered tag to overwrite existing tags.

8. Click SUBMIT. To view the bulk-added information, navigate to Devices > ALL DEVICES.

Adding new device users

You can add a new device user to the list of existing users.

To add a new device user, complete the following steps:

1. On the Knox Mobile Enrollment Portal, navigate to Device Users.

2. On the “Device Users” page, click ADD DEVICE USERS to add a new device user.

3. On the “Add device user” window, enter a user ID and password to create unique KME device user credentials.

Note The user ID and password should both be the credentials of the Knox Manage.

4. Click ADD to add new device user.

Unenrolling KMe devices

To disable the use of KME devices, you must unenroll them in the Knox Manage Admin Portal, and then delete them in the Knox Mobile Enrollment Portal. For more information about how to unenroll enrolled devices in the Knox Manage Portal, see Unenrolling devices.

To delete the KME devices, complete the following steps:


2. On the “Devices” page, click the ALL DEVICES tab.

3. On the device list, click the checkboxes next to the IMEI information to delete the registered device, click ACTIONS > Delete devices.

4. In the “Delete devices” window, click DELETE. The selected devices will be deleted from the KME Portal.

Note Once a device is deleted from the KME Portal, the device is permanently removed from the system.

Device 116

Using Zero touch enrollment (Android enterprise devices only)

Zero Touch Enrollment (ZTE) allows you to quickly and easily enroll a large number of corporate-owned Android Enterprise devices for non-Samsung devices. Once the devices are registered to the ZTE Portal, the devices are automatically enrolled when users connect to the Internet and log in to Knox Manage. Even if you reset the devices enrolled by ZTE, the Knox Manage application is reinstalled automatically and the devices are re-enrolled in to Knox Manage.

ZTE provides the following advantages:

• Enrolls a large number of devices in bulk without having to manually enroll each device.

• Allows the ZTE devices to automatically install the Knox Manage application when the ZTE devices are reset.

• Prevents unauthorized devices from joining your EMM environment to enhance your security.

• Allows resellers to add devices to the ZTE Portal.

To enroll devices using ZTE, the following procedures must be performed.

Log in to the Zero Touch Enrollment

Portal.

Create Knox Manage configurations

Assign Knox Manage configurations

to ZTE devices.

Log in to Knox Manage for enrollment.

Note For more information about ZTE, refer to the https://www.android.com/enterprise/management/zero-touch/#partners.

Before using Zero touch enrollment (Zte)

To use Zero Touch Enrollment (ZTE) properly, the following must be prepared:

• Make sure that the devices are compatible with ZTE from the list of Android Zero Touch Devices at https://androidenterprisepartners.withgoogle.com/devices/#!#Zero-touch.

• Prepare a device from the following carrier or reseller to use ZTE:

– Zero touch reseller partner

– Google partner and not from a consumer store.

Device 117

• Make sure the devices are running on Android Oreo (8.0 and later) or a Pixel phone with Android Nougat (7.0).

• Sign up for a Google account associated with the corporate email. A personal Gmail account cannot be used. To create a Google account for the corporate, visit the Google website at https://accounts.google.com/signup/v2/webcreateaccount?flowName=GlifWebSignIn&flowEntry=SignUp&nogm=true.

• Before enrolling devices using Android Enterprise’s Fully Managed Device, make sure the devices are running on Samsung Galaxy S8 and Android 5.0 (Lollipop) or above. For more information about Android Enterprise, visit the Android website at https://www.android.com/enterprise/.

Logging in to the Zero touch enrollment (Zte) Portal

You can log in to the Zero Touch Enrollment (ZTE) Portal using the Google account with the corporate email.

To log in the ZTE Portal, complete the following steps:

1. Visit the ZTE Portal at https://partner.android.com/zerotouch.

2. Enter your Google account information and then click NEXT to log in to the ZTE Portal. Once you have logged in to the ZTE Portal, the following navigation pages are provided on the ZTE Portal.

• Configurations: Create, modify, and delete Knox Manage configurations.

• Devices: Displays the registered device list. You can assign also apply the created Knox Manage configurations to the selected devices on the list.

• Users: Add, modify, or delete the users who can access and manage the portal.

• Resellers: Add resellers to share your account with multiple resellers.

Creating Knox Manage configurations

To create Knox Manage configurations, complete the following steps:

1. On the Zero Touch Enrollment (ZTE) Portal, navigate to Configurations.

2. On the “Configurations” page, click .

3. In the “Add a new configuration” window, enter the following information.

• Configuration name: Enter a configuration name.

• EMM DPC: Select Samsung Knox Manage from the EMM DPC dropdown list.

• DPC extras: Enter the JSON data (Samsung Knox Manage DPC extras) as follows.

Device 118

{ “android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED”:true, “android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE”: { “ServerUrl”: “Your Server Url”, “TenantId”: “Your Knox Manage Tenant ID”, “TenantType”: “M”, “Method”: “ZeroTouch” }}

Note Enter the server URL of the DPC extras for the applicable region as stated in the following table:

Region Domain

Asia https://ap01.manage.samsungknox.com/emm

Asia (India only) https://ap02.manage.samsungknox.com/emm

US https://us01.manage.samsungknox.com/emm

EU https://eu01.manage.samsungknox.com/emm

• Company Name: Enter the name of your organization. It will be displayed on the user’s device during enrollment.

• Support email address: Enter a corporate IT admin email address. It will be displayed on the user’s device during enrollment, and it can be used to contact the IT admin in case of any enrollment issues.

• Support phone number: Enter a corporate IT support phone number. It will be displayed on the user’s device during enrollment, and it can be used to contact the IT admin in case of any enrollment issues.

• Custom message: Enter an optional message to be displayed on the device screen during enrollment.

4. Click Add to create a new Knox Manage configuration.

https://ap01.manage.samsungknox.com/emm

https://ap02.manage.samsungknox.com/emm

https://us01.manage.samsungknox.com/emm

https://eu01.manage.samsungknox.com/emm

Device 119

Assigning Knox Manage configurations to Zte devices

Once Zero touch reseller partners have registered devices in the Zero Touch Enrollment (ZTE) Portal, assign the newly created Knox Manage configurations to the devices. You can assign them to the registered devices either individually or in bulk using a CSV file.

Individual Assignment

To assign a Knox Manage configuration to a device individually, complete the following steps:

1. On the Zero Touch Enrollment (ZTE) Portal, navigate to Devices.

2. On the “Devices” page, select the devices to which configurations are to be applied to on the device list, and then, under Configuration, against the selected devices, the Knox Manage configuration which you have created previously.

Bulk Assignment

To assign Knox Manage configurations to multiple devices at once using a CSV file, complete the following steps:


2. On the “Devices” page, click > Download results as .csv to download the CSV file, and then enter the device information in the CSV file.

• Open the CSV file and fill out the following fields in the file.

Field Example Description

modemtype IMEIThis field should be always set as IMEI in uppercase characters.

modemid 123456789012347 Enter the IMEI number of the device.

serial ABcd1235678 Enter the serial number of the device.

model VM1A Enter the model name of the device.

manufacturer Google Enter the name of the device manufacturer.

Profiletype ZERO_TOUCHThis field should always be set as ZERO_TOUCH in uppercase characters.

Profileid 54321

Enter the numeric ID of the configuration you want to apply to the device. To see the configuration ID, check the table's ID column on the “Configurations” page. To remove the device from zero-touch enrollment, enter 0 (zero).

3. On the “Devices” page, click > Upload batch configurations, and then select the saved .csv file to upload it. All the devices in the CSV file will be assigned to the specific Knox Manage configuration.

Device 120

Logging in to Knox Manage for enrollment

After the Knox Manage configuration is assigned to ZTE devices, log in to Knox Manage to enroll the devices.

To log in to Knox Manage for enrollment, complete the following steps:

1. Turn on the factory-reset device, and then tap Start on the Zero Touch Device Enrollment screen.

2. On the “Connect to mobile network” screen, insert a sim card or tap Skip.

3. On the “Connect to mobile network” screen, tap an available Wi-Fi network to connect to a network. The device will check for updates.

4. On the “Set up your device” screen, read the privacy policy of Knox Manage and Google, and then tap Accept & continue. The device will get account information for Knox Manage.

5. On the “Google Services” screen, tap Accept. The Knox Manage application will be installed and launched automatically on the device.

6. On the “Sign in with your Samsung Knox Manage Account” screen, enter a user ID and password, and then tap SIGN IN to sign in to Knox Manage.

7. On the Knox Manage terms and agreements screen, read the terms of use, privacy policy, and end-user license agreement, tap the checkbox next to Agree all, and then tap NEXT.

8. On the “Display over other apps” page, if required, tap All display over other. The device will be registered and enrolled in the Knox Manage Admin Portal.

Deleting Zte devices from the Zero touch enrollment (Zte) Portal

You can delete devices from the ZTE Portal if you are required to transfer ownership. You can delete one device at a time by selecting devices in the ZTE Portal.

To delete devices from the ZTE Portal, complete the following steps:

Note After you delete a device, you need to contact your reseller if you want to register the device in the ZTE Portal again. Consider removing the Knox Manage configuration, if you want to temporarily exclude a device from the ZTE Portal.


2. On the “Devices” page, select the device you want to remove, and then click DEREGISTER.

3. In the “Deregister device?” window, click DEREGISTER to delete the devices from the ZTE Portal.

Device 121

Using the Apple Device enrollment Program (ioS devices only)

The Apple Device Enrollment Program (DEP) allows you to quickly and easily enroll a large number of organization-owned Apple devices. Devices added by DEP will be enrolled automatically without user intervention with the configured device management profiles.

Note Apple has announced a new consolidated platform, Apple Business Manager. Please visit https://support.apple.com/business and find out more about the way to upgrade from DEP.

To enroll devices using DEP, the following procedures must be performed.

Issuing a DEP tokenissued by Apple.

Registering iOS devices to the Apple Business

Manager website.

Setting DEP profiles.Log in to Knox Manage for enrollment.

Before using the Apple Device enrollment Program

To use the Apple Device Enrollment Program (DEP) properly, the followings must be prepared:

• Prepare a device from an Apple store, Apple theorized reseller, or carrier.

• Make sure the devices are iOS 9.0 or later.

• Register for an Apple Business account in Apple Business Manager or upgrade from DEP. To find out more about upgrading from DEP to ABM, visit https://support.apple.com/en-us/HT208817.

https://support.apple.com/business

https://support.apple.com/business

https://support.apple.com/en-us/HT208817

Device 122

Issuing a DeP token

To use Apple Device Enrollment Program (DEP), you must request for a DEP token issued by Apple through a public key, and then set up DEP in the Knox Manage Admin Portal.

To issue a DEP token and set up DEP, complete the following steps:

1. Navigate to Setting > iOS > DEP Server Setting. If you have issued a DEP token before, the previously issued DEP token’s information and its expiration date are displayed.

2. On the “DEP Server Setting” page, click Download Public Key to download a public key in the .pem format required to create a new MDM server in the Apple DEP Portal.

3. Visit the Apple Business Manager website at https://business.apple.com.

4. Sign in using your Apple Business account, and then enter the 6-digit verification code sent to the mobile device registered to your Apple ID.

• The start window of the ABM site will appear.

5. On the Apple Business Manager website, navigate to Settings > Device Management Settings at the bottom of the site, and then click Add MDM Server on the right of the screen.

6. Configure the MDM server settings, upload the public key file in the .pem format downloaded from the Knox Manage Admin Portal, and then click Save.

7. Click Download Token on the right of the screen and download the Apple token file in the .p7m format on to the computer.

Note Using a single token to enroll the DEP devices for one company is recommended.

8. On the “DEP Server Setting” page of the Knox Manage Admin Portal, click Upload DEP Token and then select the DEP token file with .p7m format downloaded from ABM.

9. Click OK. If the DEP token file is uploaded successfully, the authentication processes between the Knox Manage server and the Apple’s DEP server is completed.

10. Click Set Default Profile to set up a profile to be assigned to the DEP devices by default, and then click OK.

Note For more information on setting a general profile, see Setting DEP profiles.

11. Click Set DEP Device Sync Interval to set the sync interval of DEP devices.

Device 123

Registering DeP devices

After the Device Enrollment Program (DEP) server is all set up, register iOS devices with the MDM server in the Apple Business Manager website.

To register iOS devices in the Apple Business Manager website, complete the following steps:

1. Visit the Apple Business Manager website at https://business.apple.com, and then enter your Apple ID and password to log in.

2. On the Apple Business Manager website, navigate to Device Assignments to assign iOS devices to the MDM server you have already created.

3. Select the method for registering iOS devices from Choose Devices:

• Assign Device by Serial Number: Enter a list of device serial numbers to register the iOS device.

• Assign Devices by Order Number: Enter the Apple Purchase Order number so that the devices are added automatically.

• Upload a .csv File: Upload a .csv file that includes the serial numbers.

4. Select Assign to Server as Action, and then select the MDM server group.

5. Click Done. If the iOS devices are registered successfully in the Apple DEP, navigate to View Assignment History to view the registered device information and its assignment history.

Device 124

Setting DeP profiles

After the iOS devices are registered to the Apple Business Manager website, you must set the DEP profile to be assigned to the devices through the Knox Manage Admin Portal.

The DEP profile is applied to the DEP devices when the DEP devices are enrolled.

To set a DEP profile, complete the following steps:

1. Navigate to Setting > iOS > DEP Server Setting.

2. On the “DEP Server Setting” page, click Set DEP Default Profile.

3. On the “Set DEP profile” window, set the following items in the DEP profile:

• Supervised Mode: Click the checkbox next to Apply to enable the supervised mode that is only available on iOS devices and must be applied to the DEP devices.– Delete MDM profile: Click the checkbox next to Allow to allow users to delete the MDM

profile.– Supervising host certificate list: Click Add to add the registered certificate to the Apple

device you want to pair with the DEP devices.

• Pairing: Click to allow other Apple devices to pair with the DEP devices.

• Skip Settings: Select the items that appear during the device setup process after users turn on their DEP devices for the first time. If the items are checked, they do not appear on the window.

4. Click Save to save the set DEP profile.

Assigning users to DeP devices

After the DEP devices are enrolled, you can assign users to them.

To assign users, complete the following steps:

1. Navigate to Setting > iOS > DEP Device Management.

2. On the “DEP Device Management” page, click the checkbox for a device you want to assign the user to.

3. Click Assign User.

• Click Unassign User to remove the user assignment from the device. The device must be unenrolled before unassigning the user.

4. On the “Select User” window, click the user you want to assign to the device, and then click OK. After the user is successfully assigned, you can send device commands just as you would with other devices controlled by Knox Manage.

Device 125

Managing DeP devices

In the Knox Manage Portal, the DEP devices registered in the Apple Device Enrollment Program (DEP) are managed. You can synchronize with the DEP server in the Apple Business Manager website to update the DEP device list in the Knox Manage Portal, modify and assign DEP profiles, and control DEP devices.

Viewing the DeP device details

To view the DEP device details in the Knox Manage Portal, complete the following steps:


2. On the “DEP Device Management” page, click the serial number of the desired DEP device on the list to view its details.

3. In the “Device Detail” window, view the selected DEP device information.

Synchronizing with the DeP server

To synchronize with the DEP server and the Apple Business Manager website to update the DEP device list in the Knox Manage Portal, complete the following steps:


2. On the “DEP Device Management” page, click Sync DEP to synchronize with the DEP server.

3. On the “DEP device sync” window, click OK. The DEP device list in the Knox Manage Portal will be updated.

Note If the server token has expired, you can no longer update the DEP device list.

Modifying and assigning the DeP profiles

To modify and assign DEP profiles to DEP devices, complete the following steps:


2. On the “DEP Device Management” page, click the checkboxes next to the DEP devices on the DEP device list, and then click Set DEP profile to modify the DEP profile.

3. On the “Set DEP profile” window, modify the desired DEP profile items, and then click Save to save the set DEP profile and return to the “DEP Device Management” page. For more information on setting the DEP profiles, see Setting DEP profiles.

4. Click Sync DEP to synchronize with the DEP server to update the DEP device list. The modified DEP profile will be assigned to the DEP devices.

Device 126

Unenrolling DeP devices

If you want to use DEP devices as general iOS devices or if the DEP devices are no longer required, you can unenroll the DEP devices in the Apple Business Manager website.

To unenroll DEP devices, complete the following steps:

1. Visit the Apple Business Manager website at https://business.apple.com, and then enter your Apple ID and password to log in.

2. On the Apple Business Manager website, navigate to Settings > MDM Servers.

3. On the “Server Details” page, click an MDM server to disable and delete it, and then click Edit > Delete MDM Server.

4. In the popup window, click OK. All the DEP devices on the MDM server will be deleted.

Note To delete the MDM server and relocate the DEP devices on this server, select Reassign Devices from the drop-down list. Then, select a different MDM server where you want to relocate the MDM devices to and click Delete.

5. On the Knox Manage Portal, Navigate to Setting > iOS > DEP Device Management.

6. On the “DEP Device Management” page, click Sync DEP to synchronize with the DEP server.

7. In the “DEP device sync” window, click OK. The DEP device list in the Knox Manage Portal will be updated according to the DEP server, and the DEP devices on the DEP server in the Knox Manage Portal will be deleted.

Device 127

Managing devicesYou can change the device’s status or send device commands to manage the devices registered in Knox Manage.

Unenrolling devices

You can unenroll the devices registered in the Knox Manage server. The methods for unenrollment differ depending on the device type.

To delete the Work Profile from Android Enterprise devices or delete Knox Manage from Fully managed devices, send the Unenroll service command to devices.

Note When you unenroll Fully Managed or the Fully Managed with Work Profile devices, the devices will be factory reset and the microSD cards of the devices with Android 7.0 (Nougat) - 8.0 (Oreo) can be wiped. Please be cautious of potential data loss.

To simply change a logged in user’s details, send the Delete account command, and then allow the user to log in again.

Unenrolling connected devices

To unenroll devices that are connected to the server, complete the following steps:

1. Navigate to Device.

2. On the “Device” page, click a checkbox for a device you want to unenroll.

3. Click Unenroll.

4. In the “Unenroll Device” window, click OK.

Device 128

Unenrolling disconnected devices

When a device is unable to communicate with the server, you can send an offline unenrollment code to the device. Then, the user can change the device’s status manually and unenroll the device.

To unenroll devices that are offline, complete the following steps:


2. On the “Device” page, click a checkbox for a device you want to unenroll.

3. Click Unenroll.

4. In the “Unenroll Device” window, check the Offline Unenrollment Code.

5. Click Force Unenroll.

• The unenrollment device command will be sent to the device.

6. Inform users of the use of the offline unenrollment code from step 4.

• When the user enters the received offline unenrollment code, the device will become unenrolled, corresponding to its status on the server.

Note You can choose to delete the internal applications installed on Android devices and all of the applications installed on devices with iOS 9.0 or above upon unenrollment.

To set automatic deletion, navigate to Setting > Configuration > Basic Configuration > Device, and then set Delete App upon Unenrollment to Yes.

Allowing the users to unenroll their devices

If a device is connected to a network and can establish communication with the server, then users can unenroll the devices by uninstalling the agent.

To allow the user to uninstall the agent, complete the following steps:

1. Navigate to Setting > Knox Manage Agent Policy.

2. On the “Knox Manage Agent Policy” page, click the ”Default” tab.

• You can also add more agent policy sets by clicking .

3. Set the Allow Unenroll Request policy to Allow.

4. Click Save & Apply.

Device 129

Sending device commands to devices

You can send device commands to enrolled devices by user, organization, group, or device and control them remotely. For devices with Knox Workspace or Work Profile, you can select the tab of the area on the top you want to send a device command to. Available device commands vary depending on the device type. For more information on each device command, see the list of device commands.

Note In general, device commands take a higher priority than profile policies. However, policies take a higher priority than the following device commands: Install, Run, Uninstall, Locate the current position, and Reset SD Card. For more information, see the list of device commands.

To send device commands, complete the following steps:


2. On the “Device” page, click the checkbox next to the device name to send a device command to, and then click Device Command.

3. In the “Device Command” window, select the desired device command.

• For devices that have a Knox Workspace, click the target area between General and KNOX - LightWeight Knox.

• For Fully Managed with Work Profile devices, click a target area between Fully Managed Device and Work Profile.

4. In the “Request Command” window, click OK.

Checking device commands in request

Check device commands that have not been sent successfully due to network or system issues. You can resend the device commands in request or delete them individually or altogether. You can also download all device commands in queue as an Excel file.

Note If no device command has been sent within the past six hours of restarting the device, then Knox Manage Agent requests the server for a device command and can have it resent to the device.

Device 130

To check the device commands in request and resend or delete them individually or altogether, complete the following steps:

1. Navigate to History > Device Command in Request.

2. Enter a request date, and user ID or mobile ID, and then click Search.

3. View the information of the device commands that have been found.

• To resend the device commands in request, click the checkboxes of the device commands to resend, and then click Re-Request.

• To delete the device commands in request, click the checkboxes of the device commands to delete, and then click Cancel Request.

Note To set the Knox Manage server to resend the device commands in request automatically, navigate to Setting > Configuration > Basic Configuration, and then set the number next to Daily retries for device commands in request.

Viewing device command history

You can view the device command history and related audit logs by date. You can also view the details about the results of device commands, and collect the device control audit logs for each event. For more information about audit log items, see Viewing audit logs.

To view the device command history, complete the following steps:


2. On the “Device” page, click a device name or a tag.

3. On the “Devices Detail” page, click the “Command History” tab.

4. Click a command name to view the audit result of the device command.

Note To view the device command logs by each platform, navigate to History > Group Command History, enter a request date and a group ID or organization name, click Search, and then click a group or organization name.

Device 131

List of device commands: Android enterprise

The available device commands vary depending on the Android Enterprise manage types. For Fully Managed with Work Profile devices, you can select either Fully Managed or Work Profile to send device commands to.

Device

Device command Description

Apply Latest ProfilesSends the latest profile and application information to the device and controls the device with the profile and information.

Enable EAS (Samsung Email App Only)

Allows using Exchange ActiveSync for Samsung Email application.

Disable EAS (Samsung Email App Only)

Disallows using Exchange ActiveSync for Samsung Email application.

Lock Device

Locks a device. You can enter a reason for locking the device and a phone number to contact when the device is lost. The entered information appears on the locked device screen.

Note For non-Samsung Android devices, this policy supports only the devices with Android 8.0 (Oreo) and lower.

Unlock Device

Unlocks a device.

Note For non-Samsung Android devices, this policy supports only the devices with Android 8.0 (Oreo) and lower.

Lock ScreenLocks the device screen. If the device's screen is password-locked, then the user needs to enter the password to access the screen again.

Factory Reset

Performs factory reset and changes the device status to Unenrolled.

• Initialize SD Card when factory reset: Click the checkbox to initialize the SD card during a factory reset.

• Deactivate Factory Reset Protection: This only appears when the profile is applied with the Factory Reset Protection policy or when you send a device command to multiple devices. Click the checkbox to perform a factory reset without the Factory Reset Protection policy.

Power Off Device

Turns off the device.

Note Only Samsung Galaxy devices are supported except the devices with Android 10 (Q).

Reboot Device Reboots the device.

Device 132


Reset Screen Password

Resets the device’s screen lock password and creates a temporary password. After sending the device command, the temporary password that can be found on the device’s detailed information page will be delivered to the user. For more information, see the screen lock password in Viewing the device details.

Reset SD Card

Initializes the external SD card of the device.

Note For devices whose External SD Card policy is set to Disallowed in the profile, you cannot reset the SD card using the device command, because the policy takes a higher priority than the device command.

Reset Data Usage

Resets data usage among the Android device's inventory information.

• Wi-Fi transfer data (in/out)

• Network transfer data (in/out)

Note Only Samsung Galaxy devices are supported except the devices with Android 10 (Q).

Reset Number of Calls

Resets the number of call(s) and number of missed call(s) among Android device’s inventory information,

• Number of call(s)

• Number of missed call(s)

Delete a CA CertificateDeletes certificates installed by Knox Manage. You can select a certificate to delete.

Delete a User CertificateDeletes certificates installed by the administrator. You can select a certificate to delete.

Delete a User Install Certificate

Deletes all the certificates installed by the administrator.

Application


Install or Update App

Installs or updates applications on a device.

In the “Request Command” window, select an application to be installed or updated.

Note The Application installation blacklist/whitelist policies take a higher priority than device commands.

Device 133


Uninstall App

Deletes applications from a device.

In the “Request Command” window, select an application to be uninstalled.

Note The Application uninstallation prevention list setting policy takes a higher priority than device commands.

Apply Latest internal App Information

Sends the latest internal application information and updates the device according to the information.

Knox Manage


Push Notification

Sends a push message to the device.

In the “Push Notification” window, enter the title and content of the message to send. You can also select between Notification and Pop up for the send type.

Note • If the device is locked, you must unlock it to view pop ups.

• Pop ups may not appear on Work Profile (PO) devices with Android 10 (Q) or a higher version.

Unenroll Device Unenrolls a selected device on the device list.

Update License Updates the license of a selected device on the device list.

Update Knox Manage

Updates the Knox Manage Agent on the device for a new patch or version.

The agent information registered in the Knox Manage server is sent to a device. The device automatically selects the appropriate agent to request installation files from the server.

Update User Information

Updates the device user information such as the user activation status/username/user settings (Secure Browser website URL information, bookmark information) and license information.

If the user is logged out from the enrolled device, you can send this device command to enable the user to log in to Knox Manage automatically.

Lock Screen of Knox Manage Agent

Locks the Knox Manage Agent.

When the application is locked, the users have to enter the screen lock password which was configured during installation. If a user forgets the password of Knox Manage Agent screen lock, you can send the Delete Account command and make the user logged out from the Knox Manage Agent. Then, the user can set the password again upon login.

Unlock Knox Manage Agent Unlocks the Knox Manage Agent.

Delete Account Deletes the account registered in the Knox Manage Agent.

Device 134


Exit KioskExits the Kiosk mode without unenrollment. You can find the status of the Kiosk mode in the Security tab on the Device Detail page.

Collect Audit LogCollects the Knox Manage audit logs of the device. When the log size exceeds the maximum size, logs are automatically sent to the server, but the log file may be lost. For more detailed information, see Viewing audits.

Collect Device Log Collects the logs of devices.

Collect Diagnosis Information

Collects a device log to diagnose the cause of device lock.

Note Personally identifiable or sensitive information will be data masked.

Device Info.


Collect current location

Shows the current location of the device.

To view the location of a device after sending a device command, navigate to Device, click the checkbox for the device, and then click Check Location.

Sync Device Information

Updates the inventory and application information on the device.

To view the updated information after sending the device command, navigate to Device, click a device name or tag, and view the information on the “Device Detail” page.

Sync Installed App List

Updates the information of installed applications.

To view the list of installed applications after sending a device command, navigate to Device, click a device name or tag, and click the “Application” tab.

Authenticate SIM Card Authenticates the SIM card on a device.

Authenticate SD Card Authenticates the external SD card on a device.

AttestationChecks if a device’s OS has been compromised. The result can be found from the device details.

List of device commands: Android Legacy/Knox Workspace

The available device commands vary depending on device manage type. For Android Legacy with Knox Workspace devices, you can select either the General or KNOX area to send the device command to.

Device 135

Device



Enable EAS (Samsung Email App Only)

Allows using Exchange ActiveSync for Samsung Email application.

Disable EAS (Samsung Email App Only)

Disallows using Exchange ActiveSync for Samsung Email application.

Lock Device

Locks a device. You can enter a reason for locking the device and a phone number to contact when the device is lost. The entered information appears on the locked device screen.

Note • For non-Samsung Android devices, Android 8.0 (Oreo) and lower are only supported.

• Android 10 (Q) devices are not supported.

Unlock Device

Unlocks a device.

Note • For non-Samsung Android devices, Android 8.0 (Oreo) and lower are only supported.

• Android 10 (Q) devices are not supported.

Lock ScreenLocks the device screen. If the device's screen is password-locked, then the user needs to enter the password to access the screen again.

Factory Reset Performs factory reset and changes the device status to Unenrolled.

Power Off Device

Turns off the device.

Note Android 10 (Q) devices are not supported.

Reboot Device Reboots the device.


Resets the device’s screen lock password and creates a temporary password. After sending the device command, the temporary password that can be found on the device’s detailed information page will be delivered to the user. For more information, see the Knox password in Viewing the device details.

Note Android 9.0 (Pie) devices are not supported.

Reset SD Card

Initializes the external SD card of the device.

Note For devices whose External SD Card policy is set to Disallowed in the profile, you cannot reset the SD card using the device command, because the policy takes a higher priority than the device command.

Device 136


Reset Data Usage

Resets data usage among the Android device’s inventory information.

• Wi-Fi transfer data (in/out)

• Network transfer data (in/out)

Note Android 10 (Q) devices are not supported.

Reset Number of Calls

Resets the number of call(s) and number of missed call(s) among Android device’s inventory information.

• Number of call(s)

• Number of missed call(s)

Application


Install or Update App

Installs or updates applications on a device.

In the “Request Command” window, select an application to be installed or updated.


Run App

Runs applications on a device.

In the “Request Command” window, select an application to be run.

Note The Application running blacklist/whitelist policies take a higher priority than device commands.

Stop AppStops applications on a device.

In the “Request Command” window, select an application to be stopped.

Delete App dataDeletes data from applications.

In the “Request Command” window, select an application to be deleted.

Uninstall App






Device 137

Knox Manage


Push Notification

Sends a push message to the device.

In the “Push Notification” window, enter the title and content of the message to send. You can also select between Notification and Pop up for the send type.

Note • If the device is locked, you must unlock it to view pop ups.

• Pop ups may not appear on Android Legacy devices with Android 10 (Q) or a higher version.


Update License Updates the license of a selected device on the device list.

Update Knox Manage

Updates the Knox Manage Agent on the device for a new patch or version.

The agent information registered in the Knox Manage server is sent to a device. The device automatically selects the appropriate agent to request installation files from the server.









Exit KioskExits the Kiosk mode without unenrollment. You can find the status of the Kiosk mode in the Security tab on the Device Detail page.






Device 138

Device Info.








Note For iOS devices, only the hardware status is updated.




Authenticate SIM Card Authenticates the SIM card on a device.

Authenticate SD Card Authenticates the external SD card on a device.

AttestationChecks if a device’s OS has been compromised. The result can be found from the device details.

Container

Only the Workspace area of Knox Workspace is supported.


Lock Knox WorkspaceLocks the Knox Workspace. Users cannot access the Knox Workspace unless you unlock it by sending this command.

Unlock Knox Workspace Unlocks the Knox Workspace.

Reset Knox Workspace Password

Resets the Knox Workspace password. When the user forgets the Knox Workspace password, this command is sent to reset the password.

Note Depending on the Android OS version, the process to re-configure the new password may differ. For Android 8.0 (Oreo) or higher, the user will receive a temporary password after Knox Manage authentication. And then, the user can re-configure the new Knox Workspace password. For operating systems lower than Android 8.0 (Oreo), the user can re-configure the Knox Workspace password directly after Knox Manage authentication.

Device 139


Uninstall Knox WorkspaceDeletes the selected Knox Workspace. Inventory information is updated on the server upon deletion.

List of device commands: ioS

The available device commands vary depending on device manage type.

Device



Lock Device Blocks some functions of the device without locking the device.

Unlock Device Unlocks a device.




Initialize Blocked Information (Supervised)

Initializes the block settings of the device.

Note Only iOS Supervised devices are supported.

Device 140

Application


Install

Installs applications on a device.

In the “Request Command” window, select an application to be installed.


Uninstall App






Knox Manage


Push Notification

Sends an emergency message to the device. The message icon is shown on the status bar of the device.

In the “Push Notification” window, enter the title and content of the message.












Device 141





Sync App Auto-removal Property (When service is deactivated)

Syncs the application auto-deletion property when managed applications are deactivated if the value of Delete app during Unenrollment process has changed in the server configuration.

Device Info.








Note For iOS devices, only the hardware status is updated.



For iOS devices, you can also request to delete application feedback when sending the device command.


Check Connection Status

Checks the service connection status of the device.

To check the status of the device after sending the device command, navigate to Device, click a device name or tag, click the “Security” tab, and view the connection status below the device name.

• Enrolled: The device is connected to the Knox Manage server.

• Disconnected: The device is disconnected from the Knox Manage server.

• Unenrolled: Keepalive is not configured.

Collect Profile IDCollects the ID of the profile applied to the device.

If the device has been enrolled, then the ID is automatically collected from the device’s inventory information without sending the device command.

Device 142

List of device commands: Windows

The available device commands vary depending on device manage type.

Device


Lock Device Locks the device.




Knox Manage


Push NotificationSends an emergency message to the device.

The message icon is shown on the status bar of the device. In the “Push Notification” window, enter the title and content of the message.









Delete account Deletes the account registered in the Knox Manage Agent.

Device 143

Device Info.











Managing limited enrollmentYou can set only the devices that are registered with their IMEI (International Mobile Equipment Identity) numbers to be enrolled in Knox Manage.

IMEI numbers can be registered individually or collectively using an XLS file. You can also register Wi-Fi only devices with their serial numbers instead of IMEI numbers.

To register IMEI numbers individually, complete the following steps:

1. Navigate to Setting > Android > Limited Enrollment.

2. On the “Limited Enrollment” page, click Activate at the bottom of the page.

• You can also activate the Limited Enrollment feature by navigating to Setting > Configuration > Basic Configuration > Device, and then setting Limited Enrollment to Activate.

3. Click Add.

4. In the “Add Device” window, select IMEI/MEID or Serial Number.

Device 144

5. Enter an IMEI/MEID or serial number into the field.

• Enter the serial number of a Wi-Fi only device.

6. Click Save.

To register IMEI numbers collectively, complete the following steps:

1. Navigate to Setting > Android > Limited Enrollment.

2. On the “Limited Enrollment” page, click Activate at the bottom of the page.

• You can also activate the Limited Enrollment feature by navigating to Setting > Configuration > Basic Configuration > Device, and then setting Limited Enrollment to Activate.

3. Click Bulk Add.

4. In the “Bulk Add Devices” window, click Download Template.

5. Enter the IMEI numbers in the downloaded XLS file, and then save it.

• Enter the serial number of a Wi-Fi only device.

6. In the “Bulk Add Devices” window, click , and select the saved XLS file.

7. Click Save.

Checking the locations of the devicesYou can check the locations of the selected devices. Only the devices that have the location policy applied can be tracked.

To check the device locations, complete the following steps:


2. On the “Device” page, click the checkbox for a device to check its location, and then click Check Location.

3. In the “Check Location” window, search by date and view the location history.

• Click Export to GPX to download a GPX file that includes detailed device location information. You can use a GPX viewer to open the file.

Device 145

Viewing device logsView a device log to verify that the device commands sent from the Admin Portal were successfully received by the device.

To view a device log, complete the following steps:


2. On the “Device” page, click the device to view its log.

3. On the “Device Detail” page, click Command History.

4. View the device command history.

• To download the device logs, click Device Log. In the “Device Log” window, set the log collection period and download the desired logs by clicking .

• To view in detail the audit events that occurred while completing a device command, click See Audit Event in the row of the device command.

Date post:	06-Oct-2020
Category:	Documents
Upload:	others
View:	0 times
Download:	0 times

Device - Samsung Knoxcontents-ap.manage.samsungknox.com/onlinehelp/en/... · Note Wi-Fi Transfer...

Documents