What is Knox Enrollment Service | KME Setup & Bypass

Maverick Updated on May 29, 2025 Filed to: MDM

Is your company deploying a large number of devices and finding the enrollment process a bit challenging? Knox Enrollment Service simplifies bulk device setup, making it an essential tool for enterprises looking to save time and effort.

However, setting it up can be a little bit tricky. This article will provide an in-depth look at Knox Enrollment, outlining its key features and how it can transform your device management process.

1. What is Knox Enrollment Service?

Knox Enrollment Service is a solution from Samsung that allows businesses to quickly and automatically deploy large numbers of corporate-owned Samsung devices. It enables IT administrators to enroll devices into their management system (EMM/MDM) right out of the box, applying security policies and configurations without manual setup.

2. Processes of Bulk Device Enrollment with KME

Requirements

Samsung Knox Mobile Enrollment streamlines the setup of Samsung Galaxy devices across large organizations. To use the service, the devices must meet certain requirements:

  • Devices must be Samsung Galaxy devices running Knox version 3.0 or higher, purchased from a reseller participating in the Knox Deployment Program.
  • IT administrators play a key role in Knox Enrollment: they create and manage device profiles, including the settings and restrictions that can be applied to multiple devices.
  • To facilitate the process, they work closely with approved resellers, who upload device IDs to the Knox Reseller Portal for integration into Knox Mobile Enrollment. These IDs allow for the automatic enrollment of devices when they power on and connect to a network, enabling secure, hands-free setup.
  • For devices not purchased through a reseller, the Knox Deployment App can still be used to manually enroll them into the system.

How Does It Work?

Knox Mobile Enrollment (KME) simplifies the bulk enrollment of Samsung devices into enterprise mobility management (EMM) systems through an automated process.

  1. It starts with the IT administrator collaborating with a Samsung-approved reseller.
  2. The reseller uploads the device IDs of the purchased devices to the Knox Reseller Portal, ensuring that only verified devices are enrolled.
  3. Once the device list is uploaded, the IT admin receives a notification and approves the enrollment in the Knox Mobile Enrollment Portal.
  4. From there, the IT admin assigns a configuration profile to the devices, which includes specific settings, restrictions, and apps that need to be preloaded.
  5. If reseller preferences are configured, future device uploads can be automatically approved and assigned profiles, further automating the process.
  6. Once the profile is assigned, the devices are enrolled into the EMM system. Users simply unbox their devices, and upon booting, the configurations are automatically applied without any manual input required, ensuring a seamless user experience.

How to Use Knox Enrollment Service? (Full Guide)

Knox Enrollment Service is available to enroll Samsung smartphones, phablets, tablets, rugged devices, and wearable devices.

Step 1 : Sign up for Knox Mobile Enrollment and access the admin console.

If you're completely new to Samsung Knox, you should get a Samsung account first. You can get one via this link.

Then, use your account to log in to the Samsung Knox Admin Portal so that you can access Knox Mobile Enrollment. The official entry point is the Knox Admin Portal.

Step 2 : Create a profile with MDM/EMM details to configure out-of-box device settings.

On the left navigation bar, you can see Knox Mobile Enrollment. Expand it and click 'Profiles' > 'CREATE PROFILE'.

Select a profile type: either 'ANDROID ENTERPRISE' or 'ANDROID ENTERPRISE (ADVANCED)'.

Both are methods to obtain enrollment and management permissions for devices but with differences in features. The advanced type has more controls for locking, such as auto-lock, remote lock, or unlock.

Android Enterprise is a project that brings together several types of enterprise service providers: device manufacturers, device resellers, and device management solutions. It also provides APIs for software developers and OEMs to build enterprise products. Samsung joined the Android Enterprise Recommended Program in 2020. Since then, it has provided Galaxy mobile devices and the cloud-based Knox Manage EMM solution to Android Enterprise users.

Next, complete the profile details after selecting a type.

Then fill in three pieces of EMM information:

  • Pick your EMM: To use AirDroid Business as the MDM, select “Other” here.
  • EMM Agent APK: Add the APK that is the supporting component of the EMM; it is installed on enrolled devices automatically. In the AirDroid dashboard, copy that code from Devices > Device Enrollment > Samsung KME.

  • DPC Extra for AirDroid Business: Copy the configuration code in AirDroid Business’ dashboard and paste it to “DPC extras” of Knox Admin Portal. You can fill in the rest of the fields as per your requirements. Then click next.

    There are two sections: EMM CONFIGURATION and DEVICE SETTINGS. For the former, contact your EMM solution provider to get the JSON data and certificates. Note that 'QR code for enrollment' is only for Android 10+ devices. In the latter, you can choose to disable or enable system apps. The 'Android Legacy admin profile' is optional; add it only if needed.

    Step 3 : Add a reseller so that your purchased device information is uploaded automatically.

    Go to the 'Resellers' menu and click 'REGISTER RESELLER.'

    On this screen, a Reseller ID is required. Contact your reseller to get it. You should also provide your customer ID to the reseller.

    The reseller ID is typically 10 digits long. After entering it, set up 'Manage reseller preferences' based on your needs, such as auto-approving all devices uploaded by this reseller and auto-assigning a profile to devices uploaded by this reseller.

    Note : If you want to check the purchased devices, you can go to 'Knox Mobile Enrollment'> 'Devices' > 'UPLOADS'. The reseller will bind the devices to your Knox account and details will be listed in the portal.

    Step 4 : Add a device user to create credentials for your employee.

    In 'Device Users', click 'ADD DEVICE USERS' to set up a User ID and the corresponding password. You can also add users in bulk by importing a CSV file.

    This info will be used for device configuration in the next step.

    Source: docs.samsungknox.com

    How does this setting enhance enterprise security?
    After the credential is configured on the device, your employee has to enter the User ID and Password provided by the IT admin before using the device further. Moreover, the IT admin can change passwords at any time and delete users to ensure timely updates.

    Step 5 : Configure devices individually or in bulk

    Go to 'Devices' to view device lists.

    Please follow these steps if you have not set up automatic operations in the processes mentioned above:

    1) Tick the checkbox in front of the IMEI/MEID number. You can operate on multiple devices at once by ticking each of them.
    2) Click the 'ACTION' button and select 'Configure devices'.
    3) In the popup window, choose the profile that you want to apply to the devices, as well as the user credentials.
    4) Click 'SAVE' when everything is configured.

    Tips for configuring devices in bulk:

    1) Go to 'BULK ACTIONS' and click 'ASSIGN USER CREDENTIALS AND PROFILE.'
    2) Then, on the Bulk Configure page, upload the CSV file with device IDs, user IDs, and passwords. Next, click 'SUBMIT.'
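
A pre-upload check for the bulk-configure CSV described above, added here as an example; it is not part of the original article or of Samsung's tooling. The three-column layout without a header row (device ID, user ID, password) is an assumption to confirm against the portal's template, and the sample rows are constructed.

```python
import csv
import io
import re

IMEI_RE = re.compile(r"[0-9]{15}")
MEID_RE = re.compile(r"[0-9A-Fa-f]{14}")  # hexadecimal MEID form only


def luhn_ok(digits):
    """True if the last digit is a valid Luhn check digit (as used by IMEI)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def device_id_ok(dev):
    if IMEI_RE.fullmatch(dev):
        return luhn_ok(dev)
    return MEID_RE.fullmatch(dev) is not None


def validate_bulk_csv(text):
    """Return a list of problems; messages never echo a password."""
    problems, devices, passwords = [], {}, {}
    for n, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not any(cell.strip() for cell in row):
            continue  # blank line
        if len(row) != 3:  # assumed layout: device ID, user ID, password
            problems.append(f"row {n}: expected 3 columns, found {len(row)}")
            continue
        dev, user, pw = row[0].strip().upper(), row[1].strip(), row[2]
        if not device_id_ok(dev):
            problems.append(f"row {n}: device ID fails IMEI/MEID check")
        elif dev in devices:
            problems.append(f"row {n}: device ID duplicates row {devices[dev]}")
        else:
            devices[dev] = n
        if not user or not pw.strip():
            problems.append(f"row {n}: empty user ID or password")
            continue
        if pw == user:
            problems.append(f"row {n}: password equals user ID")
        if pw in passwords and passwords[pw][0] != user:
            problems.append(f"row {n}: password reused from row {passwords[pw][1]}")
        passwords.setdefault(pw, (user, n))
    return problems


# Constructed sample rows, not real devices or credentials.
SAMPLE = "\n".join([
    "490154203237518,alice.k,Tr4il-Mango-77",
    "356938035643809,bob.t,Tr4il-Mango-77",   # same password as row 1
    "490154203237519,carol.m,Quartz!Lamp-9",  # wrong IMEI check digit
    "A0000049259B16,dave.r,dave.r",           # password equals user ID
    "490154203237518,erin.s,",                # duplicate device, no password
])

if __name__ == "__main__":
    for problem in validate_bulk_csv(SAMPLE):
        print(problem)
```

Because the file holds plaintext passwords for every device user, delete it from the admin workstation once the upload has been submitted.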

    Step 6 : Power on the device to complete device enrollment

    After the Samsung device has been shipped to your employee, there is still one final step left. The IT admin can guide the employee to finish Knox Mobile Enrollment:

    1) Turn on the device and connect to WiFi.
    2) Tap 'Continue' on screen, and then 'Next' for agreement.
    3) Enter the assigned User ID and Password, and tap 'Confirm.'

    The device will automatically enroll to the MDM/EMM platform and run the configured profile, for example, auto-install apps and set up system settings.

    3. Advantages, Limitations and Results of Using KME

    Advantages

    • KME simplifies the bulk enrollment process by automating device setup, removing the need for manual configuration. IT administrators no longer need to handle each device individually, as KME allows them to push specific configurations, policies, and settings to all devices at once.
    • It reduces wasted time, especially for large organizations managing hundreds or thousands of devices. Security is another major plus, as the system ensures devices are enrolled, configured, and brought under control as soon as they power on and connect to the network.
    • Most importantly, it reduces the risk of misconfigured devices being used in an unsecured state, offering enhanced protection for sensitive company data.

    Limitations

    • First, it only supports Samsung Galaxy devices running Knox version 3.0 or higher/Android 8.0 or higher, limiting compatibility for organizations using a diverse range of devices.
    • While the system simplifies device deployment in the long run, the initial setup can be complex, requiring careful planning and coordination between IT administrators and resellers.

    Note:

    • AirDroid Business supports multiple Android device enrollment methods, including Knox-managed enrollment (KME), Android Enterprise enrollment (AE), and Device Owner enrollment (DO). All these methods allow users to manage Samsung devices via Knox Manage (KSP).
    • Knox-managed Enrollment (KME): Tailored for Samsung devices, offering efficient bulk enrollment and enhanced security.
    • Android Enterprise Enrollment and Device Owner Enrollment meet user needs for managing diverse Android devices, offering broad compatibility and comprehensive management features. For example, AE enables organizations to leverage Managed Google Play, and DO supports devices running Android 7.0 or above.

    4. Comparing Different Enrollment Methods

    Let's dive into the nitty-gritty of Android enrollment methods and see how they stack up for enterprise deployment:

    Other enrollment methods

    • Zero-Touch Enrollment: An effective method to enroll devices in bulk without manual device manipulation.
    • Device Owner (DO) Enrollment: An enrollment method which allows MDM to gain full control over your devices by obtaining Device Owner permission.
    • Quick-Deploy Installation Package: Devices can install the MDM client package with a single click, eliminating the need for individual device operation.

    Comparison Table

    | Enrollment Method | Setup Process | Ecosystem | Supported Devices | Security Level |
    | --- | --- | --- | --- | --- |
    | Knox Mobile Enrollment | Full-automatic | Samsung | Samsung devices that are running Knox version 3.0 or higher and purchased from a reseller participating in the Knox Deployment Program. | ⭐⭐⭐ Basic security functions |
    | Zero-touch Enrollment | Full-automatic | Google | A device running Android Pie (9.0) or later*, a compatible device running Android Oreo (8.0), or a Pixel phone with Android Nougat (7.0), purchased from a reseller partner | ⭐⭐⭐ Basic security functions |
    | DO Enrollment | Semi-automatic | Android | Android 7.0 or above | ⭐⭐⭐⭐⭐ Broader device control and security policies |
    | Quick-deploy Installation Package | Semi-automatic | Android | Android 4.0 or above | ⭐⭐⭐ Basic security functions |


    Note:

    • Full-automatic methods like KME and ZTE are the holy grail of efficiency. Imagine dropping a device on an end user's desk, and it's already provisioned and ready to go. No manual config, no headaches.
    • Semi-automatic methods, like DO Enrollment and Quick-deploy Packages, require users to complete some configurations during the initial setup. However, subsequent configurations can be efficiently managed in bulk by IT personnel through the MDM dashboard.
    • In terms of device support, the ranking is: Quick-deploy Installation Package > DO > Zero-touch > KME.

    Best For

    1. KME, while limited to Samsung devices with Knox, excels in environments standardized on this platform. For Samsung-centric environments requiring rapid, large-scale deployment, KME is the optimal choice.

    2. Zero-touch enrollment is well-suited for modern Android environments, offering a good balance of compatibility and ease of use for current-generation devices. Organizations managing a diverse fleet of newer Android devices should consider Zero-touch enrollment.

    3. DO Enrollment provides comprehensive device support coupled with advanced security features, appealing to organizations with stringent compliance requirements. High-security environments demanding granular control and robust compliance measures should prioritize DO Enrollment.

    4. Quick-deploy Installation Package offers the broadest support, particularly for legacy Android devices, making it an invaluable tool for organizations with diverse device ecosystems. Enterprises supporting a wide range of Android versions will benefit from the versatility of Quick-deploy Installation Packages.

    Each method has its sweet spot. It's all about aligning with your infrastructure, security requirements, and operational workflow.

    5. How To Disable/Remove Knox Enrollment Service?

    Removing KME can be a bit tricky since it's designed to keep devices managed under organizational control. There are two main methods to go about this: the official way through Samsung and a riskier route involving third-party tools.

    Method 1: Official Removal Process

    1. Remove Device from EMM/MDM Admin Console: The first step is contacting your IT administrator to remove the device from the organization's EMM (Enterprise Mobility Management) or MDM (Mobile Device Management) system. This will deregister the device and lift the Knox management policies.

    2. Access the Samsung Knox Portal: Next, the administrator will log in to the Samsung Knox Portal and complete the removal process from the Knox system. This will free up the device from any restrictions tied to the organization.

    3. Factory Reset the Device: Once unenrolled, perform a factory reset to remove any remaining traces of Knox policies. After the reset, the device should be clean, without organizational restrictions.

    Note : If you can’t get in touch with your IT administrator, you might be tempted to look for alternative ways to remove Knox. However, it’s important to note that there is no official method to remove KME without admin access.

    Method 2: Removal on Samsung Device

    1. Open Settings on your Samsung device.
    2. Go to Apps or Application Manager.
    3. Find and select Knox Enrollment Service.
    4. Tap Disable or Uninstall.
    5. If greyed out: Go back to Settings > Security (or Biometrics and security) > Other security settings > Device admin apps (or Device administrators).
    6. Deactivate Knox Enrollment Service or any related admin profile.
    7. Return to the App info and try disabling again.

    Method 3: Using Third-Party Tools

    Some third-party tools claim they can bypass the Knox lock (often by using techniques that forcibly trigger a factory reset), which may seem like a workaround. However, in most cases, Knox-enrolled devices will still be under organizational control after the reset, due to built-in security features.

    Given the risks, we strongly advise against using these tools. Sticking with the official method is always the safest and most reliable route:

    1. If the bypass fails, your device could become permanently locked or even bricked.

    2. The results are often unpredictable and may void your device's warranty or render it unusable.

    You May Be Interested

    What is Knox enrollment service app?
    It refers to the Knox Deployment app. It's a tool that is installed on the IT admin's phone and used for device enrollment. You can find it on the Google Play store.
    Can I use Knox mobile enrollment to automatically install applications on my devices?
    Yes. But you need to pre-configure the apps in your EMM/MDM provider. For example, you need to create a configuration file before proceeding with the enrollment. This file can preset apps and device policies. When you finish the settings, it will generate an iframe for the enrollment process.
    What are the Knox partner EMM/MDM solutions?
    Knox Mobile Enrollment integrates with several MDM/EMM solutions to streamline device management. Compatible partners include: VMware AirWatch, BlackBerry UEM, Citrix Endpoint Management, Samsung Knox Manage, IBM MaaS360, MobileIron MDM, SOTI MobiControl, Microsoft Intune, 7P EMM.

    What are Knox Deployment App and Knox Mobile Enrollment Direct?
    Knox Deployment app is a mobile app to enroll non-eligible-for-KME Samsung phones and tablets in Knox Manage or Knox Configure. It has three enrollment methods - NFC deployment, Bluetooth deployment, and Wi-Fi Direct deployment. To use the app, you need to have it installed on an IT admin's device and use a Samsung Knox Admin Portal account.

    Knox Mobile Enrollment Direct is on-premise software that is installed on a laptop or PC running Windows 10. KME and KME Direct are the same in function; KME Direct just requires more setup steps.

    How Much Does Knox Mobile Enrollment/Knox Enrollment Service Cost?
    Free. You don't have to pay to use the Samsung enrollment services. Moreover, no license is required.

    Some other Knox Suite tools, such as Knox Manage and Knox Platform for Enterprise, require a license, which you need to purchase to gain the right to use the service. Knox Mobile Enrollment, however, lets you use all of its features without a license.

    For more than 8 years, Maverick has dug deep into IT and mobile device management. He delivers practical MDM solution tips and strategies for managing various endpoints.