Home / Knox Admin Portal / How-to guides /

Manage enrollment profiles

Last updated August 5th, 2025

The Enrollment menu in the Knox Admin Portal navigation pane opens the Enrollment profiles page, where you can create and manage enrollment profiles across your Knox cloud services (Knox E-FOTA, Knox Asset Intelligence, and Knox Service Plugin) as well as for your EMM, MDM, or UEM solutions. You can create separate enrollment profiles for each or create a single enrollment profile that applies to all.

Access permissions

You need the following permissions to view and manage enrollment profiles.

Task Permission
View enrollment profiles Common > Profiles > View-only or Manage enrollment profiles
Edit enrollment profiles Common > Profiles > Manage enrollment profiles > Create and edit
Delete enrollment profiles Common > Profiles > Manage enrollment profiles > Delete

Create an enrollment profile

To create an enrollment profile:

  1. Click Enrollment on the Knox Admin Portal navigation pane. The Enrollment profiles page displays.

    You can also access the common enrollments profiles list from the Knox Mobile Enrollment console. Clicking Profile in the console opens the Enrollment profile page on the Knox Admin Portal.

  2. Click Create profile. The Create enrollment profile page displays.

  3. Enter the following under the Basic info section:

    • Profile name

    • Profile description

    • Select an EMM and the Knox cloud services for which to enable OOBE enrollment using this enrollment profile:

      • EMM: Select to use the enrollment profile to enroll devices to your MDM, EMM, or UEM.

      • Knox Service Plugin: Automatically selected when you select EMM. Enables you to specify policies for Samsung devices in your EMM. You can disable this option, if required.

      • Knox E-FOTA: Select to use the enrollment profile to enroll devices to Knox E-FOTA. As part of OOBE, the Knox E-FOTA app is installed on the devices.

        To be able to manage firmware on devices using Knox E-FOTA, you’ll need to create and assign campaigns to the enrolled devices.

      • Knox Asset Intelligence: Select to use the enrollment profile to enroll devices to Knox Asset Intelligence. As part of OOBE, the Knox Asset Intelligence app is installed on the devices.

        To use Knox Asset Intelligence, please ensure that your devices are enrolled to an EMM.

    If you select a Knox cloud service that’s hidden (Settings > Show/hide services), you won’t be able to use the service in the Knox Admin Portal.

  4. Creating an enrollment profile for an EMM requires additional information. Enter required details in the following sections that display if you select EMM under Basic info:

    • EMM Info: Provide contact details and EMM information
    • Configure: Configure standard settings and advanced settings. To use advanced settings, you require a Knox Suite - Enterprise Plan license.

  5. Review your enrollment profile.

  6. Click Create profile to complete the set up. Alternatively, click Create and assign to also assign it to devices.

    The Create and assign option is available only if you have the common Create and edit permission. See the Access permissions section for more information.

  7. (Optional) In the Assign section, select the devices and click Assign to devices.

The new profile is created and shown on the Enrollment profiles page.

When creating an enrollment profile, note that:

  • Advanced settings are not applied if no valid Knox Suite - Enterprise Plan is available during enrollment.
  • In case of any errors, you can download details in a CSV file from the notification that’s displayed. Click to view all notifications.

EMM Info section

The EMM Info and Configure sections are for providing EMM details, and are displayed only if you selected EMM in the Basic info section. If you selected only Knox E-FOTA or Knox Asset Intelligence, these sections are not shown.

Contact information

Provide the contact information to be displayed during device enrollment:

  • Company name
  • Support email
  • Support phone number

The support contact information is auto-populated, if you previously provided default support information under Settings.

EMM information

  • Select your EMM: For a list of all EMMs that are currently supported, see Knox partner solutions.

  • Link to agent APK: For most Knox Validated EMMs the download link of the EMM app is auto populated. Enter the download link manually, if it’s not auto populated.

  • The EMM is privately hosted on an intranet server: Select the check box and provide following APK details:

    • Admin component name: Displayed as package name/class name.
    • Admin package signature checksum: The URL-safe, base64 encoded SHA-256 hash of the EMM APK signature. You can get this value from your EMM, or use the Keytool utility on Linux.
    • EMM app name
    • App icon: The icon displayed next to the EMM app. Click UPLOAD ICON and upload a PNG file of up to 1 MB. The icon size must be at least 48x48 px.

  • (Optional) Specify an EMM server URI: Select the check box, if required by your EMM provider, and enter the server address in the Server URI field. Verify that you are allowed to connect to the server URI, as it may be firewall-protected or unavailable on public networks.

Configure section

The EMM Info and Configure sections are for providing EMM details, and are displayed only if you selected EMM in the Basic info section. If you selected only Knox E-FOTA or Knox Asset Intelligence, these sections are not shown.

Standard settings

Standard settings provide optional features that you can add to your enrollment profile to customize what devices can do during and after enrollment.

DPC extras

If required by your EMM provider for enrollment, specify any custom JSON configurations for the Device Policy Controller (DPC) app. Consult your EMM provider to obtain the required configurations as the format may differ.

Consider the following sample JSON configurations:

  • Sample JSON configuration if you’re using Knox Manage as your EMM provider:

    {  
    "tenantId": "knoxteam.samsung.com",  
    "tenantType": "M"  
}

  • Sample JSON configuration for configuring additional parameters to automatically enroll the device in a particular mode:

    {
    "tenantId": "knoxteam.samsung.com",
    "AllowModifyUserId": "Disallow",
    "Mode": "DO"
}
QR code enrollment

With QR code enrollment, device users can scan a QR code to enroll into an EMM. This feature is especially useful for devices that are not uploaded by a reseller.

  • This feature is supported on devices running Android 10 or higher.

  • Device enrollment using QR codes is supported for EMMs only.

    If you’re using a QR code for an enrollment profile that’s set up to enroll devices into an EMM, along with Knox E-FOTA or Knox Asset Intelligence, the devices are enrolled into only the EMM.

To generate a QR code:

  1. Click Add QR code to get started. The Add a QR code dialog displays.

  2. To enable device users to enroll their devices to EMMs with a QR code, select Also allow QR code enrollment for devices not uploaded by a reseller.

  3. Under Wi-Fi network configuration, select one of the following:

    • Don’t add Wi-Fi network credentials to QR code: The QR code will not include any network credentials. Device users must manually connect to Wi-Fi.

    • Add Wi-Fi network credentials to QR code: Adds security data and proxy traffic gateway information to the QR code. You can also include the following:

      • Use device MAC address: Includes the factory-encoded hardware MAC address within the QR code’s Wi-Fi MAC address.

        Wi-Fi settings in the QR code take precedence over those associated with the device in the profile, since you first need to connect to Wi-Fi through the QR code before downloading the profile information associated with the device.

      • Wi-Fi network is hidden: Enables the QR code to connect the device to a Wi-Fi access point with a hidden SSID. You can still view and print the SSID in read-only mode.

      • SSID name: Required. Provide a name for the Wi-Fi network.

      • Security: Select a protocol to protect the Wi-Fi network.

        • None: No Wi-Fi network security data is included in the generated QR code. Not recommended for private networks WEP, or WPA/WPA2.

        • WEP or WPA/WPA2: You can specify a Password (optional).

          WEP provides a somewhat effective passphrase, while WPA/WPA2 is a more secure passphrase using harder to crack protocols.

  4. Click Add to generate the QR code. To save the QR code for future use, select Download or Print.

System apps

System apps are pre-installed as part of the device’s operating system. You can specify whether or not device users can access these apps after enrollment.

  • Disable system apps: Hides pre-installed apps.

    Only certain default system apps — My Files, Contacts, and Play Store — are available in the app list. Device users can’t install or remove these apps.

  • Enable system apps: Allows device users to access pre-installed apps.

When using Knox Mobile Enrollment with Knox Configure, enabling system apps may lead to conflicts with the Knox Configure profile.

Enrollment screens

Enrollment screens guide devices users through a series of steps required to set up a device. You can choose to display the following additional enrollment screens:

Setting Description Supported system
Show the Android Enterprise setup disclaimer screen before EMM enrollment Displays a warning screen that the phone is being enrolled in Android Enterprise. Android 12 and higher.
Show additional setup screens after EMM enrollment Displays Google Services setup screens. It is enabled by default. If disabled, Google Services setup screens are hidden for device users. Fully managed devices — Android 13 and 14

Managed devices with a work profile — Android 14

Always shown on Android 15 and higher.
Privacy Policy, EULAs and Terms of Service

You can add up to three of your organization’s legal agreements to display to end users during device enrollment. Click Add legal agreement, provide information in the Agreement Title and Agreement Text fields, and click Add.

Root and intermediate certificate

You can select a root or intermediate certificate to install on devices during device enrollment. Click Select to browse to and upload a certificate file in one of the following formats: CER, PEM, CRT, DER, or a CA-bundle.

This feature is available on devices running Android 9 or higher.

DualDAR

The Samsung Knox DualDAR solution provides two separate layers of encryption and key generation.

To double-encrypt your device’s data:

  1. Select Enable DualDAR, then click Enable to confirm you have a Knox Platform for Enterprise DualDAR license. If you don’t have a license, but would like to use DualDAR, contact your reseller.
  2. To allow an independent third-party to install a separate cryptographic module, select Use 3rd party crypto application, then click ADD PACKAGE AND SIGNATURE, provide the Package Name, Package URL, and Signature of the 3rd party crypto app, and click Save.

Advanced settings

Advanced settings give you additional control over your devices — you can lock devices if security is compromised and install apps prior to an EMM enrollment. To use advanced settings, you’ll need:

  • A Knox Suite - Enterprise Plan. If you don’t have the Knox Suite - Enterprise Plan, you can still set up standard settings to enroll your devices into the EMM, but advanced settings can’t be used.

  • Samsung devices that aren’t currently enrolled in Knox Guard. To avoid locking conflicts, a device enrolled in Knox Guard can’t be assigned a profile with advanced settings enabled. To resolve this conflict, you must unenroll the device from Knox Guard.

Lock compromised devices

To prevent information security leaks in the event of device loss or theft, you can define settings to remotely lock your devices:

  • Lock device: Locks the device if it isn’t enrolled in an EMM by a specified date. You can select a timeframe between 1 – 30 days (default is 7 days)
  • Immediately lock device if it’s rooted or running unofficial firmware
  • Immediately lock device if user does not enroll with an EMM through Knox Mobile Enrollment: Locks a device if the end user attempts to cancel the factory reset required to enroll
Lock screen message
  • Lock message: Enter the custom message that’ll display on the device when locked, or use the default message provided.
  • Phone number: Enter the phone number that the device users can contact when the device is locked.
Install apps

To further reduce the EMM enrollment time and facilitate staging, you can install up to three local apps on a device prior to EMM enrollment.

This feature is not supported with QR code-based enrollment.

Click Add app, enter a Package name, URL for app download (APK file), and Signature checksum, and click Add. Ensure that your APK file doesn’t exceed 500 MB.

Any issues with the app’s APK file or network may cause the app installation to fail upon enrollment. To avoid this, ensure your APK URL is correct and you have a safe network connection.

To edit an app, click its Package name.

Edit an enrollment profile

  1. On the Enrollment profiles page, select a profile name. The Edit enrollment profile page displays.
  2. Navigate to the section you want to update, click Edit, and adjust the settings as desired.
  3. When you’ve finished reviewing your changes, click Save. Alternatively, to apply the updates to your devices, click Save and assign and select the required devices.

As only one profile is supported per device, when you assign an updated profile, the existing settings on your devices are completely replaced.

When assigning a new or updated profile to a device, you must factory reset the device to apply the changes.

Duplicate an existing enrollment profile

  1. Select a profile name.
  2. Click Actions > Duplicate to edit. The Clone profile dialog displays.
  3. Click Duplicate to proceed. The Create enrollment profile page displays.
  4. Update the profile settings as required. For information about the settings, see Create an enrollment profile.

The new profile is added to the common enrollment profiles list.

Delete an enrollment profile

  1. Select a profile name.
  2. Click Actions > Delete profile. The Delete profile dialog displays.
  3. Click Delete to proceed.

The profile is removed from the common enrollment profiles list.

On this page

Is this page helpful?