Unenroll devices

Last updated May 13th, 2025

You can unenroll the devices registered in the Knox Manage server. The methods for unenrollment differ depending on the device type, and are described in the following sections.

To delete the work profile from Android Enterprise devices or delete Knox Manage from fully-managed devices, push the Unenroll device command to them.
To subsequently restart the device user’s session, send the Delete account command, then ask the user to sign in again.

When you unenroll Fully Managed or Fully Managed with Work Profile devices, the devices are factory reset. If the devices are running Android 7 to 8.1, any inserted microSD cards are also wiped.

If a factory reset is prevented by other device administration applications, such as Knox E-FOTA and Knox Configure, then the process of removing the device from Knox Manage will fail due to the requirement of a factory reset. As a result, even after successfully unenrolling the device from Knox Manage, the device will continue to show the Knox Manage authentication screen.

Unenroll connected devices

To unenroll devices that are connected to the server:

Go to Device on the Knox Manage console.
On the Device page, select the device you want to unenroll.
Click Unenroll.
(Optional) Select one or more of the following actions to be performed during unenrollment:
- Unassign KME profiles — Unassigns any Knox Mobile Enrollment profiles on the device.
- Delete devices from KME — Deletes the device from Knox Mobile Enrollment, if applicable. For information about unenrolling devices from Knox Mobile Enrollment, see Use Samsung Knox Mobile Enrollment (KME).
- Unenroll devices from KAI — Unenrolls the device from Knox Asset Intelligence. For information about Knox Asset Intelligence license management, see Manage licenses.
- Remove eSIM upon factory reset (Preview) — Removes eSIM information from the device (even if the eSIM wasn’t installed using Knox Manage). You will need to activate the eSIM through the carrier if you want to reuse it.
  
  eSIM removal only works for devices that have neither been factory reset nor unenrolled from Knox Manage since the eSIM was installed. The option will be read-only if the device doesn’t support eSIM.
On the Unenroll dialog, click OK to confirm. The device is unenrolled.
- Clicking Force Unenroll unenrolls the device and also changes the device status to Unenrolled, thereby ensuring the license seat occupied by the device is freed up. This can be helpful if, for instance, you had previously accidentally reset the device without actually unenrolling it.
- For iOS devices that were reset or unenrolled from the Knox Manage console, device users can disable the activation lock in Setup Assistant by entering the code in the Password field and leaving the ID field empty.

Unenroll disconnected devices

To unenroll devices that are offline:

Identify which device needs to be unenrolled.
Go to Device on the Knox Manage console.
On the Device page, select the disconnected device that you want to unenroll.
Click Unenroll. The Unenroll dialog opens, showing relevant options and the Offline Unenrollment Code for the device. Copy the unenrollment code to send to the device user later.
Click Force Unenroll.

Clicking Force Unenroll unenrolls the device and also changes the device status to Unenrolled, thereby ensuring the license seat occupied by the device is freed up. This can be helpful if, for instance, you had previously accidentally reset the device without actually unenrolling it.
Instruct the user to enter the Offline Unenrollment Code from step 4 in the Knox Manage agent’s Offline Unenrollment screen. The device unenrolls.

You can configure Knox Manage to automatically delete any installed apps from the device as it unenrolls, including installed internal apps (on all Android devices and iPhones running iOS 11 or later). To configure this, go to Setting > Configuration > Basic Configuration > Device, and set Delete App upon Unenrollment to Yes.
If device unenrollment is unsuccessful on a disconnected Windows device, ensure you are disconnected from all enterprise account connections on the device by going to Start > Settings > Accounts > Access work or school, and try unenrolling again.

Unenroll groups of devices

When you need to unenroll devices in bulk, you can send the unenrollment command to entire device groups at once. Keep in mind that device groups and user groups are fundamentally different types, so you can’t unenroll user groups in bulk, even if there are devices associated with them.

Accidental use or misuse of this action can have severe consequences on a large number of devices at once. As a precaution, you can only unenroll one group at a time, and the Knox Manage console asks you twice to confirm your submission.

To unenroll all the devices in a group:

Go to Group.
Select a device group.
Make sure that you selected the right device group, then click Unenroll Device. A confirmation dialog opens.
(Optional) Select Unassign KME profiles and Delete devices from KME to delete the device from Knox Mobile Enrollment (KME) as well.
Read the on-screen warning, then select I have read the warnings and agree to proceed with the process.
Click OK to gracefully unenroll the devices or Force Unenroll to push the action through. If you choose the latter option, the console asks you to confirm again.

Allow users to unenroll their devices

If a device is connected to a network and can establish communication with the server, then users can unenroll the devices by uninstalling the agent.

To allow the user to uninstall the agent, complete the following steps:

Go to Setting > Configuration > Knox Manage Agent Policy.
On the Knox Manage Agent Policy page, click the Default tab. You can also add more agent policy sets by clicking .
Set the Allow Unenroll Request policy to Allow.
Click Save & Apply.