Home / Knox Mobile Enrollment / How-to guides / Manage profiles /

Create an enrollment profile

Last updated August 5th, 2025

You can use Knox Mobile Enrollment profiles to define the services your device enrolls into, how the device gets enrolled, and what the devices can do during and after enrollment.

With Knox Mobile Enrollment profiles, you can easily enroll devices into your Knox solutions.

To create a profile:

  1. On the Knox Mobile Enrollment navigation pane, click Profiles. You’ll be redirected to the common Enrollment profiles page in the Knox Admin Portal.

  2. Click Create profile.

  3. Enter your Basic info.

  4. Creating an enrollment profile for an EMM requires additional information. Enter required details in the following sections that display if you select EMM under Basic info:

    • EMM info — Provide contact details and EMM information.
    • Configure device settings — Configure standard settings and advanced settings. To use advanced settings, you’ll need a Knox Suite - Enterprise Plan license.

    The EMM info and Configure sections display only if you selected EMM in the Basic info section.

  5. Review your enrollment profile.

  6. Click Create profile to complete the set up. Alternatively, click Create and assign to also assign it to devices. You can also assign the profile at a later date. For more information, see Assign profiles.

Basic info

On the Basic info page, enter the following basic profile information:

  • Profile name (required)

    When creating a profile within the console, the following characters aren’t allowed: \ # / $ * % ^ & \ ( ) + ? { } [ ]

  • Profile description

  • Select solutions and services to install (required) — Check the services you wish to install your devices. This will enable out-of-box experience (OOBE) enrollment on the device.

    If you select a service that’s hidden (Settings > Show/hide services), you won’t be able to use the service in Knox Admin Portal.

    • EMM — Select to use the enrollment profile to enroll devices to your MDM, EMM, or UEM.
      • (Optional) Knox Service Plugin — Installs the Knox Service Plugin app on the device. This setting is automatically selected as it may be required to set Samsung device policies in your EMM. You can disable this option, if required.
    • Knox E-FOTA — Select to use the enrollment profile to enroll devices to Knox E-FOTA. As part of OOBE, installs the Knox E-FOTA app on the device.

      To be able to manage firmware on devices using Knox E-FOTA, you’ll need to create and assign campaigns to the enrolled devices.

    • Knox Asset Intelligence — Select to use the enrollment profile to enroll devices to Knox Asset Intelliegence. As part of OOBE, installs the Knox Asset Intelligence app on the device.

      To use Knox Asset Intelligence, please ensure that your devices are enrolled into an EMM.

EMM info

The EMM info and Configure sections are for providing EMM details, and are displayed only if you selected EMM in the Basic info section. If you selected only Knox E-FOTA or Knox Asset Intelligence, these sections are not shown.

Enter your Contact information and EMM information.

Contact information

Provide the contact information to be displayed during device enrollment:

  • Company name
  • Support email
  • Support phone number

The support contact information is auto-populated in this section, if you previously provided default support information.

EMM information

Enter your EMM information:

  • Select your EMM: For a list of all EMMs that Knox Mobile Enrollment currently supports, see Knox partner solutions.
  • Link to agent APK: For most Knox Validated EMMs, the download link of the EMM app is auto populated. Enter the download link manually, if it’s not auto populated.
    • The EMM is privately hosted on an intranet server: Select the check box and provide following APK details:
    • Admin component name: Displayed as package name/class name.
    • Admin package signature checksum: The URL-safe, base64 encoded SHA-256 hash of the EMM APK signature. You can get this value from your EMM, or use the Keytool utility on Linux.
    • EMM app name
    • App icon: The icon displayed next to the EMM app. Click UPLOAD ICON and upload a PNG file of up to 1 MB. The icon size must be at least 48x48 px.
  • (Optional) Specify an EMM server URI: Select the check box, if required by your EMM provider, and enter the server address in the Server URI field. Verify that you are allowed to connect to the server URI, as it may be firewall-protected or unavailable on public networks.

Configure device settings

If you’ve selected EMM in the Basic info section, the following Standard settings are optional features you can add to your profile to customize what devices can do during and after enrollment.

DPC extras

Your EMM provider may require you to specify custom JSON configurations for the Device Policy Controller (DPC) app during enrollment.

For example, if you’re using Knox Manage as your EMM provider, your JSON data entry may look like this:

{
"tenantId": "knoxteam.samsung.com",
"tenantType": "M"
}

To configure additional parameters to automatically enroll the device in a particular mode, your JSON data entry may look like this:

{
"tenantId": "knoxteam.samsung.com",
"AllowModifyUserId": "Disallow",
"Mode": "DO"
}

Consult your EMM provider to obtain the required configurations as the format may differ.

QR code enrollment

You can use a QR code to enroll your devices into an EMM. This feature is supported on devices running Android 10 or higher.

This feature is supported for EMMs only. If you’re using a QR code for an enrollment profile that’s set up to enroll devices into an EMM, along with Knox E-FOTA or Knox Asset Intelligence, the devices are enrolled into only the EMM. To enroll in Knox cloud services, use OOBE enrollment instead.

To allow device users to enroll into an EMM using a QR code, configure the following settings:

  1. Select Add QR code.

  2. You can Also allow QR enrollment for devices not uploaded by a reseller.

  3. Under Wi-Fi network configuration, select one of the following:

    • Don’t add Wi-Fi network credentials to QR code — Create a QR code with no network credential data. Device users must manually connect to Wi-Fi.
    • Add Wi-Fi network credentials to QR code — Add security data and proxy traffic gateway information to the QR code.
      • Use device MAC address — Include the factory-encoded hardware MAC address within the QR code’s Wi-Fi MAC address. Wi-Fi settings in the QR code take priority over those associated with the device in the profile, since you first need to connect to Wi-Fi through the QR code before downloading the profile information associated with the device.
      • W-Fi network is hidden — Enables the QR code to connect the device to a Wi-Fi access point with a hidden SSID. You can still view and print the SSID in read-only mode. Disabled by default.
      • Enter a SSID Name for the Wi-Fi network.
      • Select a Security protocol to protect the Wi-Fi network. You can select between None, WEP, or WPA/WPA2.
        • If you select WEP or WPA/WPA2, enter an optional password. WEP provides a somewhat effective passphrase, while WPA/WPA2 is a more secure passphrase using harder to crack protocols.
        • Selecting None provides no Wi-Fi network security data within the generated QR code, and is not recommended for private networks.

  4. Once all of the required fields are filled, click ADD to generate the QR code. To save the QR code for future use, select Download or Print.

System apps

System apps are pre-installed on a device as part of the operating system. Select whether device users can access these apps upon enrollment.

  • Disable system apps — Hide pre-installed apps upon enrollment. When you enable this option, only certain default system apps (My Files, Contacts, and Play Store) will be available in the app list. These apps can’t be installed or removed by the device user.
  • Enable system apps — Allow device users to access pre-installed apps upon enrollment.

When using Knox Mobile Enrollment with Knox Configure, enabling system apps may lead to conflicts with the Knox Configure profile.

Enrollment screens

Enrollment screens are a series of steps device users follow to set up a device. You can choose to:

Setting Description Supported systems
Show the Android Enterprise setup disclaimer screen before EMM enrollment Displays a screen warning the user that the phone is being enrolled in Android Enterprise. Android 12 and higher
Show additional setup screens after EMM enrollment Displays additional setup screens. This setting is enabled by default. If disabled, Google Services setup screens are hidden for device users. Available on fully managed devices (Android 13 and 14), and on managed devices with a work profile (Android 14). Always shown on Android 15 and higher.

Privacy Policy

You can add up to three of your organization’s legal agreements to display to device users during device enrollment.

Click Add legal agreement, provide information in the Agreement Title and Agreement Text fields, and click Add.

Root or intermediate certificate

You can select a root or intermediate certificate to install on devices during device enrollment.

Click Select to browse to and upload a certificate file in one of the following formats: CER, PEM, CRT, DER, or a CA-bundle.

This feature is available on devices running Android 9 or higher.

DualDAR

The Samsung Knox DualDAR solution provides two separate layers of encryption and key generation.

To double-encrypt your device’s data:

  1. Select Enable DualDAR, then click Enable to confirm you have a Knox Platform for Enterprise DualDAR license. If you don’t have a license, but would like to use DualDAR, contact your reseller.
  2. To allow an independent third-party to install a separate cryptographic module, select Use 3rd party crypto application, then click ADD PACKAGE AND SIGNATURE, provide the Package Name, Package URL, and Signature of the 3rd party crypto app, and click Save.

Advanced settings

You can enable Advanced settings to include optional features, such as device lock or app installation during enrollment.

A Knox Suite - Enterprise Plan is required to use advanced settings.

Review

The final step is to review your profile to ensure all information is correct. To edit a section, click a section title on the left navigation pane.

Once you are ready to proceed:

  • Click Create profile to create a profile, but skip profile assignment. Select this option if you wish to assign profiles to devices at a later date, or plan on using QR code enrollment.
  • Click Create and assign to assign the newly created profile to your devices.

Your newly created profile displays in enrollment profiles list.

On this page

Is this page helpful?