I wrote a blog post a week ago about the Apple’s DEP program and how to use it with Microsoft Intune. In the second part of the Mobile Device Automatic enrollment blog series, I focus on Samsung’s KME program.
Samsung’s KME program is pretty much the same than the DEP on Apple world. It will help end-user’s enrollment process in a significant way. Currently there is a big step evolving in Android device management. Android Enterprise (previously known as Android for Work) is going to be the mandatory management method, because Google is dropping out the support of Device Admin in Android Q that will be published in 2019.
Every enterprise mobility management solution must implement the Android Enterprise solutions much more quickly than the vendors have maybe thought. There are several methods to implement Android Enterprise for Samsung devices and Intune supports all of methods. I’m not now going through those methods more closely, but you can manage couple of these methdos through the KME program, so select the right implementation for your scenario. Methods are:
- Personally-enabled devices: End-users can run private applications normally on device, but all work applications are on work-profile that is managed by company This method is not supported at all by KME!!!
- Corporate-owned dedicated device: Locked down kiosk-mode devices that run one or more applications only
- Corporate-owned fully managed user devices: Only work mode enabled, personal side not available at all.
Ensure that KME is available in your region. There are only selected countries where you can use it.
You should also look for supported devices for Samsung KME that you don’t implement KME just for fun. Find a list of supported devices here.
Applying to KME program
To get started fill this form on Samsung’s website. (Link is for Europe-area, for other regions, select Apply now from KME website).
When filling the form, remember to use general e-mail address for example intune.kme@bloggerz.cloud (of course you have to create the e-mail first). This is the first account for your KME and you can’t change it later. If you leave the company, KME is still available for later usage without your personal e-mail.
After filling the KME form, Samsung will confirm your company and send you an e-mail to address that you have given in the registration. In the e-mail you have a link to complete the registration process. When you can sign-in it’s only configuring the KME.
Apply for Managed Google Play
Create a new google account for your company e.g. intune.google@bloggerz.cloud. After that go to Intune Android Device Enrollment page and select Launch Google to connect now. Follow the wizard to create Managed Google Play account. After this you are able to continue towards the Android Enterprise configurations.
After you have Managed Google Play -account, approve Intune Company Portal and its updates from Google Play work-store for your environment.
From Intune in Device enrollment restrictions, create a new restriction policy for your pilot group to enable Work profile enrollment. If you enable the restriction to default policy, it will override your Android Device Admin-setting on devices that are capable for Android Enterprise. That is a reason why to create own policy for it.
Select Android Enterprise methods
Before you configure the integration you have to know what do you want to achieve. Select methods that you want use for your end-devices. I won’t go anymore through here the configuration of KME to device admin, because it’s deprecated and will not work anymore in Android Q in 2019. I know that many organizations want to use still Device Admin management method, but you just have to take the step towards the Android Enterprise – sooner or later. Now it’s a good time for it!
Personally-enabled devices
As mentioned earlier, this scenario is not supported by KME. End user must download the Company Portal manually and enroll it to the work profile by hand. This enrollment type is planned for devices that shares personal and work applications in the same device.
Corporate-owned dedicated device
Corporate owned dedicated device (locked kiosk-mode device) can be enrolled to Intune management automatically with KME-enrollment process. In the Intune select Android enrollment and Corporate-owned dedicated devices. Create a profile for enrollment and open it and select Token and Show token.
Copy the token text for later usage. I will show how to get a token now from Corporate owned, fully managed user devices. After that paragraph we will continue with this method also, because the steps are same.
Corporate-owned fully managed user devices
Corporate owned fully managed user devices can be enrolled to Intune management automatically with KME-enrollment process. In the Intune select Android enrollment and Corporate-owned fully managed user devices. Select Allow users to enroll corporate-owned user devices: Yes and copy the Enrollment token that appears on the screen.
Configuring KME portal
To configure KME portal, you should create a profile under KME console (link to EU based site). This post has been written in March 2019, so if something is not working, please consult Microsoft’s documentation of Knox Mobile Enrollment.
Select Actions and Add. Do not add Server URI for Intune purposes at all when the profile wizard asks it.
Enter name of your profile and description. Also fill your support contact details
For MDM Agent APK write next URI: https://aka.ms/intune_kme_deviceowner
Select Enable this app as a Google Device Owner and select Microsoft Intune from the list. Enter next JSON-data to Custom JSON Data -field. Remember to replace your token that you created in Intune between the two last quotation marks.
{"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "ENTER YOUR TOKEN HERE"}
Change the default profile for your reseller under resellers-page. You can also add a new reseller from here by adding their KME reseller ID to the list. Remember to choose if you want to enable automatic approval for all devices that the specific reseller uploads to your portal.
Now you can give your Knox Customer ID to your reseller. You find the Knox Customer ID also from the Resellers -page. After your reseller confirms the KME configuration, you can test the process by ordering a brand new Samsung phone straight from your own reseller.
Knox Deployment Application
For testing purposes you can also use Knox Deployment Application to enroll Samsung Devices to the KME-portal. Download the Knox Deployment Application from Google Play -store to your Android device and log on to it with your Samsung account attached to the KME-portal. You have several ways and easy wizards to proof the KME concept without adding any resellers to your environment.
Summary
KME is Samsung’s enrollment program that helps the admin to achieve easier and managed enrollment process with Samsung phones. Enrollment program works perfectly with Intune and supports two different kind of enrollment scenarios. Samsung’s KME is free and you can start using it almost immediately if you want. If you are not sure – test it. Remember to ensure from your reseller that they are KME approved reseller for Samsung phones.
Find also my other posts about Mobile Device Automatic Enrollment:
9 Comments
LD · 30.10.2019 at 07.16
The only issue with thsi is when you have users who have MFA enabled. You can’t read a text or answer a call so when you’re signing into the app when the device boots ..you’re stuck!
Markus Lintuala · 13.11.2019 at 14.30
That’s true and sad 🙁
But in Microsoft Ignite Azure AD team showed some roadmap where they have something to solve this coming up in the beginning of 2020 🙂 Let’s wait…
Giovanni Perini · 15.11.2019 at 10.54
Do you have some more info on this? Was it in a session that I can look up or do you have any contact information from the Microsoft Program Manager that is working on this?
Thanks for the reply, Giovanni
Markus Lintuala · 19.11.2019 at 20.23
In Azure AD Overview session there was a mention about an account recovery which is on the roadmap. As far as I understood from discussions in the Azure AD booth, there will be a solution to complete multi-factor authentication using one-time password, which will be provided separately. What does this mean then… We just have to wait 🙂
Shamis Ahmed · 10.11.2020 at 20.05
Hi Markus,
Your blog is very helpful! I have a question regarding KME,
We have most of the things setup for KME, just wanted to check if there is any way we can connect devices to wi-fi automatically as soon as we Power On. We have bulk devices to enroll and connecting each one to network initially is what we are looking to automate before it proceeds to auto-enrollment through KME.
Regards,
Shamis
Markus Lintuala · 13.11.2020 at 23.11
Hi Shamis,
There really isn’t a way to pre-provision devices with Microsoft tools before the initial enrollment. There might be way to insert some provision package with KNOX itself, but I think it loses the advantage of KME. I would suggest to use SIM-card installed on device so it can use mobile data if possible and enroll it without Wi-Fi at all.
Patrik Lappalainen · 03.12.2020 at 13.38
Hello Markus,
Have you seen this problem if you connect android 10 device to KME portal using KME QR-code (+ gesture on start-up) OR you enroll device to Intune using Intune QR-code (5 taps on empty screen)
it will delete configuration after reboot. So for an exampe:
1. New Samsung Galaxy Tab A7 device is opened fresh out of box
2. Booted and first thing you have to do is either 5 taps on empty screen to open QR-code reader
for Intune QR-code OR do (+) gesture on start up screen to open KME-enrollmet options.
3. When either of one of these have been done, device asks to select language and region, after region selection it tells to reboot device.
4. After reboot it goes straight to terms of use agreement and KME-enrollment or Intune-enrollment both are gone.
Markus Lintuala · 18.12.2020 at 08.24
Hi Patrik,
In fact I haven’t configured the KME for a while, so unfortunately not. I asked also from couple of my colleagues and they haven’t seen any problems either. Does other OS versions (9 or 11) work?
Patrik Lappalainen · 21.12.2020 at 12.08
Hello,
It seems after creating ticket on KME, they fixed those issues regarding model A7, don’t know if problems exist on other models.