I wrote a blog post a week ago about Apple’s DEP program and how to use it with Microsoft Intune. In this second part of the Mobile Device Automatic Enrollment blog series, I focus on Samsung’s KME program.

Samsung’s KME program is pretty much the same as DEP in the Apple world. It helps the end user’s enrollment process in a significant way. Android device management is currently taking a big step. Android Enterprise (previously known as Android for Work) is going to be the mandatory management method, because Google is dropping support for Device Admin in Android Q, which will be published in 2019.

Every enterprise mobility management solution must implement Android Enterprise much more quickly than the vendors may have expected. There are several methods to implement Android Enterprise for Samsung devices, and Intune supports all of them. I’m not going through those methods in detail now, but you can manage a couple of them through the KME program, so select the right implementation for your scenario. The methods are:

  • Personally-enabled devices: End users can run private applications normally on the device, but all work applications are in a work profile that is managed by the company. This method is not supported at all by KME!!!
  • Corporate-owned dedicated device: Locked down kiosk-mode devices that run one or more applications only.
  • Corporate-owned fully managed user devices: Only work mode enabled, personal side not available at all.

Ensure that KME is available in your region. There are only selected countries where you can use it.

You should also check the supported devices for Samsung KME so that you don’t implement KME for nothing. Find a list of supported devices here.

Applying to KME program

To get started, fill in this form on Samsung’s website. (The link is for the Europe area; for other regions, select Apply now from the KME website.)
When filling in the form, remember to use a general e-mail address, for example intune.kme@bloggerz.cloud (of course you have to create the mailbox first). This is the first account for your KME and you can’t change it later. If you leave the company, KME remains usable because it is not tied to your personal e-mail.

After you fill in the KME form, Samsung will confirm your company and send an e-mail to the address that you gave in the registration. The e-mail contains a link to complete the registration process. Once you can sign in, all that remains is configuring KME.

Apply for Managed Google Play

Create a new Google account for your company, e.g. intune.google@bloggerz.cloud. After that, go to the Intune Android Device Enrollment page and select Launch Google to connect now. Follow the wizard to create the Managed Google Play account. After this you are able to continue with the Android Enterprise configurations.

Once you have the Managed Google Play account, approve Intune Company Portal and its updates from the Google Play work store for your environment.

In Intune, under Device enrollment restrictions, create a new restriction policy for your pilot group to enable Work profile enrollment. If you enable the restriction in the default policy, it will override your Android Device Admin setting on devices that are capable of Android Enterprise. That is the reason to create a separate policy for it.

Select Android Enterprise methods

Before you configure the integration, you have to know what you want to achieve. Select the methods that you want to use for your end devices. I won’t go through the configuration of KME to Device Admin here anymore, because it’s deprecated and will not work anymore in Android Q in 2019. I know that many organizations still want to use the Device Admin management method, but you just have to take the step towards Android Enterprise, sooner or later. Now is a good time for it!

Personally-enabled devices

As mentioned earlier, this scenario is not supported by KME. The end user must download the Company Portal manually and enroll the device to the work profile by hand. This enrollment type is intended for devices that share personal and work applications on the same device.

Corporate-owned dedicated device

A corporate-owned dedicated device (locked kiosk-mode device) can be enrolled to Intune management automatically with the KME enrollment process. In Intune, select Android enrollment and Corporate-owned dedicated devices. Create a profile for enrollment, open it, and select Token and Show token.

Copy the token text for later use. Next I will show how to get a token for Corporate-owned fully managed user devices. After that section we continue with this method too, because the steps are the same.

Corporate-owned fully managed user devices

Corporate-owned fully managed user devices can be enrolled to Intune management automatically with the KME enrollment process. In Intune, select Android enrollment and Corporate-owned fully managed user devices. Select Allow users to enroll corporate-owned user devices: Yes and copy the Enrollment token that appears on the screen.

Configuring KME portal

To configure the KME portal, create a profile in the KME console (link to EU based site). This post was written in March 2019, so if something is not working, please consult Microsoft’s documentation of Knox Mobile Enrollment.

Select Actions and Add. Do not add a Server URI for Intune purposes at all when the profile wizard asks for it.

Enter the name of your profile and a description. Also fill in your support contact details.

For MDM Agent APK, enter the following URI: https://aka.ms/intune_kme_deviceowner

Select Enable this app as a Google Device Owner and select Microsoft Intune from the list. Enter the following JSON data in the Custom JSON Data field. Remember to replace the text between the last two quotation marks with the token that you created in Intune.

{"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "ENTER YOUR TOKEN HERE"}
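A way to build and sanity-check the Custom JSON Data string before pasting it into the KME profile (an added example, not part of the original post or of any Samsung or Microsoft tooling). The function names and the sample token are hypothetical, and the whitespace check assumes a real token contains no spaces or line breaks.

```python
import json

TOKEN_KEY = "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN"  # key from the post
PLACEHOLDER = "ENTER YOUR TOKEN HERE"  # placeholder text from the post
SMART_QUOTES = "\u201c\u201d\u2018\u2019"  # curly quotes picked up when copying from web pages


def token_problems(token):
    """Return reasons why a token value should not be pasted as-is."""
    if not isinstance(token, str) or not token:
        return ["token is missing or not a string"]
    problems = []
    if token == PLACEHOLDER:
        problems.append("placeholder text was not replaced with the Intune token")
    elif any(ch.isspace() for ch in token):
        # Assumption: a real token has no spaces or line breaks in it.
        problems.append("token contains whitespace (copy/paste artifact?)")
    return problems


def build_custom_json(token):
    """Return the Custom JSON Data string for the given enrollment token."""
    problems = token_problems(token)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps({TOKEN_KEY: token})


def validate_custom_json(text):
    """Check a string that is about to be pasted into the Custom JSON Data field."""
    if any(q in text for q in SMART_QUOTES):
        return ["typographic quotes found; JSON needs straight double quotes"]
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(data, dict):
        return ["top-level value must be a JSON object"]
    if TOKEN_KEY not in data:
        return [f"missing key {TOKEN_KEY}"]
    return token_problems(data[TOKEN_KEY])


if __name__ == "__main__":
    # Constructed sample value, not a real enrollment token.
    print(build_custom_json("CONSTRUCTED-SAMPLE-TOKEN"))
    print(validate_custom_json('{"%s": "%s"}' % (TOKEN_KEY, PLACEHOLDER)))
```

An empty list from validate_custom_json means the string has the expected key and a plausible token value; it does not confirm that Intune still accepts the token.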

Change the default profile for your reseller on the Resellers page. You can also add a new reseller from here by adding their KME reseller ID to the list. Remember to choose whether you want to enable automatic approval for all devices that the specific reseller uploads to your portal.

Now you can give your Knox Customer ID to your reseller. You can also find the Knox Customer ID on the Resellers page. After your reseller confirms the KME configuration, you can test the process by ordering a brand new Samsung phone straight from your own reseller.

Knox Deployment Application

For testing purposes you can also use the Knox Deployment Application to enroll Samsung devices to the KME portal. Download the Knox Deployment Application from the Google Play store to your Android device and log on to it with your Samsung account attached to the KME portal. It offers several methods and easy wizards for proving the KME concept without adding any resellers to your environment.

Summary

KME is Samsung’s enrollment program that helps the admin achieve an easier, managed enrollment process with Samsung phones. The enrollment program works perfectly with Intune and supports two different kinds of enrollment scenarios. Samsung’s KME is free and you can start using it almost immediately if you want. If you are not sure, test it. Remember to confirm with your reseller that they are a KME-approved reseller for Samsung phones.



Markus Lintuala

I have worked most of my career on the traditional infrastructure management side with enterprise architectures, workstation and server management. When Microsoft published the first IaaS services on Azure, I started my journey towards the cloud on the productivity as well as the platform side. I like to work with the newest technologies, currently especially in the Microsoft 365 identity, security, device management and end-user experience area.
