Salaam, Namaste, Ola and Hello!
On this week's ‘IamITGeek’ blog series I will be taking an in-depth look at Samsung Knox Enroll and how it integrates with Azure Intune to enroll & manage Samsung devices, as well as some of the cool ways in which you can utilize Azure Intune to deploy applications and security profiles to your mobile devices.
Samsung Knox Enroll: Samsung have a number of different services within the Knox suite, including Knox Configure, which allows you to configure profiles for devices, and Knox Manage, which is their full MDM solution. As with most third-party MDM solutions, they have a cost associated with them. However, existing Microsoft Intune customers can utilize Knox Enroll, a free service that allows you to automate the enrollment of Samsung (Android) devices into the Azure Intune MDM platform.
Before I used Knox Enroll, my previous experience with enrolling devices into Intune was manual and included having to download the Corporate Intune app from the Play Store. In this blog I will take you through the integration of Samsung Knox Enroll with Intune, which removes this obstacle, as well as how to deploy applications and security profiles to the devices from Intune once they are enrolled (in part two of this series).
Before you can configure the integration between Knox Enroll and Intune, you first need to sign up to Samsung Knox, which is a relatively straightforward process. The only slightly frustrating part of this is that you have to apply for the Enroll service, which can take 2-3 days to go through. Once you are past that, you are into the dashboard.
As you can see from the image above, once in the Dashboard you can start to access a number of services, some of which I mentioned earlier. Once in the Knox Mobile Enrollment Console, you need to create an MDM profile. In this section we are basically configuring the integration with Intune, which will allow for auto-enrollment into the MDM.
At this point I found the documentation available around configuring a Knox Enroll profile with Intune was very poor, and it took a lot of searching around various articles to find the correct information. After some trial and error, the following fields were required to get the integration to work:
- Profile name
- Support Contact Details
- MDM agent APK
The Profile name and support contact are self-explanatory, but the key is the MDM agent APK. This basically points Samsung Knox Enroll to the APK file for Azure Intune in the app store, which means the end user does not have to manually download it. At this point the slight confusion for me was not having to use the MDM URI, and looking for this originally did waste a lot of time. As I mentioned, there does not seem to be much technical documentation around how to set this up, whereas there is a lot of information giving an overview of the product and integration.
You will now need to add your device into the Samsung Knox portal. There are two methods for this:
- Get a reseller to bulk add devices
- Add a single device via Bluetooth
There is a section within the Admin console where you can add a reseller, which will then allow them to bulk add devices to your Samsung Knox portal. This method is more relevant if you are doing a mass rollout; however, for the purpose of this blog I used the Bluetooth method, which was straightforward and done via KDA (Knox Deployment App). This is a free download via the Play Store, but you need to make sure the following are in place before you can use this feature:
- Must have a Samsung Knox Enroll login
- Devices must support NFC or Bluetooth
- Must have at least one profile configured in Samsung Knox Enroll
Once the device is added to the portal, you can assign it the relevant profile, which will then allow the process of enrollment into Intune to start. From a user perspective, when they power on their device they will see a splash page showing the support details we configured in the MDM profile earlier, as well as a login prompt where they will need to use their corporate email details (Office 365/Azure). This adds the device into the Intune MDM, where it will start to download any apps and security profiles configured within Azure.
That is it for part one, folks. Keep an eye out for part two, where I will discuss some of the features around app deployment and security profiles within Intune that can be deployed to Samsung phones, and how to do this. Until next time, ‘IamITGeek’ over and out!