Knox Mobile Enrollment with Intune: Streamlining Android Device Provisioning
By
Sebastiaan Smits
Manual Android device setup is time-consuming, inconsistent, and difficult to scale—especially for IT teams managing large fleets. To solve this, organizations are turning to Knox Mobile Enrollment (KME) and Microsoft Intune, a powerful combination that enables seamless, zero-touch enrollment and centralized Android device management. KME allows Samsung devices to be pre-configured so they automatically enroll into Intune during setup, eliminating the need for user intervention and reducing provisioning time. In this guide, you’ll learn how to integrate KME with Intune and deploy Android devices efficiently using modern device provisioning practices.
Step-by-Step Guide: Setting Up KME with Intune
Setting up Knox Mobile Enrollment (KME) with Microsoft Intune involves a few one-time configurations that enable a streamlined, zero-touch enrollment experience for your Samsung Android devices. Follow these steps to get started:
Step 1: Prerequisites
Before beginning the integration, make sure you have the following:
A Samsung Knox account (you can create one at Samsung Knox)
An active Microsoft Intune subscription
Samsung devices that support Knox Mobile Enrollment (typically devices running Android 9.0+ and purchased from authorized resellers)
To use Samsung Knox Mobile Enrollment (KME), devices need to be registered in the KME portal—ideally by purchasing them through a participating reseller who uploads them automatically. If that's not possible, you can request Samsung Support to manually add a limited number of test devices via their support channel.
Check Samsung's device list to verify that your device is compatible with Knox Mobile Enrollment.
Step 2: Creating an Enrollment Profile in Intune
Before you link Knox Mobile Enrollment (KME) with Intune, you first need to create an enrollment profile within the Intune Admin Center. This profile defines how corporate-owned Samsung Android devices will be provisioned.
Go to the Microsoft Intune admin center.
Navigate to Devices > Android > Android enrollment.
Select Corporate-owned, fully managed user devices or Corporate-owned devices with work profile, depending on your organization’s needs. We will use Corporate-owned devices with work profile:
Click + Create profile and give it a recognizable name.
For Token type you have two options: (1) Corporate-owned devices with work profile (default) and (2) Corporate-owned devices with work profile, via staging. For now we use the default; in a later post I will show the staging method, which is a nice way to pre-provision a device for your users in case you do the enrollment for them.
The ‘Device name template’ is quite extensive compared to other OS types. You can find the variables here that you can use.
Next, in the Device group section, you can add Enrollment Time Groups. Enrollment Time Groups ensure that a device is assigned to a designated Entra group as early as possible: right when it’s first recognized by Intune, even before user authentication. This enables device-targeted apps, configurations, and policies to be delivered faster and more efficiently, streamlining the provisioning experience. (In a later blog post we will discuss how to create this.)
If needed, add Scope tags, then review your settings and create the profile.
Now open the profile and copy the token code. You need this to connect KME to this particular enrollment profile (as you will see below).
Step 3: Linking KME to Intune
To enable seamless provisioning of Samsung devices, you’ll need to link Knox Mobile Enrollment (KME) with Microsoft Intune. This ensures that any device enrolled via KME is automatically configured with your Intune policies.
Start by signing in to the Samsung Knox portal. Navigate to Knox Mobile Enrollment and go to the Profiles section. From here:
Create a new MDM profile.
Give the profile at least a name and provide the Company name. It's best to fill in as much as possible, since end users can use this information.
Next, provide the EMM (MDM) information. We select 'Intune' and the URL will be filled in (this is where the device can get the Intune MDM application). The rest of the fields need to be kept off.
For DPC extra we need to provide the token code acquired in the previous step (in the enrollment profile in Intune):
Preferably disable system apps to reduce clutter in the work profile and ensure users only see the apps they need for work—needed system apps can always be added later through this system app deployment in Intune.
The setting 'Skip Additional Setup Screens After EMM Enrollment' streamlines the enrollment experience by removing Google's post-setup screens (such as Terms of Service, privacy preferences, and backup options) after the device has been enrolled into Intune via KME. By skipping these screens, devices transition more quickly and seamlessly into a fully managed state, ensuring a zero-touch experience with no unnecessary user interaction. Consider whether you want your end users to go through these setup screens during the initial enrollment or leave them accessible later via device settings. Also think about whether you want the user to see a standard disclaimer stating that they are enrolling their device for Android Enterprise use.
Decide whether you want your users to agree to a Privacy Policy, EULAs, or Terms of Service, and whether you want your devices to be provisioned with a Root and/or Intermediate certificate, for example, from your internal network.
For now, skip Dual DAR and Advanced settings; in later blog posts we will dive into these settings and what they can do for you.
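The token pasted into DPC extra in Step 3 is what ties the KME profile to the Intune enrollment profile, and it is also a credential that lets a device enroll into your tenant. As an added example (not code from the original post), this Python sketch builds, lints and redacts that value, assuming the field takes the Android Device Policy JSON form with the `com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN` key; the function names and the sample token are constructed for illustration.

```python
import json

# Key read by Android Device Policy, the DPC used for Intune Android Enterprise.
# Assumption: the KME "DPC extra" field takes JSON carrying only this key.
TOKEN_KEY = "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN"
SMART_QUOTES = "\u201c\u201d\u2018\u2019"  # curly quotes pasted from docs or chat


def build_dpc_extras(token):
    """Return the DPC extras JSON for one Intune enrollment token."""
    token = token.strip()
    if not token or any(c.isspace() for c in token):
        raise ValueError("token must be non-empty and contain no whitespace")
    return json.dumps({TOKEN_KEY: token})


def lint_dpc_extras(text):
    """Return a list of problems in a DPC extras string; empty means OK."""
    if any(q in text for q in SMART_QUOTES):
        return ["contains curly quotes; retype with straight double quotes"]
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return ["not valid JSON: " + exc.msg]
    if not isinstance(data, dict):
        return ["top level must be a JSON object"]
    problems = ["unexpected key: " + k for k in data if k != TOKEN_KEY]
    token = data.get(TOKEN_KEY)
    if not isinstance(token, str) or not token:
        problems.append("enrollment token missing or not a string")
    elif any(c.isspace() for c in token):
        problems.append("enrollment token contains whitespace")
    return problems


def redact(text):
    """Mask the token so the JSON can be attached to a ticket or change log."""
    data = json.loads(text)
    tok = str(data.get(TOKEN_KEY, ""))
    data[TOKEN_KEY] = tok[:4] + "*" * max(len(tok) - 4, 0)
    return json.dumps(data)


if __name__ == "__main__":
    sample = build_dpc_extras("EXAMPLETOKEN123456")  # constructed, not a real token
    print(lint_dpc_extras(sample))
    print(redact(sample))
```

Run the lint on the exact string you are about to paste into the Knox portal, and store only the redacted form in documentation.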
Common Challenges and Troubleshooting
Managing devices through Samsung Knox Mobile Enrollment (KME) and Microsoft Intune can streamline enterprise device deployment, but administrators may encounter several common challenges. Understanding these issues and their solutions helps maintain a smooth enrollment and management process.
Enrollment Failures
Enrollment failures in KME or Intune can occur due to incorrect device information, network restrictions, or misconfigured enrollment profiles. For KME, ensure devices are properly registered in the Knox portal with accurate serial numbers or IMEIs. For Intune, verify that the enrollment profile is correctly assigned and that devices have reliable internet connectivity during enrollment. Checking device logs and reviewing error messages often provides clues to specific enrollment errors.
Device Compliance Problems
Devices may report non-compliance in Intune due to outdated policies, conflicting configurations, or device settings that do not meet organizational standards. Administrators should review compliance policies within Intune, verify that certificates (such as Root or Intermediate) are properly installed, and ensure devices are correctly enrolled and updated. Remediating non-compliant devices might include pushing policy updates, enforcing device resets, or troubleshooting specific compliance errors.
Integrating Samsung Knox Mobile Enrollment (KME) with Microsoft Intune offers a powerful solution to streamline device deployment and simplify enterprise mobility management 📱. By automating enrollment and configuration, organizations can save time, reduce errors, and ensure consistent device compliance across their fleet.
If you haven’t already, consider implementing this integration to enhance your device management strategy and improve operational efficiency. We’d love to hear your experiences, questions, or any challenges you’ve faced.