Sign in to the Samsung KNOX console → KNOX Mobile Enrollment.
Select the MDM profiles section.
Click Add.
The New KNOX MDM Profile Wizard starts.
At the MDM server connection step, select Server URI is not required for my MDM service and click Next.
At the MDM profile info step:
1. Enter general information about the KNOX MDM profile: Profile name and Description.
2. Click the Add MDM apps button and enter the path to the APK installation file.
  The installation file for Kaspersky Endpoint Security for Android is included in the Kaspersky Secure Mobility Management distribution kit. Beforehand, place the APK installation file on the Kaspersky Security Center Web Server or on another server that is accessible for downloading from the device.
3. Enter the settings for connecting the device to Kaspersky Security Center in the JSON user data field in the following format: {"serverAddress":"ksc.server.com","serverPort":"12345","groupName":"MOBILE GROUP"}.
  The device must be connected to Kaspersky Security Center to activate the app, configure the device, and send commands.
4. Select the Add Knox agreements check box.
  To install Kaspersky Endpoint Security for Android via KNOX Mobile Enrollment, the mobile device user must accept the terms of the Samsung License Agreement. You can view the terms of the Samsung License Agreement in the section named End User License Agreements, Terms of Service, and User Agreements. You can also add other legal documents of your company that are necessary for deploying a KNOX MDM profile by clicking the Add user agreement button.
5. Clear the Bind Knox license to this profile check box.
  Samsung KNOX license information is delivered to the mobile device together with the policy when the device is synchronized with Kaspersky Security Center.
Click the Save button.

As a result, the new KNOX MDM profile with the Kaspersky Endpoint Security for Android app will be added to the list in the KME console.

Page top

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Adding devices in KNOX Mobile Enrollment

Devices can be added in the KNOX Mobile Enrollment (KME) console in the following ways:

The vendor automatically adds devices in the KME console after the devices are purchased.
Select this method if your organization is working with an official vendor of Samsung devices.
The administrator installs the KNOX Deployment app from Google Play on their mobile device and migrates the KNOX MDM profile to users' devices using Bluetooth, NFC (Near Field Communication), or a QR code. After deployment of the KNOX MDM profile, the device will be automatically added in the KME console.
Select this method if the Samsung devices were not purchased from an official vendor.

Adding a device through the vendor

An official vendor of Samsung devices is registered in Samsung KNOX. For the list of official vendors, visit the Samsung technical support website. The vendor automatically adds devices in the KME console for your Samsung account immediately after the devices are purchased. To have the devices added by the vendor, you must register the vendor in the KME console for your Samsung account. You will need a reseller ID to add the vendor of Samsung devices in the KME console. To receive the reseller ID, you must send a request to the vendor. In the request, specify your KNOX client ID.

To view your KNOX client ID:

Sign in to the Samsung KNOX console → KNOX Mobile Enrollment.
Select the Resellers section.
Your ID is displayed in the KNOX client ID field.

After you receive a response from the vendor with the reseller ID, register the vendor in the KME console. Prior to registering the vendor, you can create a KNOX MDM profile so that the profile can be automatically deployed when adding new devices.

To register an official vendor in the KME console:

Sign in to the Samsung KNOX console → KNOX Mobile Enrollment.
Select the Resellers section.
Click the Register reseller button.
This opens a window for registering the device vendor.
In the Reseller ID field, enter the ID received from the official vendor of Samsung devices.
If you created a KNOX MDM profile, select the KNOX MDM profile in the vendor registration window.
When you add new devices, the KNOX MDM profile is automatically installed.
In the Preferred download confirmation method list, select a method for confirming the addition of a device for a vendor.
- All downloads must be confirmed. When a device is added by the vendor, you will need to confirm the operation.
- Automatically confirm all downloads of this reseller. Devices of the vendor will be automatically added in the KME console.
Click OK.

The vendor of Samsung devices will be added to the list of vendors in the KME console.

After new devices are purchased from the official vendor, the Kaspersky Endpoint Security for Android app will be automatically installed to the devices after the devices are connected to the internet. For more details about working with KNOX Mobile Enrollment, please refer to the KNOX Mobile Enrollment User Guide. If you already have a list of devices in the KME console, add the KNOX MDM profile with the KNOX MDM app to the device.

To deliver a KNOX MDM profile to devices:

Sign in to the Samsung KNOX console → KNOX Mobile Enrollment.
Select Devices → All devices.
Select the devices on which you want to install the KNOX MDM profile.
Click the Configure button.
The Device info window opens.
In the MDM profile list, select the KNOX MDM profile with the Kaspersky Endpoint Security for Android app.
In the Tags field, enter tags for grouping and labeling devices, and for search optimization in the KME console.
Enter the user account credentials of the device into the User ID and Password fields.
Account credentials are required for receiving a mobile certificate. The user ID and password must match the user account credentials in Kaspersky Security Center (Full name and Password in user account properties).
Select the KNOX MDM profile for the remaining devices.
Click the Save button.

After the device is connected to the internet, the user will be prompted to install the KNOX MDM profile.

Adding a device through the KNOX Deployment app

If you did not purchase your Samsung device from an official vendor, you can add the device to KNOX Mobile Enrollment using Bluetooth, NFC, or a QR code. This will require the administrator's mobile device that will be used to deliver KNOX MDM profiles to users' mobile devices.

To add devices using the KNOX Deployment app, the following conditions must be met:

Depending on the selected delivery mode, Bluetooth or NFC modules must be enabled on the mobile devices.
The mobile devices must be connected to the internet.

To deliver a KNOX MDM profile using the KNOX Deployment app:

Install the KNOX Deployment app from Google Play on the administrator's mobile device.
Start the KNOX Deployment app.
Enter your Samsung account credentials.
In the KNOX Deployment window, configure the settings for deploying a KNOX MDM profile:
- Select the KNOX MDM profile.
- Select the deployment mode: Bluetooth or NFC.
  When using Bluetooth, you can add a KNOX MDM profile to several devices at the same time.
Click Start deployment:
- Bluetooth. On the user's mobile device, open the website https://configure.samsungknox.com.
  This starts the Samsung KNOX Device Registration Wizard. Follow the instructions on the screen.
  
  After the KNOX MDM profile is installed, the new device with the Bluetooth tag will be added in the KME console.
- NFC. Bring the administrator's mobile device close to the user's mobile device and transfer the KNOX MDM profile.
  On the user's mobile device, there will be a prompt to install the KNOX MDM profile. The new device with the NFC tag will be added in the KME console.

Page top

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Installing the app

Prior to installing the Kaspersky Endpoint Security for Android app, issue a mobile certificate for mobile device users in the Kaspersky Security Center Administration Console. A mobile certificate is required for identifying the mobile device user in the Kaspersky Security Center Administration Console.

After deployment of the KNOX MDM profile is started, the APK installation file will be automatically downloaded on the mobile device. Installation of the Kaspersky Endpoint Security for Android app is started automatically. The user must accept the Samsung KNOX License Agreement and the Kaspersky Endpoint Security for Android License Agreement. No additional configuration of the app is required. After the app is installed, synchronization with Kaspersky Security Center will be performed automatically. The mobile device will be added to the Kaspersky Security Center Administration Console to the administration group specified in the KNOX MDM profile settings (groupName).

Page top

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring KNOX containers

This section contains information about working with KNOX containers on Samsung devices running Android.

Use of KNOX containers is available only on Samsung devices running Android version 6 or later.

In this section

About KNOX containers

Activating Samsung KNOX

Configuring Firewall in KNOX

Configuring an Exchange mailbox in KNOX

Page top

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

About KNOX containers

A KNOX container is a safe environment on a user's device that has its own desktop, launch panel, apps, and widgets. A KNOX container lets you isolate corporate apps and data from personal apps and data. A KNOX container is a component of the Samsung KNOX mobile solution.

Samsung KNOX is a mobile solution for configuring and protecting Samsung mobile devices running the Android operating system. For more details about Samsung KNOX, please visit the Samsung technical support website.

KNOX containers let you separate personal and corporate data on a mobile device. For example, it is impossible to use a personal mailbox to send a file that is located in a KNOX container. It is recommended to deploy a KNOX container if personal mobile devices of employees are used for working with corporate data.

To use KNOX containers, you must activate Samsung KNOX. After synchronizing a device with Kaspersky Security Center, the user of the mobile device will be prompted to install the KNOX container. Before installing the KNOX container, the user must accept the terms of the End User License Agreement from Samsung.

After installing the KNOX container, the KNOX icon KSM_knox_icon will be added to the desktop of the mobile device. Or the workspace will be added to the app list on the mobile device. To work with corporate data, the user needs to start the app from KNOX container.

Kaspersky Endpoint Security for Android is not installed to the KNOX container and does not protect corporate data. Kaspersky Endpoint Security for Android does not detect the downloading of malicious files and block malicious sites in the KNOX container. You cannot control app launch or prohibit the use of the camera in the KNOX container. Kaspersky Endpoint Security for Android protects private data only. You can protect corporate data with the Samsung KNOX tools. For more details about Samsung KNOX, please visit the Samsung technical support website.

Page top

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Activating Samsung KNOX

To use a KNOX container on the user's mobile device, you must activate Samsung KNOX. The procedure of activating Samsung KNOX depends on the Kaspersky Endpoint Security for Android version installed on your users' devices:

If the current version of Kaspersky Endpoint Security for Android is installed on the devices, you do not need any keys to activate Samsung KNOX.
If an old version Kaspersky Endpoint Security for Android (10.8.3.174 or earlier) is installed on the devices, you need to obtain a KNOX License Manager key (hereinafter referred to as a KLM key) from Samsung. A KNOX License Manager key is a unique code that is used by the Samsung KNOX licensing system. For detailed information about a KLM key, please refer to the Samsung KNOX Technical Support website.

Use of KNOX containers is possible only on Samsung devices.

To activate Samsung KNOX:

In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
In the workspace of the group, select the Policies tab.
Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
In the policy Properties window, select the Manage Samsung KNOX → KNOX containers section.
In the KNOX License Manager key field, specify the following:
- If the current version of Kaspersky Endpoint Security for Android is installed on the devices, type any character.
- If an old version Kaspersky Endpoint Security for Android (10.8.3.174 or earlier) is installed on the devices, enter the KLM key received from Samsung.
Set the Lock attribute in the locked position .
Click the Apply button to save the changes you have made.

Samsung KNOX will be activated after the next device synchronization with Kaspersky Security Center. The user will be prompted to accept the terms of the End User License Agreement from Samsung and install the KNOX container.

To deactivate Samsung KNOX:

In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
In the workspace of the group, select the Policies tab.
Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
In the policy Properties window, select the Manage Samsung KNOX → KNOX containers section.
Clear the KNOX License Manager key field value.
Click the Apply button to save the changes you have made.

Samsung KNOX will be deactivated after the next device synchronization with Kaspersky Security Center. Access to the KNOX container will be blocked.

Samsung KNOX limitations

Use of KNOX containers is available only on Samsung devices.
On Samsung devices that support KNOX 2.6, 2.7 and 2.7.1, Web Protection and App Control do not work in a KNOX container. This issue is related to the lack of required permissions in the KNOX container (Accessibility service). On devices that support KNOX 2.8 or later, all components of the app operate without limitations.
Kaspersky Endpoint Security for Android versions prior to Service Pack 4 Maintenance Release 3 Update 2 may work unstable on Samsung Android 10 devices due to Samsung KNOX updates. It is recommended to update Kaspersky Endpoint Security for Android to Service Pack 4 Maintenance Release 3 Update 2 version.

Page top

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring Firewall in KNOX

You should configure the Firewall settings to monitor network connections in a KNOX container.

To configure Firewall in a KNOX container:

In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
In the workspace of the group, select the Policies tab.
Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
In the policy Properties window, select the Manage Samsung KNOX → KNOX containers section.
In the Firewall window, click Configure.
The Firewall window opens.
Select the Firewall mode:
- To allow all inbound and outbound connections, move the slider to Allow all.
- To block all network activity except that of apps on the list of exclusions, move the slider up to Block all but exceptions.
If you have set the Firewall mode to Block all but exceptions, create a list of exclusions:
1. Click Add.
  This opens the Exclusion for Firewall window.
2. In the App name field, enter the name of the mobile app.
3. In the Package name field, enter the system name of the mobile app package (for example, com.mobileapp.example).
4. Click OK.
Click the Apply button to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Page top

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring an Exchange mailbox in KNOX

To work with corporate mail, contacts, and the calendar in a KNOX container, you should configure the Exchange mailbox settings (available only on Android 9 and earlier).

To configure an Exchange mailbox in a KNOX container:

In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
In the workspace of the group, select the Policies tab.
Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
In the policy Properties window, select the Manage Samsung KNOX → KNOX containers section.
In the Exchange ActiveSync window, click the Configure button.
The Exchange mail server settings window opens.
In the Server address field, enter the IP address or DNS name of the server hosting the mail server.
In the Domain field, enter the name of the mobile device user's domain on the corporate network.
In the Synchronization interval drop-down list, select the desired interval for mobile device synchronization with the Microsoft Exchange server.
To use the SSL (Secure Sockets Layer) data transport protocol, select the Use SSL connection check box.
To use digital certificates to protect data transfer between the mobile device and the Microsoft Exchange server, select the Verify server certificate check box.
Click the Apply button to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Page top

Kaspersky Secure Mobility Management

Contents

Samsung KNOX

Installation of the Kaspersky Endpoint Security for Android app via KNOX Mobile Enrollment

Creating a KNOX MDM profile

Adding devices in KNOX Mobile Enrollment

Installing the app

Configuring KNOX containers

About KNOX containers

Activating Samsung KNOX

Configuring Firewall in KNOX

Configuring an Exchange mailbox in KNOX