Samsung Knox for Android Enterprise — Complete Setup
Samsung Knox adds enterprise-grade security on top of standard Android Enterprise. This guide covers the full setup from Knox licence registration to policy deployment via Intune.
Knox Licensing Options
Samsung offers several Knox products. For Intune-managed environments, Knox Platform for Enterprise (KPE) is the add-on that unlocks advanced controls within your existing MDM. Knox Suite bundles KPE, Knox Configure, and Knox E-FOTA.
- KPE can be purchased from Samsung Knox Portal and integrated with Intune — no need to switch MDMs
- Knox E-FOTA gives you control over firmware updates — essential for preventing unexpected OS upgrades in production environments
- Knox Configure allows device pre-configuration before devices reach users
Setting Up Knox Platform for Enterprise with Intune
- Purchase KPE licences from Samsung Knox Portal (knox.samsung.com)
- In Knox Portal: Knox Suite → Licences → Generate licence key
- In Intune: Devices → Android → Android enrolment → Samsung Knox Mobile Enrolment
- Add the KPE licence key to Intune under Device Configuration → OEMConfig
- Deploy a Samsung Knox OEMConfig profile to your Samsung device groups
- Verify Knox features are enabled by checking the device in Knox Portal
Essential Knox Policies via Intune
Once KPE is active, you can push Samsung-specific policies that go beyond standard Android Enterprise.
- Disable USB data transfer while allowing charging — protects against data exfiltration via USB
- Enable Real-time Kernel Protection (RKP) — hardware-level protection against kernel exploits
- Configure Knox Container (Dual Data at Rest) for devices handling highly sensitive data
- Use Knox E-FOTA policy to schedule firmware updates during maintenance windows only
Fully Managed vs Work Profile
Choose your enrolment mode carefully — it affects the user experience and your management capabilities.
- Fully Managed (COBO): IT owns everything on the device. Best for dedicated devices, kiosks, field workers.
- Work Profile (BYOD): Personal and work apps are separated. Users keep personal data private.
- Corporate-Owned Work Profile (COPE): The company owns the device but maintains work/personal separation.
- Use Knox Configure for zero-touch provisioning of fully managed devices in bulk deployments.