How to easily enroll Android Corporate with Work profile devices with Microsoft Intune and Samsung Knox ME

Since last year Microsoft Intune supports Android Enterprise corporate-owned devices with a work profile, also known as Corporate-owned, personally enabled (COPE) devices (at the moment of writing still in preview in Intune). This is the equivalent of the personally owned devices with work profile for the BYOD scenario, but this management option is for corporate-owned devices. The full device is managed with Intune, but personal and corporate apps and data are separated.

Android COPE with Intune can be combined with Samsung Knox Mobile Enrollment (KME) for easy deployment of the corporate-owned devices. With Samsung KME, vendors register the purchased Android devices in the Samsung portal. Here the IT admin creates an MDM profile, in this case for Intune, and assigns the profile to the devices. When the user starts the device out of the box, it checks in to the Samsung services, receives the settings to enroll the device in the MDM, and starts an easy enrollment process.

In this article, I describe how the configuration is done with Microsoft Intune and Samsung Knox. And we also have a look at the end-experience.

Registration of a device can also be done manually as I described in this previous article.

In this article, I only describe the enrollment part for Android COPE. If you want to read a more in-depth article on COPE, read this article.

Create COPE enrollment profile

For this article, I assume you have already connected your Google Play account with Microsoft Intune.

We first create an Android COPE enrollment profile, to get an enrollment token, which we need later in our Samsung KME enrollment profile.

• Sign-in to the Endpoint Manager admin center
• Browse to Devices – Android
• Browse to Android enrollment
• Click on Corporate-owned devices with work profile

• Click Create profile

• Give the enrollment profile a Name
• Enter a Description(Optional)
• Click Next

• Review the information
• Click Create

Open the Token tab after the profile is created.
The token we find here is needed later when we create the MDM profile in the Samsung portal.

Setup Samsung Knox Mobile Enrollment

To use Samsung Knox Mobile Enrollment we need to create an account, this can be done on this site.

Sign-in to the Samsung Knox portal.
There are several Knox solutions, but we are now interested in Knox Mobile Enrollment.
Click Launch under KME.

1. Check I have read and agree…
2. Click Submit application

Now the waiting starts to get your account approved. It might take a couple of hours before your account is approved and sometimes it even might takes days.

When registration is finished, sign-in again to the Knox portal. When you launch the KME portal, answer the question to get started.

• Browse to the MDM Profiles tab
• Click Create profile on the right

• Select Android Enterprise as profile type

1. Give the enrollment profile a Name
2. Give the profile a Description (optional)
3. Choose Force Device Owner enrollment
4. Pick Microsoft Intune as MDM provider
5. The MDM Agent APK URL is pre-filled
6. Click Continue

• Enter this custom JSON

{"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN":"Enter Intune enrollment token string"}

Replace Enter Intune enrollment token string with the token from the Android COPE profile as created in Intune.

• Make your choice for the System applications
• Enter the Company Name
• Click Create

If you want your vendor (reseller) to register your Samsung devices in Knox, this can be done on the Reseller tab.
When you register a reseller, you can also assign a default profile to these registered devices.

Everything is in-place to start our first enrollment.

End-user experience

Enrollment with Samsung Knox Mobile Enrollment is done out of the box or after a factory reset. As soon as an internet connection is detected, the Knox Enrollment Service is updated.

Click Accept & Continue.

The enrollment is started.

The user is informed the device isn’t private.
Click Next.

A Work profile is created.

Click Done.

Enter your username and password for authentication.

Setting up device….

The following screens might differ, based on (compliance) settings applied to the device.

First, we need to set a screen lock.
Click Set up.

Enter a PIN code as screen lock.

Next, we need to enable secure startup for device encryption.
Click Start.

Select Secure startup.

Select Require PIN when device turns on.
Click Apply.

Next, the work apps are installed.
Click Install.

When the apps are installed, click Next.

Time to register the device.
Click Set up.

Click Sign in.

Enter your password and click Sign in.

Click Register.

Click Done.

To set up the personal section of the device, for example to install apps, you’re asked to provide a personal (Gmail) account.
Click Next.

Provide your account details, create a personal account or skip adding a personal account.

The enrollment is finished!

We have a personal section on the device, with personal apps and data.

And we have a work section, with our work apps and data.

In the Work section, we find the Intune app. Here you find your device, with compliance state.

That’s it for this post. Thanks for reading!