Samsung Knox is active on Galaxy devices out of the box; enterprise features like Knox Configure need setup through the Knox Admin Portal.
The answer to how to enable Knox on Samsung depends entirely on what you’re trying to accomplish. Knox is not a feature you switch on — it is a security platform already running on supported Galaxy devices. For everyday phone owners, enabling Knox means setting up Secure Folder. For IT teams, it means activating enterprise tools like Knox Configure or Knox Mobile Enrollment through the Knox Admin Portal. This article covers both routes with the exact steps each path requires.
What Does “Enable Knox” Actually Mean?
Knox is Samsung’s hardware-backed security platform, baked into Galaxy phones at the firmware level. It cannot be installed or toggled off because it is part of how the device boots and runs. When people say they want to enable Knox, they usually mean one of two things:
- Consumer route — setting up Secure Folder, which uses Knox to create an encrypted sandbox for private files and apps
- Enterprise route — provisioning business services such as Knox Configure, Knox Manage, or Knox Mobile Enrollment through the Knox Admin Portal
Each path uses the same underlying Knox platform but serves a completely different audience. Picking the wrong one is the most common mistake, so knowing which applies to your situation is the first real step.
Enable Secure Folder On Your Galaxy Phone
Secure Folder is the most visible consumer-facing Knox feature. It creates a separate, encrypted space on your phone for photos, documents, and apps that you want to keep private. No admin portal or license is needed.
- Open Settings and tap Biometrics and security
- Tap Secure Folder, then tap Continue
- Sign in with your Samsung account when prompted
- Choose a lock method — pattern, PIN, or password — and tap Confirm
After setup, Secure Folder appears in your app drawer. You can drag apps and files into it to keep them isolated behind the lock screen you just created. This works on most Galaxy phones running Android 7.0 or later and requires no additional licensing.
Enabling Knox On Samsung: What Each Service Actually Does
The table below maps the main Knox services to their purpose, so you can tell at a glance which one matches your situation.
| Feature | Purpose | Who It Is For |
|---|---|---|
| Knox Security Platform | Built-in hardware-backed protection at boot and runtime | Every Galaxy device owner |
| Secure Folder | Encrypted sandbox for personal files and apps | Individual phone users |
| Knox Configure | Remote bulk configuration of devices straight out of the box | Enterprise IT teams |
| Knox Mobile Enrollment | Zero-touch enrollment into an EMM solution like Microsoft Intune | Enterprise IT teams |
| Knox Manage | Full MDM and application management for corporate devices | Enterprise IT teams |
| Knox Workspace | Containerized work profile on a personal device | Enterprise employees with BYOD |
| Galaxy Enterprise Edition | Devices with Knox Suite licenses preloaded at purchase | Businesses buying through Knox resellers |
If your goal is personal privacy, Secure Folder is the only option you need. If you are managing a fleet of company phones, the enterprise services are what you are after — and they all start in the same place: the Knox Admin Portal.
Enable Knox Configure In The Admin Portal
Knox Configure lets IT teams pre-configure devices before users ever turn them on. The service is not enabled by default and must be activated inside the Knox Admin Portal. Samsung’s official documentation lays out the sequence clearly.
Sign in to the Knox Admin Portal and navigate to Settings. Under SHOW/HIDE SERVICES, select KNOX CONFIGURE and click CONFIRM. The service then appears in the left navigation pane. Next, set up a license:
- Click Licenses, then ACTIONS → Get a license
- Choose Knox Configure Setup (Staggered) for setup profiles or Knox Configure Dynamic for dynamic profiles
- Click GENERATE TRIAL LICENSE to begin
Devices must be purchased through a Samsung Knox Reseller. Provide your Knox Customer ID to the reseller so they can upload devices to your console. Once devices appear, go to Devices → UPLOADS, click View, then APPROVE ALL DEVICES or APPROVE individually. Full setup details are available in Samsung’s Knox Configure setup guide.
Gate to watch: Knox Configure only works with compatible devices bought through an approved Knox reseller. Consumer-direct purchases cannot be added to a Configure profile, so verify the purchase channel before planning a rollout.
Set Up Knox Mobile Enrollment With Microsoft Intune
Knox Mobile Enrollment (KME) lets devices enroll into an EMM automatically on first boot. Microsoft Intune is one of the supported EMM solutions, and the integration requires a few specific settings.
Create a profile in the Knox Admin Portal and select Microsoft Intune as your EMM. The Knox portal marks custom JSON data as optional, but Microsoft’s documentation confirms it is required for successful Intune enrollment. The JSON payload looks like this:
{"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "enter Intune enrollment token string"}Replace the placeholder with your actual Intune enrollment token string. A QR code for enrollment is optional and can be skipped if you are using the zero-touch method. Without the custom JSON, devices will attempt enrollment but fail silently — the portal will not flag the error, so this step is easy to miss.
Gate to watch: KME requires an active Intune license and devices that have been uploaded by a Knox reseller. Consumer-purchased phones and devices from unauthorized channels cannot be enrolled through KME.
Common Knox Activation Mistakes
Several issues come up repeatedly when setting up Knox services, and most are avoidable once you know where to look.
License activation fails. The Knox console shows enough licenses, but activation still errors out. The most common cause is a mismatch between the license type and the service you are trying to enable. Verify that your console has the correct license type — Knox Manage licenses will not enable Knox Configure, and trial licenses have a limited device count that fills up fast.
Devices do not appear in the portal. If no devices show up after a reseller upload, the Knox Customer ID may not have been shared with the reseller. Provide the Customer ID found under Settings → Knox Customer ID in the Admin Portal, then ask the reseller to re-upload.
Intune enrollment stalls. Devices sit at the enrollment screen and never complete setup. The missing custom JSON with the enrollment token is almost always the cause. Double-check that the JSON key and token string are correct in the Knox profile.
Secure Folder is missing. Some Galaxy devices, particularly older budget models or phones running Android Go, do not include Secure Folder. Check the Galaxy Store for Secure Folder compatibility or use a third-party encrypted folder app as a fallback.
Common Issues And How To Fix Them
| Issue | Likely Cause | Solution |
|---|---|---|
| License activation fails | Insufficient or wrong license type | Verify license count and match type to service |
| Devices not in console | Reseller did not receive Knox Customer ID | Share Customer ID from Settings page |
| Intune enrollment fails | Custom JSON missing or incorrect | Add JSON with enrollment token string |
| Secure Folder unavailable | Device model not supported | Check Galaxy Store for compatibility |
| Portal feature not visible | Service not enabled in SHOW/HIDE SERVICES | Go to Settings and enable the service |
| Profile will not apply | Device not compatible with Knox version | Check Samsung’s device compatibility list |
| QR code enrollment stalls | EMM configuration mismatch | Verify Intune settings and re-sync |
Most activation problems fall into one of these seven categories. The console itself provides limited error detail, so checking these specific causes first saves time compared to retrying the same steps.
Picking The Right Knox Setup Path
Which route you take depends on one question: who owns the device?
- Personal phone: Open Settings, set up Secure Folder, and you are done. No portal, no license, no reseller needed. Knox is already running underneath.
- Company-owned phone: Work through the Knox Admin Portal. Enable Knox Configure or Knox Mobile Enrollment, secure a license, upload devices through an authorized reseller, and push profiles to them.
- BYOD phone: The device owner uses Secure Folder for personal privacy, while the IT team may deploy Knox Workspace or Knox Manage through the portal to create a separate work container. Both can coexist on the same phone.
Start with the simplest option that fits your situation — you can always add enterprise services later if the deployment grows.
References & Sources
- Samsung. “Knox Configure: Get started.” Official step-by-step for enabling and setting up Knox Configure in the Admin Portal.