Configuring policies by device platform

Specify the policies for device controls, such as the security policy or application policy. After specifying the policies, you can directly apply the profile to the assigned organization or group.
To add policies to a profile, complete the following steps:
  1. Navigate to Profile.
  2. On the “Profile” page, click the name of the profile to configure policies for.
  • You can also click Save & Set Policy to save the profile information and proceed with configuring the profile details when adding a profile.
  3. On the “Profile Detail” page, click Modify Policy.
  4. Configure the policy details by device platform. Each device platform has different groups of policies.
  5. Click Apply to apply the policy to devices.
  • Click Assign to assign the policy to a group or organization.

Configuring Android Enterprise Policies

Create a profile and register policies for Android Enterprise devices.
Knox Manage supports three types of Android Enterprise: Fully Managed, Work Profile, and Fully Managed with Work Profile.
Type | Description
Fully Managed | Controls the whole device.
Work Profile | Controls only designated work areas.
Fully Managed with Work Profile | Controls both the personal and work areas and applies different policies to each of them.
Note
  • The Fully Managed with Work Profile type is supported only on devices running Android 8.0 (Oreo) or higher.
  • Some policies support only Samsung Galaxy devices.
You can configure the policies below for Android Enterprise devices. The availability of each policy varies depending on the enrollment type and the OS version.
  • Provides backup and restore settings and other features. Updates the operating system on a device.
  • Controls the network settings, such as Bluetooth, Wi-Fi Direct, and tethering.
  • Configures the security settings, such as the password and lock screen.
  • Configures Kiosk applications on a Kiosk device and controls the device settings.
  • Configures options for application controls such as installation, verification, and permission.
  • Allows the use of GPS or collecting location data from a device.
  • Configures the phone settings, such as airplane mode, the microphone settings, and the cellular network settings.
  • Allows data transfers within the Work Profile or with other devices.
  • Configures the security policy to prevent the unauthorized use of a device after a factory reset.
  • Configures the Wi-Fi settings, such as SSID, security type, and proxy.
  • Configures a VPN (Virtual Private Network) on Android Enterprise devices.
  • Configures the bookmark settings, such as the configuration ID and installation area.
  • Allows using new certificate authority (CA) certificates and configuring the certificate settings.

System

Fully Managed will be referred to as DO (Device Owner).
Work Profile will be referred to as PO (Profile Owner).
Policy
Description
Supported devices
User Certificate Settings
Allows the setting of user certificates.
DO/PO: Android 4.3 or higher
Camera
Allows using the camera.
Note
If the device is activated as a Work Profile, the camera function only in the Work Profile will be controlled.
DO: Android 4.0 or higher, Samsung Knox 1.0 or higher
PO: Android 5.0 or higher
Screen capture
Allows use of the screen capture function, which is already set as default.
DO: Samsung Knox 1.0 or higher
PO: Android 5.0 or higher
Account Modification
Allows modification (add/delete) of the accounts added for each application.
  • Disallow: Disallows adding or deleting users even if the Add/Delete User policies are allowed.
DO/PO: Android 4.3 or higher
> Account Blacklist
Add specific account types to the blacklist so that they cannot be added on the device (Settings > Accounts and backup > Accounts).
Specify the correct account name to block. For instance, enter com.google.android.gm.pop3 for a Gmail (pop3) account.
Note
Here are the account names of the applications that are mainly used:
Application | Package name | Account name
Google Play Service | com.google.android.gms | com.google
Google Play Service | com.google.android.gms | com.google.android.gms.matchstick
Gmail | com.google.android.gm | com.google.android.gm.pop3
Gmail | com.google.android.gm | com.google.android.gm.exchange
Gmail | com.google.android.gm | com.google.android.gm.legacyimap
Samsung Experience Service | com.samsung.android.mobileservice | com.osp.app.signin
Samsung Experience Service | com.samsung.android.mobileservice | com.samsung.android.coreapps
Samsung Experience Service | com.samsung.android.mobileservice | com.samsung.android.mobileservice
Duo | com.google.android.apps.tachyon | com.google.android.apps.tachyon
NAVER | com.nhn.android.search | com.nhn.android.naveraccount
Facebook | com.facebook.katana | com.facebook.auth.login
Outlook | com.microsoft.office.outlook | com.microsoft.office.outlook.USER_ACCOUNT
OneDrive | com.microsoft.skydrive | com.microsoft.skydrive
DO/PO: Android 5.0
VPN Setting
Allows the user to configure the VPN settings on the device.
DO: Android 5.0 or higher
PO: Android 7.0 or higher
Add User
Allows adding new users on the device.
DO: Android 5.0 or higher
Delete User
Allows deleting the added users.
DO: Android 4.3 or higher
Safe mode
Allows using Safe Mode. This policy retains device control functions such as camera control, but not Knox Manage applications and preloaded applications.
DO: Android 6.0 or higher, Samsung Knox 1.0 or higher
Change wallpaper
Allows changing the home and lock screens.
DO: Android 7.0 or higher, Samsung Knox 1.0 or higher
External SD card
Allows using the external SD card.
DO: Android 4.0 or higher, Samsung Knox 1.0 or higher
> Write to external SD card
Allows writing to an external SD card.
Note
If the external SD card policy is allowed but the Write to external SD card policy is not, then external SD cards can only be read and do not have reset control.
DO: Samsung Knox 1.0 or higher
Factory reset
Allows a device factory reset.
DO: Android 5.0 or higher, Samsung Knox 1.0 or higher
S Beam
Allows using Android Beam which transfers data via NFC.
Note
Android 10 (Q) or higher devices are not supported.
DO: Android 5.0 or higher, Samsung Knox 1.0 or higher
Create Window
Allows a window to be created and launched at the top when users use a multi-window transformed into a pop-up window or a split screen mode on the device.
DO: Android 5.0 or higher
Easter Egg
Allows executing the Easter Egg games on devices with specific actions.
DO: Android 6.0 or higher
Brightness Setting
Allows changing of the screen brightness level.
DO: Android 9.0 or higher
AOD
Allows the always on display feature that displays brief information on the lock screen, such as notifications or time.
DO: Android 9.0 or higher
System Error Screen
Allows an error dialog to be displayed when an application shuts down abnormally.
DO: Android 9.0 or higher
If compromised OS is detected
Select a measure to take when a compromised OS is detected.
  • Lock device: Locks the device.
  • Lock Email: Locks email use.
  • Factory reset + Initialize SD card: Simultaneously factory resets the user device and the SD card.
  • Factory reset: Resets the user device but not the SD card.
Note
The factory reset (only) function is unsupported in Android 2.0 or lower. To reset the device, select the Factory reset + Initialize SD card option.
DO: Android 1.0 or higher
Set Notifications from an event to On.
Set the device to display a notification when a device control event is applied.
  • User defined: Users can set event notifications on the device from the Settings menu of the Knox Manage Agent.
  • Show notification: Displays the notification when an event for device control is applied.
  • Hide notifications: Hides the notification when an event for device control is applied.
DO: Android 1.0 or higher, Samsung Knox 1.0 or higher
Set Notifications from an event to Off.
Set the device to display a notification when an event for device control is disengaged.
  • User Defined: Users can set event notifications on the device from the Settings menu of the Knox Manage Agent.
  • Show notification: Displays a notification when an event for device control is disengaged.
  • Hide notifications: Hides a notification when an event for device control is disengaged.
DO: Android 1.0 or higher, Samsung Knox 1.0 or higher
Fix Event Notification
Set the removal of notifications from the device Quick panel.
  • User Defined: Users can remove notification on the device from the settings menu of Knox Manage Agent.
  • Disallow to Remove Notification: Users cannot remove notifications on the device Quick Panel.
  • Allow to Remove Notification: Users can remove notifications on the device Quick Panel.
DO: Android 1.0 or higher, Samsung Knox 1.0 or higher
Encryption for storage
Specifies the encryption of the device’s internal storage or the external SD card.
DO: Android 4.1 or higher, Samsung Knox 1.0 or higher
> Storage encryption
Check the checkbox to select the storage to be encrypted.
Note
External SD card encryption is applicable to Samsung Galaxy devices only.
NTP Settings
Allows using the NTP (Network Time Protocol) server. Register this server to sync the server time to a device.
> Server address
Enter the NTP server address.
DO: Samsung Knox 2.5 or higher
> Maximum number of attempts
Set the maximum number of attempts for connecting to the NTP server to retrieve the time information.
The value can be between 0 – 100 attempts.
DO: Samsung Knox 2.5 or higher
> Polling cycles (hr)
Set the cycle to reconnect to the server via NTP.
The value can be between 0 – 8760 hours (8760 hours = 1 year).
DO: Samsung Knox 2.5 or higher
> Short polling cycle (sec)
Set the cycle to re-connect to the NTP server after experiencing a timeout.
The value can be between 0 – 1000 seconds.
DO: Samsung Knox 2.5 or higher
> Timeout (sec)
Set the connection timeout on the NTP server.
The value can be between 0 – 1000 seconds.
DO: Samsung Knox 2.5 or higher
Automatic Date and Time
Allows changing the date and time settings.
DO: Android 5.0 or higher
Select Time Zone
Allows selecting a time zone to apply for the device.
Note
If you enable this policy, the Automatic Date and Time policy will be allowed.
DO: Android 5.0 or higher, Samsung Knox 1.0 or higher
> Time Zone
Select a time zone from the list.
Language Setting
Allows the language setting policy.
DO: Android 9.0
Location Setting
Allows users to change the Location settings.
  • Disallow: Users cannot change the on/off setting of the device location.
DO: Android 9.0
Backup
Allows backup of the device data.
Note
If the backup function can be found on your device at Google > Backup, it may seem possible to turn the backup setting on or off, even if this policy is set to Disallow. However, the functionality of backup is prohibited, regardless of mobile UI, when the Backup policy is set to Disallow.
DO: Android 8.0 or higher

Interface

Fully Managed will be referred to as DO (Device Owner).
Work Profile will be referred to as PO (Profile Owner).
Policy
Description
Supported devices
Printing
Allows the printing function.
DO/PO: Android 9.0 or higher
Autofill Service
Allows auto-completion of information that you enter on websites in the Android browser.
DO/PO: Android 8.0 or higher
Network Reset
Allows the network usage reset function on a set date.
Note
For Android 7.0 or lower devices, this applies to Samsung devices (Knox 1.0+) only.
DO: Android 6.0 or higher
Mobile Network Setting
Allows configuring the mobile network settings.
DO: Android 5.0 or higher
Allow Wi-Fi Change
Allows changing the Wi-Fi Settings.
DO: Android 4.3 or higher
Wi-Fi
Allows using Wi-Fi. If the Wi-Fi policy has not been applied successfully, the device will try to apply it again 30 minutes after Knox Manage is activated.
  • Allow: Allows using Wi-Fi
  • Disable On: Disallows turning Wi-Fi on. It is turned off at all times.
  • Disable Off: Disallows turning Wi-Fi off. It is turned on at all times.
DO: Android 1.0 or higher, Samsung Knox 1.0 or higher
> Wi-Fi Direct
Allows use of the Wi-Fi Direct (Wi-Fi P2P) connection.
Note
  • Set the Wi-Fi policy to Allow or Disable Off before using this policy.
  • The direct connection of the two devices may cause the device function or the menu to be controlled, depending on the device type.
DO: Samsung Knox 1.0 or higher
Tethering Setting
Allows tethering settings.
DO: Android 5.0 or higher
Bluetooth
Allows using Bluetooth.
  • Allow: Allows turning Bluetooth on.
  • Disable On: Disallows turning Bluetooth on.
DO: Android 8.0 or higher, Samsung Knox 1.0 or higher
> Desktop PC connection
Allows PC connection with the user’s device via Bluetooth.
DO: Samsung Knox 1.0 or higher
> Data transfer
Allows data exchanges with other devices via Bluetooth connection.
DO: Samsung Knox 1.0 or higher
> Search mode
Allows device search mode.
DO: Samsung Knox 1.0 or higher
Bluetooth Setting
Specifies the controls for the Bluetooth use.
DO: Android 4.3 or higher
Bluetooth Share
Allows Bluetooth sharing.
DO: Android 8.0 or higher
PC connection
Allows connecting the user’s device to a PC.
DO: Android 4.3 or higher, Samsung Knox 1.0 or higher

Security

Fully Managed will be referred to as DO (Device Owner).
Work Profile will be referred to as PO (Profile Owner).
Policy
Description
Supported devices
Device Password
Set the password for the device screen lock. Use of the camera is prohibited when the device is screen locked.
The password can be applied to the following areas.
  • Fully Managed: The whole device area for Fully Managed (DO) devices, or personal area for Fully Managed with Work Profile devices.
  • Work Profile: The personal area of Work Profile (PO) devices. If you want to configure the password policy for a Work Profile container, navigate to Security > Work profile password.
Note
  • For the Fully Managed (DO) type and the Fully Managed with Work Profile type, if the strength of the screen lock password of the device is lower than the device policy, the device will be locked through the Lock Task mode. The users of the devices will not be able to use any other functions until the password is configured.
  • If the device is using a One Lock password and the policy for the personal area and work area have been configured differently, the stronger password policy will be applied.
> Minimum strength
Set the minimum password strength on the screen.
  • Weak Biometric: Set the password using a low-security biometric recognition method.
  • Pattern: Set the password using a pattern or a password with a higher degree of complexity.
  • Numeric: Set the password using numbers or a password with a higher degree of complexity.
  • Numeric Complex: Set the password containing at least numeric characters with no repeating (4444) or ordered (1234, 4321, 2468) sequences.
  • Alphabetic: Set the password containing at least alphabetic (or other symbol) characters.
  • Alphanumeric: Set the password using alphanumeric characters or a password with a higher degree of complexity.
  • Complex: Set it so that the passwords must include alphanumeric and special characters.
Note
The password strength increases in the following ascending order: Weak Biometric < Pattern < Numeric < Numeric Complex < Alphabetic < Alphanumeric < Complex.
DO: Android 2.2 or higher, Samsung Knox 2.0 or higher
PO: Android 7.0 or higher
>> Minimum length
Set the minimum length of the password.
The value can be between 4 - 16 characters for Numeric or Alphanumeric.
The value can be between 6 - 16 characters for Complex.
Note
Minimum length of the pattern password refers to the number of lines connecting each dot. For example, if the policy value is 4, at least four lines connecting five dots must be entered.
DO: Android 2.2 or higher, Samsung Knox 2.0 or higher
PO: Android 7.0 or higher
>> Minimum number of letters
Set the minimum number of letters required in the password.
The value can be between 1 - 10 characters.
DO: Android 3.0 or higher
PO: Android 7.0 or higher
>> Minimum number of non-letters
Set the minimum number of numeric and special characters required in the password.
The value can be between 1 - 10 characters.
DO: Android 3.0 or higher
PO: Android 7.0 or higher
>> Minimum number of lowercase letters
Set the minimum number of lowercase letters required in the password.
The value can be between 1 - 10 characters.
DO: Android 3.0 or higher
PO: Android 7.0 or higher
>> Minimum number of capital letters
Set the minimum number of uppercase letters required in the password.
The value can be between 1 - 10 characters.
DO: Android 3.0 or higher
PO: Android 7.0 or higher
>> Minimum number of numeric characters
Set the minimum number of numeric characters required in the password.
The value can be between 1 - 10 characters.
DO: Android 3.0 or higher
PO: Android 7.0 or higher
>> Minimum number of special characters
Set the minimum number of special characters required in the password.
The value can be between 1 - 10 characters.
DO: Android 3.0 or higher
PO: Android 7.0 or higher
>> Manage password history (times)
Set the minimum number of new passwords that must be used before a user can reuse the previous password.
The value can be between 0 - 10 times.
Note
If the password is ‘Knox123!’ and the minimum value is set as 10, the user must use ten other passwords before reusing ‘Knox123!’ as password.
DO: Android 3.0 or higher, Samsung Knox 1.0 or higher
PO: Android 7.0 or higher
>> Expiration after (days)
Set the maximum number of days before passwords must be reset.
The value can be between 0 - 365 days.
DO: Android 3.0 or higher, Samsung Knox 1.0 or higher
PO: Android 7.0 or higher
>> Maximum Failed Login Attempts
Set the maximum number of incorrect password attempts before access is restricted.
You can set this only when Numeric, Alphanumeric, or Complex is selected.
The value can be between 0 - 10 times.
DO: Android 2.2 or higher, Samsung Knox 2.0 or higher
>>> If maximum failed login attempts exceeded
Select the action to be performed when the maximum number of failed attempts is reached.
For the Fully Managed (DO) type:
  • Lock device: Locks the device.
  • Factory reset + Initialize SD card: Simultaneously resets the user device and the SD card.
  • Factory reset: Resets the user device but not the SD card.
For the Work Profile (PO) type:
  • Work Profile removal: Deletes the Work Profile container.
DO: Android 2.2 or higher, Samsung Knox 2.0 or higher
PO: Android 7.0 or higher
>> Screen lock timeout (min)
Set the duration for locking the device when the user has not set up a password for the screen lock.
The value can be between 0 - 60 minutes.
DO: Samsung Knox 1.0 or higher
>> Maximum length of sequential numbers
Set the maximum number of consecutive numeric characters allowed in a password.
The value can be between 1 - 10 words.
DO: Samsung Knox 1.0 or higher
>> Maximum length of sequential characters
Set the number of consecutive letters allowed in a password.
The value can be between 1 - 10 words.
DO: Samsung Knox 1.0 or higher
Block function setting on lock screen
Allows blocking functions on the lock screen.
Note
The visibility of the notifications on the lock screen depends on the options you set in the application.
> Block functions on lock screen
Select the functions to be blocked on the lock screen when a password policy is set on a device.
For the Fully Managed (DO) type:
  • All: Blocks all functions on the lock screen.
  • Camera: Blocks direct camera control on lock screen.
  • Trust Agent: Blocks the Smart Lock function which automatically unlocks the screen in certain conditions, such as during a certain physical activity, at a specific location, or when devices are added.
  • Fingerprint: Blocks the fingerprint unlock function.
  • Previews in pop-ups: Displays notifications on the lock screen but hides private content set in the application.
  • Notifications: Hides all notifications on the lock screen.
For the Work Profile (PO) type:
  • Trust Agent: Blocks the Smart Lock function which automatically unlocks the screen in certain conditions, such as during a certain physical activity, at a specific location, or when certain devices are added.
  • Fingerprint: Blocks the fingerprint screen unlock function.
DO: Android 5.0 or higher
PO: Android 7.0 or higher
Enforce Multi factor Authentication
Enable multifactor authentication (2FA) that unlocks a device only after two authentication methods are provided, including one biometric input (face/iris/fingerprint) and one lock screen method (PIN/password/pattern).
Note
Incorrect use of this policy together with “One Lock” and “Biometric policy” can lock your device.
DO: Samsung Knox 3.0 or higher
Screen timeout
Allows the user to change the Screen Timeout setting.
DO: Android 9.0 or higher
Maximum screen timeout
Set the maximum time that the device can remain idle before the screen times out.
DO: Android 2.2 or higher, Samsung Knox 2.0 or higher
Work profile password
Sets the use of a screen lock password for the Work Profile container. When the Work Profile is installed, users are directed to set the Work Profile screen lock password.
Note
  • If users forget their password and ask you for help, send the device command to reset the password and guide them to enter the temporary password that was sent. For more information about the procedure, see Viewing the device details.
  • If the device is using a One Lock password, and the policy for the personal area and work area have been configured differently, the stronger password policy will be applied.
  • If you want to configure the policy for the personal area of a Work Profile (PO) device, navigate to Security > Device password.
> Minimum strength
Set the minimum password strength on the screen.
  • Weak Biometric: Set the password using a low-security biometric recognition method.
  • Pattern: Set a password with a pattern or with a higher degree of complexity.
  • Numeric: Set a password with numbers or with a higher degree of complexity.
  • Numeric Complex: Set the password containing at least numeric characters with no repeating (4444) or ordered (1234, 4321, 2468) sequences.
  • Alphabetic: Set the password containing at least alphabetic (or other symbol) characters.
  • Alphanumeric: Set a password with alphanumeric characters or with a higher degree of complexity.
  • Complex: All passwords must include alphanumeric and special characters.
Note
The password strength increases in the following ascending order: Weak Biometric < Pattern < Numeric < Numeric Complex < Alphabetic < Alphanumeric < Complex.
PO: Android 2.2 or higher
>> Minimum length
Set the minimum length of the password.
The value can be between 4 - 16 characters for Numeric or Alphanumeric.
The value can be between 6 - 16 characters for Complex.
Note
Minimum length of the pattern password refers to the number of lines connecting each dot. For example, if the policy value is 4, at least four lines connecting five dots must be entered.
PO: Android 2.2 or higher
>> Minimum number of letters
Set the minimum number of letters required in the password.
The value can be between 1 - 10 characters.
PO: Android 3.0 or higher
>> Minimum number of non-letters
Set the minimum number of numeric and special characters required in the password.
The value can be between 1 - 10 characters.
PO: Android 3.0 or higher
>> Minimum number of lowercase letters
Set the minimum number of lowercase letters required in the password.
The value can be between 1 - 10 characters.
PO: Android 3.0 or higher
>> Minimum number of capital letters
Set the minimum number of uppercase letters required in the password.
The value can be between 1 - 10 characters.
PO: Android 3.0 or higher
>> Minimum number of numeric characters
Set the minimum number of numeric characters required in the password.
The value can be between 1 - 10 characters.
PO: Android 3.0 or higher
>> Minimum number of special characters
Set the minimum number of special characters required in the password.
The value can be between 1 - 10 characters.
PO: Android 3.0 or higher
>> Manage password history (times)
Set the minimum number of new passwords that must be used before a user can reuse the previous password.
The value can be between 0 - 10 times.
Note
If the password is ‘Knox123!’ and the minimum value is set as 10, the user must use ten other passwords before reusing ‘Knox123!’ as password.
PO: Android 3.0 or higher
>> Expiration after (days)
Set the maximum number of days before the password must be reset.
The value can be between 0 - 365 days.
PO: Android 3.0 or higher
>> Maximum Failed Login Attempts
Set the maximum number of incorrect password attempts before access is restricted.
The value can be between 0 - 10 times.
PO: Android 2.2 or higher
Block function setting on lock screen
Allows blocking functions on the lock screen.
Note
The visibility of the notifications on the lock screen depends on the options you set in the application.
PO: Android 4.2 or higher
> Block functions on lock screen
Select the function to be blocked on the lock screen when a password policy is set on a device.
  • Trust Agent: Blocks the Smart Lock function which automatically unlocks the screen in certain conditions, such as during a certain physical activity, at a specific location, or when certain devices are added.
  • Fingerprint: Blocks the fingerprint screen unlock function.
  • Previews in pop-ups: Displays notifications on the lock screen but hides private content set in the application.
SafetyNet Attestation
Allows the use of SafetyNet attestation to validate the integrity of the device.
DO/PO: Android 6.0 or higher
> Verification Interval (days)
Set an interval at which the SafetyNet Attestation API assesses the devices.
> Verification Failure Policy (During Enrollment)
Select a measure.
  • Admin Alert: Sends an alert to the administrator.
  • Unenrollment (Factory Reset) (for DO only): Unenrolls the device and performs a factory reset.
  • Unenrollment (for PO only): Unenrolls the device.
> Verification Failure Policy (After Enrollment)
Select a measure.
  • Admin Alert: Sends an alert to the administrator.
  • Lock device (for DO only): Locks the device.
  • Unenrollment (Factory Reset) (for DO only): Unenrolls the device and performs a factory reset.
  • Unenrollment (for PO only): Unenrolls the device.
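The password rules in this Security section can be checked before a profile is applied. The block below is an added example, not Knox Manage code: it lints a Device Password policy against the value ranges on this page, picks the effective strength under One Lock, and tests a PIN against the Numeric Complex rule. The dictionary keys and the run threshold max_run=3 are assumptions made for the example.

```python
"""Pre-deployment lint for the Device Password policy described on this page.
Added example; the dict keys are hypothetical names, not Knox Manage fields."""

# Ascending strength order, as given in the Note on this page.
STRENGTH_ORDER = ["Weak Biometric", "Pattern", "Numeric", "Numeric Complex",
                  "Alphabetic", "Alphanumeric", "Complex"]

# Inclusive value ranges documented on this page.
MIN_LENGTH_RANGE = {"Numeric": (4, 16), "Alphanumeric": (4, 16), "Complex": (6, 16)}
VALUE_RANGES = {
    "min_letters": (1, 10), "min_non_letters": (1, 10),
    "min_lowercase": (1, 10), "min_uppercase": (1, 10),
    "min_numeric": (1, 10), "min_special": (1, 10),
    "history": (0, 10), "expiration_days": (0, 365),
    "max_failed_attempts": (0, 10),
}
# Device Password: Maximum Failed Login Attempts can be set only for these.
ATTEMPT_LIMIT_STRENGTHS = {"Numeric", "Alphanumeric", "Complex"}


def rank(strength):
    """Position of a strength in the documented order (higher is stronger)."""
    return STRENGTH_ORDER.index(strength)


def effective_one_lock_strength(personal, work):
    """With One Lock, the stronger of the two configured policies applies."""
    return max(personal, work, key=rank)


def lint_password_policy(policy):
    """Return a list of findings for one password policy dict."""
    strength = policy.get("min_strength")
    if strength not in STRENGTH_ORDER:
        return [f"unknown minimum strength: {strength!r}"]
    findings = []

    length = policy.get("min_length")
    if length is not None and strength in MIN_LENGTH_RANGE:
        low, high = MIN_LENGTH_RANGE[strength]
        if not low <= length <= high:
            findings.append(f"min_length {length} outside {low}-{high} for {strength}")

    for key, (low, high) in VALUE_RANGES.items():
        value = policy.get(key)
        if value is not None and not low <= value <= high:
            findings.append(f"{key} {value} outside {low}-{high}")

    if (policy.get("max_failed_attempts") is not None
            and strength not in ATTEMPT_LIMIT_STRENGTHS):
        findings.append(f"max_failed_attempts cannot be set with strength {strength}")
    return findings


def is_numeric_complex(pin, max_run=3):
    """Reject PINs with repeating (4444) or ordered (1234, 4321, 2468) runs.

    A run is a stretch of digits with a constant difference. The page gives
    only four-digit examples, so max_run=3 is an assumption of this example.
    """
    if not (pin.isascii() and pin.isdigit()):
        return False
    run, prev_diff = 1, None
    for a, b in zip(pin, pin[1:]):
        diff = int(b) - int(a)
        run = run + 1 if diff == prev_diff else 2
        prev_diff = diff
        if run > max_run:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample policy, not taken from a real profile.
    sample = {"min_strength": "Complex", "min_length": 4, "history": 12,
              "max_failed_attempts": 5}
    for finding in lint_password_policy(sample):
        print("FINDING:", finding)
    print("One Lock:", effective_one_lock_strength("Numeric", "Alphanumeric"))
    for pin in ("4444", "2468", "2580"):
        print(pin, "accepted" if is_numeric_complex(pin) else "rejected")
```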

Kiosk

Fully Managed will be referred to as DO (Device Owner).
Work Profile will be referred to as PO (Profile Owner).
Policy
Description
Supported devices
Kiosk app settings
Select a Kiosk feature to use on a device.
  • Single app: Runs a single application on the device’s home screen.
  • Multi app: Runs multiple applications that are developed using the Kiosk Wizard.
  • Kiosk Browser: Opens webpages that are specified by the administrator.
Note
  • To use the Kiosk Browser, the Kiosk Browser application must be registered as a Knox Manage application. For more details, contact the TMS administrator.
  • Single App Kiosks are not available with non-Samsung Android Enterprise Fully Managed (DO) devices that are equipped with Android 6.0-8.0.
  • Knox Manage provides Single App Kiosk with Google managed applications for Android Enterprise devices with version 9.0 (Pie) or higher.
DO: Samsung Knox 1.0 or higher
Non-Samsung DO: Android 9.0 or higher
> Set application
Click Select, and then choose Public applications (Managed Google Play Store) or Kiosk applications from the Kiosk application list. Alternatively, click Add, and then manually add applications. For more information about adding single applications, see Creating a Single App Kiosk.
> Set application
Click Select to select multiple Kiosk applications from the list or click New to create a Multi App Kiosk. To learn how to use the Kiosk Wizard, see Exploring Kiosk Wizard.
> Set Kiosk Browser
When setting up the Kiosk Browser, the package name of the application registered as the Kiosk Browser will be automatically selected.
> Default URL
Set the default page URL to call in the Kiosk Browser.
Note
You can enter a URL that is up to 128 bytes including alphanumeric characters and some special characters (_, ., -, *, /).
> Screen Saver
Use the screen saver for the multi-app kiosk and the Kiosk Browser. When no user activity has been sensed for a certain amount of time set in the Auto Screen Off or Session Timeout settings on the device, the registered images or video files will be activated on the device display.
Note
The Screen Saver for the Kiosk Browser only runs while the device is charging.
>> Screen Saver Type
Select either an image or video type screensaver.
>>> Image
Select image files for the screen saver. You can add up to 10 image files in the PNG, JPG, JPEG, or GIF format (animated files are not supported). Each image file must be less than 5 MB.
  • To upload an image file, click Add and select a file.
  • To delete an image file, click next to the name of the uploaded image file.
Note
The device control command must be transferred to the device to apply an image file to it.
>>> Video
Select a video file for the screen saver. You can add only one video file in the MP4 or MKV format. The video file must be less than 50 MB.
  • To upload a video file, click Add and select a file.
  • To delete a video file, click next to the name of the uploaded video file.
Note
The device control command must be transferred to the device to apply a video to it.
> Session timeout
Allows the use of the session timeout feature for the Kiosk Browser. If the user does not use the device for a set time, the device deletes user information, such as the cache and cookies, in the device Kiosk Browser and goes to the main page URL.
  • Apply: Enables the session timeout feature for the browser.
>> Time (sec)
Set the session timeout in seconds for the Kiosk Browser.
The value can be between 10 - 3600 secs (default is 1800).
> Text Copy
Allow the copying of text strings in the Kiosk Browser.
> Javascript
Allow the running of the JavaScript contained in websites.
> Http Proxy
Allow the use of an HTTP proxy for communications in the Kiosk Browser.
>> IP/Domain:Port
Set the HTTP proxy server IP or domain address, and Port. When not entered, the Port number is automatically set to 80.
> User agent settings key value
Set the key value to be added to the user agent. When the Kiosk Browser accesses the web server, the user agent key value is included in the HTTP header.
Note
User agent key settings can be used on the web server to detect access from non-Kiosk browsers.
Delete Kiosk app when policy is removed
Allows deleting applications along with policies from a device when the applied policy is deleted.
DO: Samsung Knox 1.0
Non-Samsung DO: Android 9.0
Prohibit hardware key
Allows the use of the hardware keys.
> Disallow hardware key(s)
Select hardware keys to disable. The availability of hardware keys can vary by device.
If you do not allow the use of the Task Manager, then it will not run, even if the user taps the left menu key in the Navigation bar at the bottom of the device.
DO: Samsung Knox 1.0 or higher
Utilities setting
Allows the use of specific features on Kiosk mode devices.
DO: Android 9.0
> Power
Allows the use of the Power button to turn off or restart the device.
Allow is the default value.
> Recent apps
Allows the use of the Recent task button. The Home button also needs to be allowed to use the Recent task button.
Disallow is the default value.
> System status bar
Allows the use of the system status bar, which displays the time, network connectivity, and battery status.
Disallow is the default value.
Note
For Android P or higher devices, you must allow the notification bar as well to enable the system status bar.
> Notification bar
Allows access to the notification bar. If this policy is set to Allow, the Home policy will be allowed automatically.
Disallow is the default value.
> Home
Allows the use of the Home button on the device.
Disallow is the default value.
> Key guard
Allows the screen lock policy to be applied to the device. If it is set to Disallow, users can access the Kiosk device without a screen lock password, regardless of the screen lock policy of the device.
Allow is the default value.
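The note under "User agent settings key value" says the key can be used on the web server to detect access from non-Kiosk browsers. The following is an added example, not Knox Manage code, that runs that check over web-server access logs. It assumes the key appears as a substring of the User-Agent header, that the server writes the common "combined" log format, and that kiosk-only pages live under `/kiosk/`; the key value and log lines are constructed.

```python
import re
from collections import Counter

# Constructed placeholder: use the value entered under "User agent settings key value".
KIOSK_UA_KEY = "KM-KIOSK-EXAMPLE-KEY"
# Assumption: pages meant only for the Kiosk Browser are served under this path.
KIOSK_ONLY_PREFIX = "/kiosk/"

# Apache/nginx "combined" access-log format.
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)

# Constructed sample log (documentation IP ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2024:09:00:01 +0000] "GET /kiosk/menu HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Linux; Android 10; SM-T510) KioskBrowser KM-KIOSK-EXAMPLE-KEY"',
    '192.0.2.10 - - [12/Mar/2024:09:00:05 +0000] "POST /kiosk/order HTTP/1.1" 201 310 "-" "Mozilla/5.0 (Linux; Android 10; SM-T510) KioskBrowser KM-KIOSK-EXAMPLE-KEY"',
    '198.51.100.7 - - [12/Mar/2024:09:02:44 +0000] "GET /kiosk/menu HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0 Safari/537.36"',
    '198.51.100.7 - - [12/Mar/2024:09:02:50 +0000] "GET /kiosk/admin HTTP/1.1" 403 0 "-" "curl/8.5.0"',
    '203.0.113.5 - - [12/Mar/2024:09:03:10 +0000] "GET /public/index.html HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0"',
    '203.0.113.9 - - [12/Mar/2024:09:04:00 +0000] "GET /kiosk/menu HTTP/1.1" 200 5120 "-" "-"',
    'this line is truncated and does not parse',
]


def find_non_kiosk_access(lines, key=KIOSK_UA_KEY, prefix=KIOSK_ONLY_PREFIX):
    """Return (findings, unparsed_line_numbers).

    A finding is a request to a kiosk-only path whose User-Agent lacks the key.
    The User-Agent header is set by the client, so a missing key flags a
    non-Kiosk browser, while a present key is a signal and not authentication.
    """
    if not key:
        raise ValueError("empty key would match every User-Agent")
    findings, unparsed = [], []
    for lineno, line in enumerate(lines, start=1):
        m = COMBINED_LOG.match(line)
        if m is None:
            unparsed.append(lineno)  # report, never silently drop a line
            continue
        if not m["path"].startswith(prefix):
            continue  # outside the kiosk-only area
        if key in m["ua"]:
            continue  # request carries the configured key
        findings.append({
            "line": lineno,
            "ip": m["ip"],
            "path": m["path"],
            "status": int(m["status"]),
            "ua": m["ua"],
        })
    return findings, unparsed


def summarize_by_source(findings):
    """Count flagged requests per source address for triage."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found, bad = find_non_kiosk_access(SAMPLE_LOG)
    for f in found:
        print(f'line {f["line"]}: {f["ip"]} {f["path"]} -> {f["status"]} UA={f["ua"]!r}')
    print("per source:", dict(summarize_by_source(found)))
    print("unparsed lines:", bad)
```
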

Application

Fully Managed will be referred to as DO (Device Owner).
Work Profile will be referred to as PO (Profile Owner).
Policy
Description
Supported devices
Installation of application from untrusted sources
Allows the installation of applications from untrusted sources instead of just the Google Play Store.
DO: Android 4.3 or higher
PO: Android 5.0 or higher
App Control
Allows application control from the settings application.
The following actions can be configured:
  • Delete / Execute / Prevention / CACHE Removal / Data Removal / Focused Exit / Default App Removal.
DO: Android 5.0 or higher
App Installation
Allows application installation.
DO: Android 4.3 or higher
PO: Android 5.0 or higher
App Uninstallation
Allows application uninstallation.
DO: Android 4.3 or higher
PO: Android 5.0 or higher
App Verification
Allows application verification via Google for all device applications.
DO: Android 5.0 or higher
PO: Android 5.0 - 7.1
App Permission
Allows application runtime permission settings for all areas.
  • Prompt: Prompts users to grant or deny permissions.
  • Grant: Grants all relevant permissions.
  • Deny: Denies all relevant permissions.
Note
This policy applies to all applications.
DO/PO: Android 6.0 or higher
> App permission exception policy list
Add individual applications and set a different permission policy for each application.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
Note
DO/PO: Android 6.0 or higher
App Execution Blacklist Setting
Set to prevent the execution of the device applications.
> App execution blacklist
Add applications to prevent their execution. The icon of a blacklisted application disappears and users cannot run the application.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
Note
An application that has been added to the Application installation whitelist policy cannot be added.
DO/PO: Android 5.0 or higher
Application uninstallation prevention list Setting
Set to prevent the uninstallation of the device application.
> Application uninstallation prevention list
Add applications to prevent their uninstallation.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
DO/PO: Android 5.0 or higher
System App Activation Setting
Set to activate hidden system applications so that they are visible on Android Enterprise devices. If a device is activated with Android Enterprise, only designated applications appear on the device.
Note
Applications cannot be activated if they are listed under the Application installation block list.
> System App Activation
Add system applications to be activated.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
DO/PO: Android 5.0 or higher
Settings for whitelisting apps allowing external SD card
Allows the use of an external SD card. The external SD card cannot be used by default.
> Whitelisted apps for external SD card
Add applications that can use an external SD card.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.

Location

Fully Managed will be referred to as DO (Device Owner).
Work Profile will be referred to as PO (Profile Owner).
Policy
Description
Supported devices
GPS
Configure to force quit the GPS feature of the device. Users can freely change this feature setting on the device if the Location Setting policy is set to Allow.
  • Disable On: Disables the GPS feature on the device.
DO: Android 4.3 or higher, Samsung Knox 1.0 or higher
PO: Android 4.3 or higher
Report device location
Allows collecting location data.
  • User consent: Allows location data collection only with the user’s consent.
Note
If the Fully Managed with Work Profile type is used, location data from devices is collected based on the Report Device Location value, which is specified in the Fully Managed Device policy.
DO: Android 2.3 or higher, Samsung Knox 1.0 or higher
PO: Android 5.0 or higher
> Report device location interval
Set an interval period to save the location data of the device.
Note
To set the collection interval, select either Allow or User consent for the Report device location policy.
DO: Android 2.3 or higher, Samsung Knox 1.0 or higher
PO: Android 5.0 or higher
High Accuracy Mode
Set to collect accurate GPS locations of the devices.
DO: Android 2.3 or higher, Samsung Knox 1.0 or higher
PO: Android 5.0 or higher

Phone

Fully Managed will be referred to as DO (Device Owner).
Work Profile will be referred to as PO (Profile Owner).
Policy
Description
Supported devices
Airplane mode
Allows the use of airplane mode.
DO: Android 9.0 or higher, Samsung Knox 2.0 or higher
Cell Broadcast Setting
Allows the use of emergency broadcast settings.
The carrier can send the same message, such as an emergency alert, to the devices connected to the same cellular base station.
DO: Android 5.0 or higher
Volume Adjustment
Allows adjusting the volume.
DO: Android 5.0 or higher
Microphone
Allows the use of the microphone.
DO: Android 5.0 or higher, Samsung Knox 1.0 or higher
PO: Samsung Knox 1.0 or higher
> Recording
Allows recording with the microphone.
DO/PO: Samsung Knox 1.0 or higher
> S Voice
Allows the use of S Voice.
DO: Samsung Knox 1.0 or higher
Voice Call (except Samsung Device)
Allows the use of voice calls.
Note
To control Samsung devices, use the Prohibit voice call policy.
DO: Android 5.0 or higher
SMS (except Samsung Device)
Allows the use of text messages.
DO: Android 5.0 or higher
Data connection during roaming
Allows a data connection while using roaming service.
DO: Android 7.0 or higher, Samsung Knox 1.0 or higher

Container

Fully Managed will be referred to as DO (Device Owner).
Work Profile will be referred to as PO (Profile Owner).
Policy
Description
Supported devices
Copy and Paste Clipboard per Profile
Allows copying and pasting with the clipboard between the personal and work areas.
PO: Android 5.0 or higher
Bluetooth Low Energy
Allows using Bluetooth Low Energy that enables very low power operation of the device.
PO: Samsung Knox 2.4 or higher
Bluetooth Share
Allows sharing via Bluetooth with other devices.
PO: Android 8.0 or higher
Phone Book Access Profile (PBAP) via Bluetooth
Allows sharing contacts from the Profile Owner to the connected device via Bluetooth.
Note
The Bluetooth share policy must be set to Allow before using this policy.
PO: Android 6.0 or higher

Factory Reset Protection

You can set up a factory reset protection policy for Android Enterprise devices. This policy allows you to prevent the unauthorized use of an organization’s devices via a special validation method for unlocking them after a factory reset.
Policy
Description
Factory Reset Protection
Allows enabling Factory Reset Protection.
To enable Factory Reset Protection, complete the following steps:
  1. Select Allow from the drop-down list.
  • Further information about the FRP will be displayed.
  2. Click Go to Google API Webpage to generate a user ID.
  3. Sign in with your Google account.
  • You can use an existing Google account or create one specifically for use with factory reset protection. Please be aware that this account will be used to validate device users. An Android Enterprise account should not be used.
  4. Enter the following input values on the right side of the API page.
  • resourceName : people/me
  • personalFields : metadata
  5. Click Execute.
  6. In a green header box, copy the “id” field value and paste it into the Google User ID field in the Knox Manage Admin Portal.
  7. In the Google Account ID field, enter the same account ID that you used to sign in to the Google API page at step 3, and click to save it.

Wi-Fi

You can add more Wi-Fi policy sets by clicking .
Policy
Description
Configuration ID
Assign a unique ID for each Wi-Fi setting.
Description
Enter a description for each Wi-Fi setting.
Network Name (SSID)
Enter an identifier of a wireless router to connect to.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
Remove available
Allows users to delete the Wi-Fi settings.
Hidden Network
Hides the network from the list of available networks on the device. The SSID is not broadcast.
Security type
Specifies the access protocol used and whether certificates are required.
> WEP
Set a WEP KEY index from WEP KEY 1 to 4.
> WPA/WPA2-PSK
Enter a password.
> 802.1xEAP
Configure the following items:
  • EAP Method: Select an authentication protocol, either PEAP or TTLS.
  • 2-step authentication: Select either PAP or MSCHAP as a secondary authentication method.
  • User information input method: Select an input method for entering user information.
  • Manual Input: Enter the user ID and Password for the Wi-Fi connection.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
  • Connector interworking: Choose a connector from the User information Connector.
  • User Information: Use the user information registered in Knox Manage to access Wi-Fi.
  • External ID: Assign an external ID for Manual Input.
  • User certificate input method: Select a user certificate confirmation method.
  • EMM Management Certificate: Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.
Note
Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.
  • Connector interworking: Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Adding sync services.
When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.
  • Issuing external CA: Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template.
Then, register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Adding external certificates.
CA certificate
Select a root certificate. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as Wi-Fi and the Type set as Root will appear on the list.
Proxy configuration
Select a proxy server configuration method. Traffic is routed through the proxy server when the device is connected to Wi-Fi.
> Manual
Configure the proxy server manually.
  • Proxy host name: Enter the host name or the IP address of the proxy server.
  • Proxy port: Enter the port number used by the proxy server.
  • Proxy exception: Enter the IP address or domain address that cannot be accessed through the proxy server.
If server authentication is required to use the proxy server, check the Server authentication check box.
  • User name: Enter the username for the proxy server.
  • Password: Enter the password for the proxy server.
> PAC automatic configuration
Configure the proxy server automatically.
Enter the PAC web address, which is the URL of the PAC file that automatically determines which proxy server to use.

VPN

You can configure the VPN settings to connect to a private network through a public network. You can add more VPN policy sets by clicking . Only the Pulse Secure VPN type can be configured for Android Enterprise devices.
Policy
Description
Configuration ID
Assign a unique ID for the VPN setting.
Description
Enter a description for the VPN setting.
VPN type
The VPN type is set to Pulse Secure by default and you cannot change it.
Always On VPN
Creates a VPN connection when the device starts and maintains it while the device is turned on.
Server URL
Enter the URL of the VPN server.
Authentication Type
Select an authentication type for the VPN connection: Password, Certificate, or both.
User name
Enter the user ID for the VPN connection.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
Password
Enter the password for the VPN connection.
Identity Certificate
Select a certificate used to identify the device to its peer.
Route Type
Set to use the VPN settings for the entire device or for selected applications.
> Apps to use VPN Configuration
Select applications to allow or disallow from using the VPN. To add an application, click Whitelist Apps or Blacklist Apps, click Add, and then select applications in the “Select Application” window.

Bookmark

For Android Enterprise devices, a shortcut to the bookmarked address of a specific URL is created on the home screen of the device, not in the web browser.
Note
  • Only the device user can delete the shortcuts manually.
  • Deleting a bookmark policy from the Knox Manage Agent can have different effects depending on the OS version. In both cases, manual deletion by the device user is recommended:
  • Android Pie (9.0): Shortcuts will still appear grayed out on the home screen.
  • Android Oreo (8.0): Shortcuts will not be removed.
Policy
Description
Configuration ID
Assign a unique ID for each bookmark setting.
Description
Enter a description for each bookmark setting.
Installation area
Specifies a location to install the bookmark.
  • ShortCut: Creates a shortcut of the bookmarked address on the home screen of the device. Shortcut icons are created based on the Samsung Launcher.
  • Android Enterprise devices only support the shortcut type.
  • Shortcut icons might not be created, depending on the type of launcher set by the user.
  • An administrator cannot delete the shortcut icon, but the user can delete it manually.
ShortCut image
Select a shortcut icon to be created on a user device.
Bookmark page URL
Enter a website address to go to when a bookmark is selected.
Bookmark name
Enter the bookmark name to be displayed as a title in the bookmark.

Certificate

You can install a user certificate on a device and use the certificate through Wi-Fi or on websites. You can add more certificate policy sets by clicking .
Policy
Description
Configuration ID
Assign a unique ID for each certificate setting.
Description
Enter a description for each certificate setting.
User certificate input method
Select an input method for entering certificate information.
  • EMM Management Certificate: Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.
Note
Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.
  • Connector interworking: Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Adding sync services.
  • When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.
  • Issuing external CA: Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template.
Then, register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Adding external certificates.
Certificate Category
Select a certificate category when EMM Management Certificate is selected in User certificate input method:
  • CA certificate: Select a certificate to use from the CA certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as Root will appear on the list.
  • User certificate: Select a certificate to use from the User Certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as User will appear on the list.
Apps with Delegated Certificate Management
Add specific applications, which are installed on the device, to grant silent privileged access via a certificate while running.

Configuring Samsung Knox (Android Enterprise) Policies

Create a profile and register policies that apply only to Samsung devices managed as Android Enterprise. Some policies that require the KSP agent cannot be configured if you do not approve the KSP agent in the Android Enterprise settings. These policies are marked with .
Note
KSP policies are not applicable to the Fully Managed with Work Profile type. For devices that are enrolled as the Fully Managed type with KSP policies applied, these policies can remain even after the device type changes to the Fully Managed with Work Profile type. It is recommended to remove them manually.
  • Provides data sharing or save settings, developer options, and other features.
  • Controls the network settings, such as Wi-Fi Hotspot and Bluetooth tethering, and controls the USB media player settings.
  • Configures security settings, such as the Google Android security update policy.
  • Configures the Kiosk device settings.
  • Configures the battery optimization exceptions setting.
  • Configures the settings for the default web browser and Chrome browser.
  • Configures the phone settings, such as the cellular network settings.
  • Configures the IP or a domain firewall policy for each application.
  • Allows the use of DeX mode, an interface to use a mobile device like a desktop.
  • Configures the APN (Access Point Name) settings.

System

Fully Managed will be referred to as DO (Device Owner).
Work Profile will be referred to as PO (Profile Owner).

Policy
Description
Supported devices
Share Via Options
Allows sharing of data from one application to another.
DO/PO: Samsung Knox 3.0 or higher
Domain blacklist Settings
Allows using the domain blacklist.
> Domain blacklist
Enter a domain blacklist that should not be used when registering an Exchange or email account.
  • To add a domain, enter the domain name in the field, and click .
  • To delete a domain, click next to the added domain name.
DO: Samsung Knox 1.0 or higher
Power off
Allows powering off the device.
Note
  • If this policy is disallowed, the user cannot turn off the device and cannot perform a factory reset.
  • The device command from an administrator for factory reset is also blocked.
DO: Samsung Knox 1.0 or higher
OTA Upgrade
Allows an OTA upgrade for the device.
DO: Samsung Knox 1.0 or higher
Settings
Allows configuration changes within the System Settings.
DO: Samsung Knox 1.0 or higher
Expand status bar
Allows the expansion of the status bar.
DO: Samsung Knox 1.0 or higher
Clipboard
Allows using the clipboard feature and sets the range.
  • Allow: Allows the clipboard feature throughout the entire system.
  • Disallow: Disallows the clipboard feature throughout the entire system.
  • Allow within the same app: Allows using the clipboard feature only within the same application.
DO/PO: Samsung Knox 1.0 or higher
Share via apps
Allows the share app feature.
DO/PO: Samsung Knox 1.0 or higher
Smart Select
Allows using Smart Select, a Samsung device feature that lets users clip content by drawing a circle with the S pen. Clipped content can be used in notes or anywhere else.
DO: Samsung Knox 2.3 or higher
Developer mode
Allows using a developer mode.
DO: Samsung Knox 2.0 or higher
> Mock location
Allows using a mock location, which specifies an arbitrary location for development or test purposes. Use this policy if the location information from the Update Device Information in the Send Device Command seems incorrect.
DO: Samsung Knox 1.0 or higher
> Background process limitation
Allows setting the number of background processes.
If this policy is disabled, the default number of background processes will be set at the maximum number.
DO: Samsung Knox 1.0 or higher
> Quit application upon killing activities
Enables closing all running applications when the user logs out of the device.
If this policy is disabled, the activation setting is disabled on the device and the user cannot control the device settings.
DO: Samsung Knox 1.0 or higher
Reboot banner
Allows using the reboot banner which appears on the user’s device when the device reboots.
DO: Samsung Knox 1.0 or higher
> Reboot banners stationery
Enter the text for the reboot banner. You can enter up to 1000 bytes.
Note
You can customize banners for devices with Samsung Knox 2.2 or higher. For Samsung Knox 1.0 devices, only the message or banner registered by the manufacturer is displayed.
DO: Samsung Knox 2.2 or higher
Control Power saving mode
Allows power saving controls on the device.
DO: Samsung Knox 2.8 or higher
Firmware download mode control
Allows using the hardware key on the device to update firmware.
  • Disallow: Disallows updating firmware with the hardware key and performing a factory reset.
DO: Samsung Knox 2.0 or higher
Samsung Keyboard settings control
Allows accessing the settings key from the Samsung keyboard.
DO: Samsung Knox 2.0 or higher
Data Saver Mode
Allows the device to use the data saver mode automatically.
DO: Samsung Knox 3.0 or higher
Whitelisted Device Admin
Enables blocking activation of any applications as device admin, except those specified on the whitelist.
DO: Samsung Knox 3.0 or higher
> Whitelisted Apps
Add applications to the whitelist.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.

Interface

Fully Managed will be referred to as DO (Device Owner).
Work Profile will be referred to as PO (Profile Owner).
Policy
Description
Supported devices
NFC Control
Allows NFC (Near Field Communication) control.
Note
Android 10 (Q) or higher devices are not supported.
DO: Samsung Knox 1.0 or higher
PO: Samsung Knox 2.4 or higher
USB host storage (OTG)
Allows a device connection via OTG (On the Go). OTG controls only the storage items and not the non-storage items, such as a keyboard or mouse.
Note
To use DeX, configure the policy to allow DeX mode. If the configuration value is set as either allow or disallow, set the USB exception list as follows:
  • Using DeX only: All block.
  • Using DeX, Keyboard, and Mouse: Hid.
  • Using DeX, Keyboard, Mouse, Ethernet: Hid, Communication, Cdc Data, Vendor Spec.
DO: Samsung Knox 1.0 or higher
> Set usb exception allowed list
Select a USB interface to use if the USB host storage (OTG) policy is disallowed.
>> USB exception allowed list
Select the USB interface to use from the USB exception allowed list. For more information, see https://www.usb.org/defined-class-codes.
DO: Samsung Knox 3.0 or higher
Wi-Fi hotspot
Specifies whether to use the mobile Wi-Fi hotspot on the device.
DO: Samsung Knox 1.0 or higher
Wi-Fi SSID whitelist setting
Allows using the Wi-Fi SSID whitelist. Devices can only connect to the Wi-Fi APs on the whitelist.
Note
For non-Samsung devices with Android 8.0 or a higher version, this policy can be applied only when access to location information has been granted.
> Wi-Fi SSID whitelist
Add Wi-Fi APs to the whitelist. This policy is independent of adding or deleting the Wi-Fi setting profile.
  • To add a Wi-Fi AP, enter a Wi-Fi SSID and click .
  • To add all Wi-Fi APs, click Add all to access the Wi-Fi list.
  • To delete a Wi-Fi AP, select a Wi-Fi SSID and click .
DO: Samsung Knox 1.0 or higher
Wi-Fi SSID Blacklist setting
Allows using the Wi-Fi SSID blacklist. Devices cannot connect to Wi-Fi APs on the blacklist.
Note
For non-Samsung devices with Android 8.0 or a higher version, this policy can be applied only when access to location information has been granted.
> Wi-Fi SSID Blacklist
Add Wi-Fi APs to the blacklist. This policy is independent of adding or deleting the Wi-Fi setting profile.
  • To add a Wi-Fi AP, enter a Wi-Fi SSID and click Add.
  • To add all Wi-Fi APs, click Add all to access the Wi-Fi list.
  • To delete a Wi-Fi AP, select a Wi-Fi SSID and click .
DO: Samsung Knox 1.0 or higher
Wi-Fi auto connection
Allows automatic connection to the Wi-Fi SSID already stored in the device.
DO: Samsung Knox 1.0 or higher
Wi-Fi minimum security level setting
Set a minimum security level for Wi-Fi.
Note
The security level increases in the following ascending order: OPEN < WEP < WPA < LEAP, PWD < FAST, PEAP < TLS, TTLS, SIM, AKA, AKA’.
DO: Samsung Knox 1.0 or higher
Open Wi-Fi Connection
Allows devices to connect to open and unprotected Wi-Fi access points. If this policy is disallowed, users cannot connect to unsecured Wi-Fi networks.
DO: Samsung Knox 3.0 or higher
Control for Wi-Fi password to be Visible
Makes the password hidden or visible in the network edit dialog.
DO: Samsung Knox 3.0 or higher
USB tethering
Allows USB tethering.
DO: Android 4.3 or higher, Samsung Knox 1.0 or higher
Bluetooth tethering
Allows Bluetooth tethering to share the internet connection from one device to another.
DO: Samsung Knox 1.0 or higher
Bluetooth UUID Whitelist Setting
Allows connecting Bluetooth devices based on their Universally Unique Identifier (UUID).
> Bluetooth UUID whitelist
Select devices to allow Bluetooth connections with. Click the checkboxes for Audio, File transfer, Phonebook, Headsets, or Hands-free.
Note
When the policy is updated, the current Bluetooth connection is disconnected and users must reconnect.
DO: Samsung Knox 1.0 or higher
Bluetooth UUID Blacklist Setting
Allows disconnecting Bluetooth devices based on their Universally Unique Identifier (UUID).
> Bluetooth UUID blacklist
Select devices to block Bluetooth connections with. Click the checkboxes for Audio, File transfer, Phonebook, Headsets, or Hands-free.
Note
When the policy is updated, the current Bluetooth connection is disconnected and users must reconnect.
DO: Samsung Knox 1.0 or higher
USB Debugging
Allows USB debugging.
DO: Samsung Knox 1.0 or higher
PO: Android 5.0 or higher
USB Mediaplayer
Allows the use of an external USB media player on the device.
DO: Samsung Knox 3.0 or higher
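The Wi-Fi restrictions in this table (SSID whitelist and blacklist, minimum security level, Open Wi-Fi Connection) can make a pushed Wi-Fi profile unusable, so the following added example, which is not Knox Manage code, pre-checks planned profiles against them. It assumes every enabled restriction must pass, that a WPA/WPA2-PSK profile counts as WPA and an 802.1xEAP profile counts as its EAP method, and that "OPEN" labels a profile with no security; the SSIDs and policy values are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Tiers from the minimum security level note, lowest first.
# Methods listed together in the note share one rank.
SECURITY_TIERS = [
    {"OPEN"},
    {"WEP"},
    {"WPA"},
    {"LEAP", "PWD"},
    {"FAST", "PEAP"},
    {"TLS", "TTLS", "SIM", "AKA", "AKA'"},
]
RANK = {name: rank for rank, tier in enumerate(SECURITY_TIERS) for name in tier}


@dataclass
class WifiRestrictions:
    ssid_whitelist: Optional[set] = None          # None = whitelist policy not used
    ssid_blacklist: set = field(default_factory=set)
    minimum_security: str = "OPEN"
    allow_open_wifi: bool = True


def profile_level(security_type, eap_method=None):
    """Map a Wi-Fi profile's security type to a tier name (assumed mapping)."""
    if security_type == "802.1xEAP":
        level = eap_method                 # PEAP or TTLS in the Wi-Fi profile
    elif security_type == "WPA/WPA2-PSK":
        level = "WPA"
    else:
        level = security_type              # "WEP" or the assumed label "OPEN"
    if level not in RANK:
        raise ValueError(f"unknown security level: {security_type!r}/{eap_method!r}")
    return level


def check_profile(ssid, security_type, eap_method, r):
    """Return the list of restrictions the profile violates (empty = usable)."""
    if r.minimum_security not in RANK:
        raise ValueError(f"unknown minimum level: {r.minimum_security!r}")
    level = profile_level(security_type, eap_method)
    reasons = []
    # SSIDs are compared exactly; they are case-sensitive.
    if r.ssid_whitelist is not None and ssid not in r.ssid_whitelist:
        reasons.append("ssid-not-whitelisted")
    if ssid in r.ssid_blacklist:
        reasons.append("ssid-blacklisted")
    if RANK[level] < RANK[r.minimum_security]:
        reasons.append("below-minimum-security")
    if level == "OPEN" and not r.allow_open_wifi:
        reasons.append("open-wifi-disallowed")
    return reasons


def audit(profiles, r):
    """Check every (ssid, security_type, eap_method) profile against r."""
    return {ssid: check_profile(ssid, sec, eap, r) for ssid, sec, eap in profiles}


# Constructed sample data.
PLANNED_PROFILES = [
    ("CORP-EAP", "802.1xEAP", "PEAP"),
    ("CORP-GUEST", "WPA/WPA2-PSK", None),
    ("LEGACY-SCANNERS", "WEP", None),
    ("corp-eap", "802.1xEAP", "TTLS"),     # differs from CORP-EAP only by case
    ("CAFE-FREE", "OPEN", None),
]
RESTRICTIONS = WifiRestrictions(
    ssid_whitelist={"CORP-EAP", "CORP-GUEST", "LEGACY-SCANNERS"},
    minimum_security="PEAP",
    allow_open_wifi=False,
)

if __name__ == "__main__":
    for ssid, reasons in audit(PLANNED_PROFILES, RESTRICTIONS).items():
        print(f"{ssid:16} {'OK' if not reasons else ', '.join(reasons)}")
```
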

Security

Fully Managed will be referred to as DO (Device Owner).
Work Profile will be referred to as PO (Profile Owner).
Policy
Description
Supported devices
Google Android security update policy
Allows the user to select whether to receive updates on the device.
  • Forced use: Set to receive security updates by default.
DO: Samsung Knox 2.6 or higher

Kiosk

Fully Managed will be referred to as DO (Device Owner).
Work Profile will be referred to as PO (Profile Owner).
Policy
Description
Supported devices
Task manager
Allows the use of the Task Manager.
DO: Samsung Knox 1.0 - 2.4
System bar
Use the System bar, which refers to the Status bar in the Notifications area at the top of the device and the Navigation bar in the Buttons area at the bottom.
For non-Samsung devices, even if you selected either Allow status bar only or Allow navigation bar only, both the status bar and the navigation bar will be disabled.
DO: Samsung Knox 1.0 or higher
Multiple windows
Allows the use of multiple windows. This is available for devices that provide the functionality of multiple windows.
DO: Samsung Knox 1.0 or higher
Air command
Allows the use of Air command. Air command is a function provided on Samsung devices. Menu items appear when the user brings an S pen close to the screen.
Note
Air command is not available on Kiosk mode devices with Android Pie (9.0) or higher.
DO: Samsung Knox 2.2 or higher
Air view
Allows the use of Air view. Air view is a function provided on Samsung devices. Users can preview a picture or email when they bring the S pen or finger close to the picture or other content.
DO: Samsung Knox 2.2 or higher
Edge screen
Allows the use of the Edge screen of the device. The Edge screen allows users to create shortcuts on the edges of the screen panel to frequently used applications, favorite contacts, or the camera.
DO: Samsung Knox 2.5 or higher

Application

Fully Managed will be referred to as DO (Device Owner).
Work Profile will be referred to as PO (Profile Owner).
Policy
Description
Supported devices
Battery optimization exceptions
Set to exempt applications from the battery optimization mode.
Note
This policy may cause battery loss.
DO/PO: Samsung Knox 2.7 or higher
> Apps excluded from battery optimization
Add applications to be exempted from battery optimization mode.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.

Browser

Fully Managed will be referred to as DO (Device Owner).
Work Profile will be referred to as PO (Profile Owner).
Policy
Description
Supported devices
Cookies
Allows cookies in the Android browser.
Note
If cookies are not allowed, you cannot access websites that authenticate users with cookies.
DO: Samsung Knox 1.0 or higher
JavaScript
Allows JavaScript in the Android browser.
DO: Samsung Knox 1.0 or higher
Autofill
Allows auto-completion of information that you enter on websites in the Android browser.
DO: Samsung Knox 1.0 or higher
Pop-up block
Allows blocking pop-ups in the Android browser.
DO: Samsung Knox 1.0 or higher
Browser proxy URL
Set the proxy server address for the Android browser. Enter the value in the form of IP:port or domain:port in the fields.
Note
  • The Chrome browser and Samsung S browser are supported.
  • The supported version for Chrome is Knox 4.0.1 - 5.6.
DO: Samsung Knox 1.0.1 or higher

Phone

Fully Managed will be referred to as DO (Device Owner).
Work Profile will be referred to as PO (Profile Owner).
Policy
Description
Supported devices
Prohibit voice call
Prohibits incoming and outgoing voice calls.
> Voice call
Specifies the types of voice calls to block:
  • Incoming: Blocks incoming voice calls only.
  • Outgoing: Blocks outgoing voice calls only.
If both are selected, only emergency calls can be made or received.
DO: Samsung Knox 1.0 or higher
Disallow SMS/MMS
Allows sending and receiving SMS/MMS messages.
> Disallow Incoming/Outgoing SMS/MMS
Select the types of SMS/MMS messages to disable.
Note
At least one of the types should be selected.
DO: Samsung Knox 1.0 or higher
WAP push during roaming
Allows WAP push communications while roaming.
DO: Samsung Knox 1.0 or higher
Data sync during roaming
Allows data synchronization while roaming.
DO: Samsung Knox 1.0 or higher
Voice calls during roaming
Allows voice calls while roaming.
DO: Samsung Knox 1.0 or higher
Use SIM card locking
Prevents the use of the SIM card on a user device. To use this policy, the default PIN of the SIM card should be entered. Then, the new PIN number for the SIM card should be entered.
If the locked SIM card is registered to another device, the device is locked and the user must enter a valid PIN to unlock it.
DO: Samsung Knox 1.0 or higher
> Default SIM PIN
Enter the default PIN found on the SIM card.
The value must be a number of 4 - 8 digits.
Note
This policy is intended for use by Corporate-Owned, Personally Enabled (COPE) devices and is only applied if the PIN found on the SIM card matches the default PIN.
> New SIM PIN
Enter the new PIN number for the SIM card. The new PIN number can be found next to SIM PIN Number in the “Network“ tab of the “Device Detail” page.
The value must be a number of 4 - 8 digits.
Cellular Data
Allows the use of a cellular data connection.
DO: Samsung Knox 3.0 or higher
Manage RCS Messaging
Allows Rich Communication Services (RCS) on the device.
DO: Samsung Knox 3.0 or higher
> Set Disclaimer Text for Messages
Set a disclaimer text for all outgoing SMS and MMS messages. The disclaimer text should be limited to 30 characters.

Firewall

Fully Managed will be referred to as DO (Device Owner).
Work Profile will be referred to as PO (Profile Owner).
Policy
Description
Supported devices
Firewall
Set to use the firewall to set target IP addresses. The firewall policy is enabled by default.
DO/PO: Samsung Knox 1.0 - 2.4.1
> Permitted policy (IP)
Input values to permit the target IP and port address. Configure the following:
  1. Enter the Package Name of the application, or click Add to search for it.
  2. Input the IP Address (range) and Port (range).
  3. Select the Network Type:
    • All
    • Data: Only mobile network access is enabled.
    • Wi-Fi: Only Wi-Fi network access is enabled.
  4. Select Port Range:
    • All
    • Local: Port access from the device is enabled.
    • Remote: Port access from the target server is enabled.
  5. Click to add.
Note
Before setting this policy, disable all IPs by entering a wildcard character (*) to the Prohibited Policy (IP) ranges.
DO/PO: Samsung Knox 2.5 or higher
> Prohibited policy (IP)
Input values to prohibit the target IP and port address. Configure the following:
  1. Enter the Package Name of the application, or click Add to search for it.
  2. Enter the IP Address (range) and Port (range).
    • Enter a wildcard character (*) as an IP Address to prohibit the use of the bandwidth.
  3. Select Network Type:
    • All
    • Data: Mobile network access is disabled.
    • Wi-Fi: Wi-Fi network access is disabled.
  4. Select Port Range:
    • All
    • Local: Port access from the device is disabled.
    • Remote: Port access from the target server is disabled.
  5. Click to add.
Note
When entering the IP address, you can use a wildcard character (*) to disable the bandwidth usage.
DO/PO: Samsung Knox 2.5 or higher
> Permitted policy (Domain)
Input values to permit the target domain address.
  1. Enter the Package Name of the application, or click Add to search for it.
  2. Input the IP Address (range) and Port (range).
Note
  • Before setting this policy, disable all domains by entering a wildcard character (*) to the Prohibited policy (Domain) ranges.
  • Use a wildcard character (*) to allow the use of a specific domain. The character must be placed before or after the domain name.
e.g.) *android.com / www.samsung*
DO/PO: Samsung Knox 2.6 or higher
> Prohibited policy (Domain)
Input values to prohibit the target domain address.
  1. Enter the Package Name of the application, or click Add to search for it.
  2. Input the IP Address (range) and Port (range).
Note
Use a wildcard character (*) to prohibit a specific domain.
DO/PO: Samsung Knox 2.6 or higher
> DNS setting
Input values to specify the domain server address of all applications or registered applications.
  1. Enter the Package Name of the application, or click Add to search for it.
  2. Input DNS values.
    • DNS1: Primary DNS.
    • DNS2: Secondary DNS.
Note
Only one DNS per application can be set and it is effective only when there are no VPN or Proxy policies assigned to the application.
DO/PO: Samsung Knox 2.7 or higher
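The notes in this table set preconditions that are easy to miss when entering rules by hand: a permitted entry needs a prohibited wildcard (*) entry first, a domain wildcard may sit only before or after the name, and a DNS setting is set once per application and has no effect alongside a VPN or Proxy policy. The following Python check of a planned rule set is an added example, not Knox Manage code; the dict layout, the `start-end` range notation, the finding codes, the package names and the assumption that the prohibited wildcard is entered per package are all made up for the illustration.

```python
import ipaddress

# Constructed sample of a planned rule set (layout assumed for this example;
# Knox Manage takes these values through the console fields described above).
PLANNED_RULES = [
    {"package": "com.example.mail", "action": "prohibit", "target": "ip",
     "address": "*", "port": "*"},
    {"package": "com.example.mail", "action": "permit", "target": "ip",
     "address": "192.0.2.10-192.0.2.20", "port": "443"},
    {"package": "com.example.crm", "action": "permit", "target": "domain",
     "address": "*android.com"},
    {"package": "com.example.crm", "action": "permit", "target": "domain",
     "address": "www.*.example"},
    {"package": "com.example.chat", "action": "prohibit", "target": "ip",
     "address": "198.51.100.7", "port": "70000"},
]
PLANNED_DNS = [
    {"package": "com.example.mail", "dns1": "192.0.2.53", "dns2": "192.0.2.54"},
    {"package": "com.example.vpnapp", "dns1": "192.0.2.53", "dns2": "not-an-ip"},
]


def valid_ip_field(value):
    """Accept '*', one address, or 'start-end' (assumed range notation)."""
    if value == "*":
        return True
    parts = value.split("-")
    if len(parts) > 2:
        return False
    try:
        addrs = [ipaddress.ip_address(p.strip()) for p in parts]
    except ValueError:
        return False
    return len(addrs) == 1 or (
        addrs[0].version == addrs[1].version and addrs[0] <= addrs[1])


def valid_port_field(value):
    """Accept '*', one port, or 'low-high' (assumed notation), within 1-65535."""
    if value == "*":
        return True
    parts = [p.strip() for p in value.split("-")]
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        return False
    ports = [int(p) for p in parts]
    return all(1 <= p <= 65535 for p in ports) and ports[0] <= ports[-1]


def valid_domain_pattern(value):
    """'*' alone, or a name with '*' only before or after it (*android.com)."""
    if value == "*":
        return True
    core = value[1:] if value.startswith("*") else value
    core = core[:-1] if core.endswith("*") else core
    return bool(core) and "*" not in core   # rejects a wildcard inside the name


def lint_firewall(rules, dns_settings=(), vpn_or_proxy_packages=()):
    """Return (location, code) findings for a planned firewall/DNS rule set."""
    findings = []
    # (package, target) pairs that already have a prohibited '*' entry.
    deny_all = {(r["package"], r["target"]) for r in rules
                if r["action"] == "prohibit" and r["address"] == "*"}
    for i, r in enumerate(rules):
        where = f"rule {i} ({r['package']})"
        if r["target"] == "ip":
            if not valid_ip_field(r["address"]):
                findings.append((where, "bad-ip"))
            if not valid_port_field(r.get("port", "*")):
                findings.append((where, "bad-port"))
        elif not valid_domain_pattern(r["address"]):
            findings.append((where, "wildcard-inside-domain"))
        # Note in the table: prohibit everything with '*' before permitting.
        if r["action"] == "permit" and (r["package"], r["target"]) not in deny_all:
            findings.append((where, "permit-without-prohibit-all"))
    seen = set()
    for d in dns_settings:
        where = f"dns ({d['package']})"
        if d["package"] in seen:
            findings.append((where, "duplicate-dns"))
        seen.add(d["package"])
        if d["package"] in vpn_or_proxy_packages:
            findings.append((where, "dns-ignored-vpn-or-proxy"))
        for key in ("dns1", "dns2"):
            try:
                ipaddress.ip_address(d[key])
            except ValueError:
                findings.append((where, f"bad-{key}"))
    return findings


if __name__ == "__main__":
    for where, code in lint_firewall(PLANNED_RULES, PLANNED_DNS,
                                     {"com.example.vpnapp"}):
        print(f"{where}: {code}")
```

A `permit-without-prohibit-all` finding is the one to resolve first: without the prohibited wildcard entry, the permitted list does not act as an allowlist.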

DeX

Samsung DeX is an accessory that extends the functionalities of a mobile device. By connecting a monitor, keyboard, and mouse to a DeX docking station, the mobile device can function as a desktop computer.
In Knox Manage, you can allow the use of DeX mode and control applications according to the Application execution blacklist setting.
Fully Managed will be referred to as DO (Device Owner).
Work Profile will be referred to as PO (Profile Owner).
Policy
Description
Supported devices
Allow DeX Mode
Allows the use of DeX mode.
  • Disallow: The DeX station will not function even if a mobile device is mounted on it.
DO: Samsung Knox 3.0 or higher
Allow Ethernet Only
Allows ethernet only for DeX. Mobile data, Wi-Fi, and tethering are blocked.
DO: Samsung Knox 3.0 or higher
App execution blacklist(Android)
Use the blacklist for running DeX applications.
> App execution blacklist
Prohibits launching the specified applications.
When this policy is enabled and applied, the icons of the blocked applications will disappear so that users cannot launch them. However, the applications are not deleted. The icons will reappear once the policy is changed or Knox Manage is disabled.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
Note
Any applications that already have been added to the Application whitelist cannot be added to the Application blacklist.
DO: Samsung Knox 3.0 or higher

APN

You can add more APN policy sets by clicking .
Policy
Description
Configuration ID
Enter an ID name to be displayed on the device.
Description
Enter a description for an APN.
Remove available
Allows users to delete APN settings. If you choose Disallow, then the button used to delete APN settings is disabled.
Access Point Name (APN)
Enter the name of the access point.
Access Point Type
Select the type of the access point.
  • Default: default type.
  • MMS: Multimedia Messaging Service.
  • Supl: IP-based protocol to receive GPS satellite signals.
Mobile Country Code (MCC)
Enter the country code for the APN.
Mobile Network Code (MNC)
Enter the carrier network code for the APN.
MMS Server (MMSC)
Enter the server information for sending multimedia messages.
MMS Proxy Server
Enter the information of the proxy server for sending multimedia messages.
MMS Proxy Server Port
Enter the port number of the proxy server for sending multimedia messages.
Server
Enter the WAP gateway server name.
Proxy Server
Enter the information of the proxy server.
Proxy Server Port
Enter the port number of the proxy server.
Access Point Username
Enter the user name of the access point.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
Access Point Password
Enter the password of the access point.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
Authentication Method
Select an authentication method.
  • None: Disables authentication.
  • PAP: Requires a user name and password for authentication.
  • CHAP: Uses encryption with a Challenge string for authentication.
  • PAP or CHAP: Uses the PAP or CHAP authentication method.
Set as Preferred APN
Applies APN settings to the device.

Configuring Android Legacy Policies

Create a profile and register policies for Android Legacy devices.
You can configure the policies below for Android Legacy devices. The availability of each policy varies depending on the OS version.
  • Provides backup and restore settings, developer options, and other features. Updates the operating system on a device.
  • Controls the network settings, such as Bluetooth, Wi-Fi Direct, and tethering.
  • Configures the security settings, such as the password and lock screen.
  • Configures Kiosk applications on a Kiosk device and controls the device settings.
  • Configures options for application controls such as installation, verification, and permission.
  • Allows the use of GPS or collecting location data from a device.
  • Allows the use of the default web browser and configures the settings for it.
  • Configures the phone settings, such as airplane mode, the microphone, and the cellular network settings.
  • Configures the IP or a domain firewall policy for each application.
  • Allows performing logging and configuring the settings.
  • Allows the use of DeX mode, an interface to use a mobile device like a desktop.
  • Configures the Wi-Fi settings, such as SSID, security type, and proxy.
  • Configures the settings of Microsoft Exchange ActiveSync accounts to synchronize data with it.
  • Configures the settings of a POP or IMAP email account.
  • Configures the bookmark settings, such as the configuration ID and installation area.
  • Configures the APN (Access Point Name) settings.
  • Configures a VPN (Virtual Private Network) on Samsung Galaxy devices.
  • Configures a VPN (Virtual Private Network) on Android devices.
  • Allows using new certificate authority (CA) certificates and configuring the certificate settings.

System

Policy
Description
Supported devices
Factory reset
Allows a device factory reset.
  • Disallow: Factory reset using the hardware button is prevented. However, factory reset using the firmware update utility cannot be prevented.
Samsung Knox 1.0 or higher
Power off
Allows powering off the device.
  • Disallow: The power off option menu does not appear even with the use of a power button. However, powering off by separating the battery cannot be prevented. Factory reset is prohibited if this policy is disallowed.
Samsung Knox 1.0 or higher
Backup
Allows backup of the device data.
Note
If the backup function can be found on your device at Google > Backup, it may seem possible to turn the backup setting on or off, even if this policy is set to Disallow. However, the functionality of backup is prohibited, regardless of mobile UI, when the Backup policy is set to Disallow.
Samsung Knox 1.0 or higher
OTA upgrade
Allows an OTA upgrade for the device.
Samsung Knox 1.0 or higher
Settings
Allows the configuration of the System Settings.
Samsung Knox 1.0 or higher
System app close
Allows force closing system applications.
Samsung Knox 1.0 or higher
App crash report to Google
Allows reporting the application error occurrence information to Google.
Samsung Knox 1.0 or higher
Multiple users
Allows multiple users.
Samsung Knox 1.0 or higher
Expand status bar
Allows the expansion of the status bar.
Samsung Knox 1.0 or higher
Change wallpaper
Allows changing the home and the lock screens.
Samsung Knox 1.0 or higher
Automatic Date and Time
Allows changing the date and time.
Samsung Knox 1.0 or higher
Camera
Allows using the camera.
Note
If the camera in the general area is restricted, the camera in the Knox Workspace is also restricted.
Samsung Knox 1.0 or higher, Android 4.0 or higher
> Face recognition camera
Allows use of the camera for face unlock even when the camera is disabled in the Camera policy. This policy is available when Camera is set to Disallow all.
Samsung Knox 3.2.1 or higher
Screen capture
Allows use of the screen capture function, which is already set as default.
Samsung Knox 1.0 or higher
Clipboard
Allows the clipboard feature throughout the entire system.
  • Allow within the same app: Allows using the clipboard feature only within the same application.
Samsung Knox 1.0 or higher
Share via apps
Allows the share app function.
Samsung Knox 1.0 or higher
S Beam
Allows using Android Beam which transfers data via NFC.
Note
Android 10 (Q) or higher devices are not supported.
Samsung Knox 1.0 or higher
Encryption for storage
Specifies the encryption of the device’s system storage or the external SD card.
Samsung Knox 1.0 or higher, Android 1.0 or higher
> Storage encryption
Check the checkbox to select the storage to be encrypted.
Note
External SD card encryption is applicable to Samsung Galaxy devices only.
External SD Card
Allows using the external SD card.
Samsung Knox 1.0 or higher
> Write to external SD card
Allows writing to an external SD card.
Note
If the external SD card policy is allowed but the Write to external SD card policy is not, then external SD cards can only be read and do not have reset control.
Samsung Knox 1.0 or higher
Unauthorized SD Card
Allows using unauthorized SD cards.
Android 1.0 (SDK1 or higher)
If compromised OS is detected
Select the control function to be triggered if device OS tampering is detected.
  • Lock device: Locks the device.
Note
Android 10 (Q) or higher devices are not supported.
  • Lock Email: Locks email use.
  • Factory reset + Initialize SD card: Simultaneously factory resets the user device and the SD card.
  • Factory reset (only): Resets the user device but not the SD card.
Note
The Factory reset (only) function is unsupported in Android 2.0 or lower. To reset the device, select the Factory reset + Initialize SD card option.
Samsung Knox 1.0 or higher
Smart Select
Allows using Smart Select, a Samsung device feature that lets users clip content by drawing a circle with the S Pen. Clipped content can be used in notes or anywhere else.
Samsung Knox 2.2 or higher
Device Administrators to install and activate apps
Specifies to run or install EMM applications other than the Knox Manage application.
  • Allow: Allows installing or enabling EMM applications.
  • Disallow installation: Disallows installing EMM applications.
  • Disallow activation: Disallows enabling EMM applications.
Note
You cannot control this policy if another EMM application is active before the policy has been set.
Samsung Knox 2.0 or higher
> Exceptional app whitelist
Allows installing or activating select EMM applications by adding them to the whitelist. This policy is available only when the Device Administrator to Install and Activate apps policy is set to Disallow installation or Disallow activation.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
  • Disallow installation: Only the whitelisted applications are allowed to be installed.
  • Disallow activation: Only the whitelisted applications are allowed to be activated.
Samsung Knox 2.0 or higher
Developer mode
Allows using the developer mode.
Samsung Knox 2.0 or higher
> Background process limitation
Allows setting the default number of background processes.
If this policy is disabled, the number of background processes will be set at the maximum number.
Samsung Knox 1.0 or higher
> Quit application upon killing activities
Enables closing all running applications when the user logs out of the device.
If this policy is disabled, the activation setting is disabled on the device and the user cannot control the device settings.
Samsung Knox 1.0 or higher
> Mock location
Allows using the mock location, which specifies an arbitrary location for development or test purposes.
Use this policy if location information from the Update Device Information of the Send Device Command seems incorrect.
Samsung Knox 1.0 or higher
Safe mode
Allows using Safe Mode. This policy retains device control functions such as camera control, but not Knox Manage applications and preloaded applications.
Samsung Knox 1.0 or higher
Reboot banner
Allows using the reboot banner which appears on the user’s device when the device reboots.
Samsung Knox 1.0 or higher
> Reboot banners stationery
Enter the text for the reboot manager. You can enter up to 1000 bytes.
Note
You can customize banners for Samsung Knox 2.2 or higher devices. For Samsung Knox 1.0 devices, only the message or banner registered by the manufacturer is displayed.
Samsung Knox 2.2 or higher
Domain blacklist Settings
Allows using the domain blacklist.
Samsung Knox 1.0 or higher
> Domain blacklist
Enter a domain blacklist that should not be used when registering an Exchange or email account.
  • To add a domain, enter the domain name in the field, and click Add.
  • To delete a domain, click next to the added domain name.
NTP Settings
Allows using the NTP (Network Time Protocol) server. Register this server to sync the server time to a device.
Samsung Knox 2.5 or higher
> Server address
Enter the NTP server address.
Samsung Knox 2.5 or higher
> Maximum number of attempts
Set the maximum number of attempts for connecting to the NTP server to retrieve the time information.
The value can be between 1 – 100 times.
Samsung Knox 2.5 or higher
> Polling cycle (hr)
Set the cycle to reconnect to the server via NTP.
The value can be between 1 – 8760 hours (8760 = 1 year).
Samsung Knox 2.5 or higher
> Short polling cycle (sec)
Set the cycle to re-connect to the NTP server after experiencing a timeout.
The value can be between 1 – 1000 seconds.
Samsung Knox 2.5 or higher
> Timeout (sec)
Set the connection timeout on the NTP server.
The value can be between 1 – 1000 seconds.
Samsung Knox 2.5 or higher
Set Notifications from an event to On.
Sets the device to display notifications when a device control event is applied.
  • User Defined: Users can set event notifications on the device from the Settings menu of Knox Manage Agent.
  • Show notification: Displays the notification when an event for device control is applied.
  • Hide notifications: Hides the notification when an event for device control is applied.
Samsung Knox 1.0 or higher, Android 1.0 or higher
Set Notifications from an event to Off.
Sets the device to display the notifications when an event for device control is disengaged.
  • User Defined: Users can set event notifications on the device from the Settings menu of Knox Manage Agent.
  • Show notification: Displays a notification when an event for device control is disengaged.
  • Hide notifications: Hides a notification when an event for device control is disengaged.
Samsung Knox 1.0 or higher, Android 1.0 or higher
Fix Event Notification
Set the removal of the notification from the device Quick panel.
  • User Defined: Users can remove notifications on the device from the Settings menu of Knox Manage Agent.
  • Disallow to Remove Notification: Users cannot remove notifications on the device Quick Panel.
  • Allow to Remove Notification: Users can remove notifications on the device Quick Panel.
Samsung Knox 1.0 or higher, Android 1.0 or higher
Control Power saving mode
Allows power saving control on the device.
Samsung Knox 2.8 or higher
Firmware download mode control
Allows using the hardware key on the device to update firmware.
  • Disallow: Disallows updating firmware with the hardware key and performing a factory reset.
Samsung Knox 2.0 or higher
Samsung Keyboard settings control
Allows accessing the settings key from the Samsung keyboard.
Samsung Knox 2.0 or higher
Data Saver Mode
Allows the device to use the data saver mode automatically.
Samsung Knox 3.0 or higher

Interface

Policy
Description
Supported devices
Wi-Fi
Allows using Wi-Fi. If the Wi-Fi policy has not been applied successfully, the device will try to apply it again 30 minutes later after Knox Manage is activated.
  • Allow: Allows using Wi-Fi.
  • Disable On: Disallows turning on Wi-Fi. It is turned off at all times.
  • Disable Off: Disallows turning off Wi-Fi. It is turned on at all times.
Samsung Knox 1.0 or higher, Android 1.0 or higher
> Wi-Fi Direct
Allows use of the Wi-Fi Direct (Wi-Fi P2P) connection.
Note
  • Set the Wi-Fi policy to Allow or Disable Off before using this policy.
  • Depending on the device type, the direct connection of the two devices may cause the function or the menu to get controlled.
Samsung Knox 1.0 or higher
Wi-Fi hotspot
Allows use of the Wi-Fi hotspot.
Samsung Knox 1.0 or higher, Android 2.3 or higher
Wi-Fi SSID whitelist setting
Allows using the Wi-Fi SSID whitelist. Devices can only connect to the Wi-Fi APs on the whitelist.
Note
For non-Samsung devices with Android 8.0 or a higher version, this policy can only be applied when it has been agreed to grant access to location information.
Samsung Knox 1.0 or higher, Android 1.0 or higher
> Wi-Fi SSID whitelist
Add Wi-Fi APs to the whitelist. This policy is irrelevant to adding or deleting the Wi-Fi setting profile.
  • To add a Wi-Fi AP, enter a Wi-Fi SSID and click Add.
  • To add all Wi-Fi APs, click Add all to access the Wi-Fi list.
  • To delete a Wi-Fi AP, select a Wi-Fi SSID and click .
Android 1.0 (SDK1) or higher
Samsung Knox 1.0 or higher
Wi-Fi SSID Blacklist setting
Allows using the Wi-Fi SSID blacklist. Devices cannot connect to Wi-Fi APs on the blacklist.
Note
For non-Samsung devices with Android 8.0 or a higher version, this policy can only be applied when it has been agreed to grant access to location information.
> Wi-Fi SSID Blacklist
Add Wi-Fi APs to the blacklist. This policy is irrelevant to adding or deleting the Wi-Fi setting profile.
  • To add a Wi-Fi AP, enter a Wi-Fi SSID and click Add.
  • To add all Wi-Fi APs, click Add all to access the Wi-Fi list.
  • To delete a Wi-Fi AP, select a Wi-Fi SSID and click .
Samsung Knox 1.0 or higher, Android 1.0 or higher
Wi-Fi auto connection
Allows automatic connection to Wi-Fi SSID already stored in the device.
Samsung Knox 1.0 or higher
Wi-Fi minimum security level setting
Set a minimum security level for Wi-Fi.
The security level increases in the following ascending order: OPEN < WEP < WPA < LEAP, PWD < FAST, PEAP < TLS, TTLS, SIM, AKA, AKA’
Samsung Knox 1.0 or higher
Bluetooth
Allows using Bluetooth.
  • Allow: Allows using Bluetooth.
  • Disable On: Disallows turning on Bluetooth. It is turned off at all times.
  • Disable Off: Disallows turning off Bluetooth. It is turned on at all times.
Samsung Knox 1.0 or higher, Android 1.0 or higher
> Desktop PC connection
Allows Desktop PC connections with the user’s device via Bluetooth.
Samsung Knox 1.0 or higher
> Data transfer
Allows data exchanges with other devices via Bluetooth connection.
Samsung Knox 1.0 or higher
> Search mode
Allows device search via Bluetooth.
Samsung Knox 1.0 or higher
> Bluetooth tethering
Allows Bluetooth tethering to share the internet connection with another device.
Samsung Knox 1.0 or higher, Android 4.2 or higher
Bluetooth UUID Black/Whitelist
Select a method to connect Bluetooth devices based on their Universal Unique Identifier (UUID).
  • Blacklist configuration: Set a device to block Bluetooth connections from certain devices.
  • Whitelist configuration: Set a device to allow Bluetooth connections to certain devices.
> Bluetooth UUID blacklist
Select devices to block Bluetooth connections with. Click the checkboxes for Audio, File transfer, Phonebook, Headsets, or Hands-free.
Note
When the policy is updated, the current Bluetooth connection is disconnected. Users must reconnect.
Samsung Knox 1.0 or higher
> Bluetooth UUID whitelist
Select devices to allow Bluetooth connections with. Click the checkboxes for Audio, File transfer, Phonebook, Headsets, or Hands-free.
Note
When the policy is updated, the current Bluetooth connection is disconnected. Users must reconnect.
Samsung Knox 1.0 or higher
NFC control
Allows NFC (Near Field Communication) control.
Note
  • Samsung Knox 2.4 or higher is supported for Knox Workspace devices.
  • Android 10 (Q) or higher devices are not supported.
Samsung Knox 1.0 or higher
PC connection
Allows connecting the user’s device to a PC.
Samsung Knox 1.0 or higher, Android 1.0 or higher
USB tethering
Allows USB tethering.
Samsung Knox 1.0 or higher, Android 1.0 or higher
USB host storage (OTG)
Allows a device connection via OTG (On the Go). OTG controls only the storage items and not the non-storage items, such as a keyboard or mouse.
Note
To use DeX when the USB host storage (OTG) policy is disallowed, enable DeX in the Set USB exception allowed list policy. Then configure the Allow DeX mode policy to Allow.
Samsung Knox 1.0 or higher
> Set usb exception allowed list
Specify the use for the exception allowed list once the USB host storage (OTG) policy is disallowed.
Samsung Knox 3.0 or higher
> USB exception allowed list
Select the USB interface to use if the USB host storage (OTG) policy is disallowed.
Samsung Knox 3.0 or higher
USB debugging
Allows USB debugging.
Samsung Knox 1.0 or higher
Microphone
Allows use of the microphone.
Samsung Knox 1.0 or higher, Android 1.0 or higher
> Recording
Allows the use of microphone recording.
Samsung Knox 1.0 or higher
> S Voice
Allows the use of S Voice.
Samsung Knox 1.0 or higher
GPS
Allows using GPS.
  • Allow: Allows using GPS.
  • Disable On: Disallows turning on GPS. It is turned off at all times.
  • Disable Off: Disallows turning off GPS. It is turned on at all times.
Note
  • To use this policy, the GPS type on the user device must be set as one of the three types: High accuracy, Sleep, and GPS.
  • Devices running Android 10 (Q) or higher are not supported.
Samsung Knox 1.0 or higher
Wearable equipment policy inheritance
Set to use the existing Mobile policy for the Gear policy.
Samsung Knox 2.6 or higher

Security

Policy
Description
Supported devices
Device Password
Set the password for the device screen lock. Use of the camera is prohibited when the device is screen locked.
Note
  • When a user has forgotten their screen lock password, an administrator needs to send the Reset screen password device command, and then the user needs to enter a temporary password. A temporary password is generated randomly according to the set Device Password policies. For more information, see the screen lock password in Viewing the device details.
  • For Knox Workspace devices with a One Lock password, the password policy which is stronger between the Android Legacy and Knox Workspace area will be applied.
> Minimum strength
Set the minimum password strength on the screen.
The password strength increases in the following ascending order: Pattern < Numeric < Must be alphanumeric < Must include special characters.
  • Pattern: Set the password using a pattern or a password with a higher degree of complexity.
  • Numeric: Set the password using numbers or a password with a higher degree of complexity.
  • Alphanumeric: Set the password using alphanumeric characters or a password with a higher degree of complexity.
  • Complex: Set it so that the passwords must include alphanumeric and special characters.
Samsung Knox 2.0 or higher, Android 2.2 or higher
>> Maximum Failed Login Attempts
Set the maximum number of incorrect password attempts before access is restricted.
The value can be between 1 - 10 times.
Note
You can set this only when Numeric, Alphanumeric, or Complex is selected.
Samsung Knox 2.0 or higher, Android 2.2 or higher
>>> If maximum failed login attempts exceeded
Select the action to be performed when the maximum number of failed attempts is reached.
Note
Samsung Knox 1.0 or higher is supported for Knox Workspace devices.
  • Lock device: Locks the device.
Note
Android 10 (Q) or higher devices are not supported.
  • Factory reset + Initialize SD card: Simultaneously resets the user device and the SD card.
  • Factory reset: Resets the user device but not the SD card.
Samsung Knox 2.0 or higher, Android 2.2 or higher
>> Minimum length
Set the minimum length of the password.
The value can be between 4 - 16 characters.
Note
Minimum length of the pattern password refers to the number of lines connecting each dot. For example, if the policy value is 4, at least four lines connecting five dots must be entered.
Samsung Knox 2.0 or higher, Android 2.2 or higher
>> Expiration after (days)
Set the maximum number of days before the password must be reset.
The value can be between 0 - 365 days.
Note
Samsung Knox 2.0 or higher is supported for Knox Workspace devices.
Samsung Knox 1.0 or higher, Android 3.0 or higher
>> Manage password history (times)
Set the minimum number of new passwords that must be used before a user can reuse the previous password.
The value can be between 0 - 10 times.
Note
If the password is ‘Knox123!’ and the minimum value is set as 10, the user must use ten other passwords before reusing ‘Knox123!’ as password.
Samsung Knox 1.0 or higher, Android 3.0 or higher
>> Screen Lock Timeout (min)
Set the duration for locking the device when the user has not set up a password for the screen lock.
The value can be between 0 - 60 minutes.
Samsung Knox 1.0 or higher
>> Maximum length of sequential numbers
Set the maximum number of consecutive numeric characters allowed in a password.
The value can be between 1 - 10 words.
Samsung Knox 1.0 or higher
>> Maximum length of sequential characters
Set the number of consecutive letters allowed in a password.
The value can be between 1 - 10 words.
Samsung Knox 1.0 or higher
>> Block function setting on lock screen
Allows blocking functions on the lock screen.
Note
  • The visibility of the notifications on the lock screen depends on the options you set in the application.
  • Samsung Knox 2.4 - 2.9 is supported for Knox Workspace devices.
Android 5.0 or higher
>>> Block functions on lock screen
Select the function to be blocked on the lock screen when a password policy is set on a device.
  • All: Blocks all functions on the lock screen.
  • Camera: Blocks direct camera control on lock screen.
  • Trust Agent: Blocks the Smart Lock function which automatically unlocks the screen in certain conditions, such as during a certain physical activity, at a specific location, or when devices are added.
  • Fingerprint: Blocks the fingerprint unlock function.
  • Previews in pop-ups: Displays notifications on the lock screen but hides private content set in the application.
  • Notifications: Hides all notifications on the lock screen.
Note
This policy can be implemented only when the password level is set to pattern or higher.
> Maximum screen timeout
Set the maximum time limit that a user can linger before screen timeout.
Samsung Knox 2.0 or higher, Android 2.2 or higher
Connection attempt between server and device
Allows Knox Manage to retry connecting according to the value that you specified when the device is disconnected from Knox Manage. If not specified, communication will be reattempted twice every 15 minutes.
> Communication retry count
Set a retry count when a device is disconnected from Knox Manage and Knox Manage retries connecting to the device in 1 minute intervals.
If the device is disconnected continuously despite retrying on the specified count, Knox Manage will retry connecting according to the Communication retry interval (min) below.
The value can be between 1 - 60 times.
Android 1.0 (SDK 1) or higher
> Communication retry interval (min)
Set a retry interval for when a device is disconnected from Knox Manage. If Knox Manage receives the event that the device is available, the server will try to connect immediately despite the waiting time.
The value can be between 1 - 60 minutes.
Android 1.0 (SDK 1) or higher
Smartcard Browser Authentication
Allows Smartcard Browser Authentication within the internet browser.
When the policy is allowed, the Bluetooth security mode is applied while the device is connected to the smart card reader and will not accept other Bluetooth connections.
Note
  • To use this policy, Bluetooth smart card-related applications must be installed on the device and the smartcard must be registered in the Settings menu of the device.
  • Android 10 (Q) or higher devices are not supported.
Samsung Knox 1.0 or higher
Certificate deletion
Prevents users from deleting the certificate in the Settings menu of the device.
Samsung Knox 1.0 or higher
Certificate verification during installation
Set the system to validate the certificate during installation. If the certificate fails validation, it cannot be installed.
Samsung Knox 1.0 or higher
Attestation
Communicates with the attestation server to determine whether the user’s device is forged. If no option is selected, attestation will not be processed.
Samsung Knox 1.0.1 or higher
> Action when verification fails
Set the measure for when forgery of the device firmware is detected. If detected, the creation of a new Knox Workspace and the use of the existing Knox Workspace are prohibited.
  • Lock Knox Workspace: Locks the Knox Workspace.
  • Delete Knox Workspace: Deletes the Knox Workspace.
  • Lock device: Locks the device.
Note
Android 10 (Q) or higher devices are not supported.
  • Factory reset + Initialization SD Card: Simultaneously factory resets the user’s device and the SD card.
  • Factory reset: Resets the user device but not the SD card.
Samsung Knox 1.0.1 or higher
Google Android security update Policy
Allows the user to select whether to receive updates on the device.
  • Forced use: Set to receive security updates by default.
Samsung Knox 2.6 or higher

Kiosk

Policy
Description
Supported devices
Kiosk app settings
Select a Kiosk feature to use on a device.
  • Single app: Runs a single application on the device’s home screen.
  • Multi app: Runs multiple applications that are developed using the Kiosk Wizard.
  • Kiosk Browser: Opens webpages that are specified by the administrator.
Note
  • To use the Kiosk Browser, the Kiosk Browser application must be registered as a Knox Manage application. For more details, contact the TMS administrator.
  • Kiosks are not available with non-Samsung Android Legacy devices.
Samsung Knox 1.0 or higher
> Set application
Click Select and select a single Kiosk application from the list. Alternatively, click Add and manually add applications. For more information about adding single applications, see Creating a Single App Kiosk.
Samsung Knox 1.0 or higher
> Set application
Click Select and select multiple Kiosk applications from the list. Alternatively, click New and create a Multi App Kiosk using the Kiosk Wizard. To learn how to use the Kiosk Wizard, see Exploring Kiosk Wizard.
Samsung Knox 1.0 or higher
> Set Kiosk Browser
When setting up the Kiosk Browser, the package name of the application registered as the Kiosk Browser will be automatically selected.
> Default URL
Set the default page URL to call in the Kiosk Browser.
You can enter a URL of up to 128 bytes, including alphanumeric characters and some special characters (_, ., -, *, /).
> Screen Saver
Use the screen saver for the Multi App Kiosk and the Kiosk Browser. When no user activity has been sensed for the amount of time set in the Auto Screen Off or Session Timeout settings on the device, the registered images or video files are shown on the device display.
Note
  • The Screen Saver only runs while the device is charging.
  • The Screen Saver for the Kiosk Browser only runs while the device is connected to a power source.
>> Screen Saver Type
Select either an image or video type screensaver.
>>> Image
Select image files for the screen saver. You can add up to 10 image files in the PNG, JPG, JPEG, or GIF format (animated files are not supported). Each image file must be less than 5 MB.
  • To upload an image file, click Browse and select a file.
  • To delete an image file, click next to the name of the uploaded image file.
Note
The device control command must be transferred to the device to apply an image file to it.
>>> Video
Select a video file for the screen saver. You can add only one video file in the MP4 or MKV format. The video file must be less than 50 MB.
  • To upload a video file, click Browse and select a file.
  • To delete a video file, click next to the name of the uploaded video file.
Note
The device control command must be transferred to the device to apply a video to it.
> Session timeout
Allows the use of the session timeout feature for the Kiosk Browser. If the user does not use the device for a set time, the device deletes user information, such as the cache and cookies, in the device Kiosk Browser and goes to the main page URL:
  • Apply: Enable the session timeout feature for the browser.
>> Time (sec)
Set the session timeout in seconds for the Kiosk Browser.
The value must be between 10 and 3600 seconds (default is 1800).
> Text Copy
Allows the copying of text strings in the Kiosk Browser.
> Javascript
Allows the running of the JavaScript contained in websites.
> Http Proxy
Allows the use of an HTTP proxy for communications in the Kiosk Browser.
>> IP/Domain:Port
Set the HTTP proxy server IP or domain address, and Port. When not entered, the Port number is automatically set to 80.
> User agent settings key value
Set the key value to be added to the user agent. The Kiosk Browser sends the user agent key value in the HTTP header when it accesses the web server.
The user agent key setting can be used on the web server to detect access from browsers other than the Kiosk Browser.
Delete Kiosk app when policy is removed
Allows deleting applications along with policies from the device when the applied policy is deleted.
Samsung Knox 1.0 or higher
Task manager
Allows the use of the Task Manager.
Note
You can use the function to disable the hardware key on SDK 2.5 or later.
Samsung Knox 1.0–2.4 or higher
System bar
Use the System bar, which refers to the Status bar in the Notifications area at the top of the device and the Navigation bar in the Buttons area at the bottom.
For non-Samsung devices, even if you selected either Allow status bar only or Allow navigation bar only, both the status bar and the navigation bar will be disabled.
Samsung Knox 1.0 or higher
Prohibit hardware key
Allows the use of the hardware keys.
Samsung Knox 1.0 or higher
> Disallow hardware key(s)
Select hardware keys to disable.
The availability of Hardware keys can vary by device.
If you do not allow the use of the Task Manager, then it will not run, even if the user taps the left menu key in the Navigation bar at the bottom of the device.
Samsung Knox 1.0 or higher
Multi windows
Allows the use of multiple windows. This is available for devices that provide the functionality of multiple windows.
Samsung Knox 1.0 or higher
Air command
Allows the use of Air command. Air command is a function provided on Samsung devices. Menu items appear when the user brings an S pen close to the screen.
Samsung Knox 2.2 or higher
Air view
Allows the use of Air view. Air view is a function provided on Samsung devices. Users can preview a picture or email when they bring the S pen or finger close to the picture or other content.
Samsung Knox 2.2 or higher
Edge screen
Allows the use of the Edge screen of the device. The Edge screen allows users to create shortcuts on the edges of the screen panel to frequently used applications, favorite contacts, or the camera.
Samsung Knox 2.5 or higher

Application

Policy
Description
Supported devices
Installation of application from untrusted sources
Allows the installation of applications from untrusted sources instead of just the Google Play Store.
Note
Android 8.0 or higher is supported for Knox Workspace devices.
Samsung Knox 1.0 or higher
Play Store
Allows using the Google Play Store.
Samsung Knox 1.0 or higher
YouTube
Allows using YouTube.
Samsung Knox 1.0 or higher
App Installation Black/Whitelist Setting
Set to control the application installation policies.
If no applications are added to the Application installation blacklist and the Application installation whitelist, then no other applications except for the Knox Manage Agent will be allowed to be executed and installed.
> App installation blacklist
Add applications to prohibit their installation.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To add all applications, click Add all.
  • To delete an application, click next to the added application.
Note
  • If a control application registered with a wildcard (*) in the package name is added to this policy, the specific package will not be installed.
e.g.) com.*.emm / com.sds.* / com.*.emm.*
  • Blacklisted applications cannot be installed and will be deleted even if they were previously installed.
  • An application that has been added on the Application installation whitelist cannot be added.
Samsung Knox 1.0 or higher
> App installation whitelist
Add applications to allow their installation.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To add all applications, click Add all.
  • To delete an application, click next to the added application.
Note
  • If a control application registered with a wildcard (*) in the package name is added to this policy, the specific package will not be installed.
e.g.) com.*.emm / com.sds.* / com.*.emm.*
  • Any applications not on the whitelist are deleted, even if they are not on the blacklist.
  • An application that has been added on the Application installation blacklist cannot be added.
  • Samsung Knox 2.0 or higher is supported for Knox Workspace devices.
Samsung Knox 1.0 or higher
Application execution Black/Whitelist Setting
Set to control the application execution policies.
If the policy changes or Knox Manage is unenrolled, hidden applications reappear.
Note
Android 8.0 (Oreo) or below is supported for non-Samsung devices.
> Application execution blacklist
Add applications to prevent their execution. The icon of a blacklisted application disappears and users cannot run the application.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
Note
An application that has been added on the Application installation whitelist cannot be added.
Samsung Knox 1.0 or higher, Android 2.2 or higher
> Application execution whitelist
Add applications to allow their execution. Icons of applications that are not on the whitelist disappear automatically. Knox Manage and the preloaded applications are automatically registered on the whitelist.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
Note
An application that has been added on the Application installation blacklist cannot be added.
Samsung Knox 1.0 or higher, Android 2.2 or higher
Application force stop prohibition list setting
Set to prohibit applications from being force stopped.
> Force stop blacklist
Add applications that must not be force stopped.
Samsung Knox 1.0 or higher
Application execution prevention list setting
Allows application installation but prevents application execution.
> Application execution prevention list
Add applications to be displayed but not executable.
Listed applications can be installed and the icons will be displayed, but they will not be executed.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
Samsung Knox 2.0 or higher
Application uninstallation prevention list Settings
Set to control the application uninstallation policies.
> Application uninstallation prevention list
Add applications to prevent their uninstallation.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
Samsung Knox 1.0 or higher
Action when apps are compromised
Select from among the actions below to take if an internal or a kiosk application is compromised:
  • Disallow running: Prohibits the application’s execution.
  • Uninstall: Deletes an application.
  • Lock device: Locks the user’s device.
Note
Android 10 (Q) or higher devices are not supported.
  • Notify Alert: The compromised status of the device is reported on the Dashboard.
  • Factory reset + Initialize SD card: Simultaneously resets a user device and the SD card.
  • Factory reset: Resets the user device but not the SD card.
Note
Actions such as lock device, factory reset, and notify alert are applied only to general Android devices, not to Samsung Galaxy or LG Electronics devices.
Samsung Knox 1.0 or higher
Show ProgressBar when installing apps
Set to display the ProgressBar, which displays the progress of the application downloads made in Knox Manage.
Samsung Knox 1.0 or higher, Android 1.0 or higher
Battery optimization exceptions
Set to exempt applications from the battery optimization function. This policy may cause battery loss.
Note
This policy is for devices running Android (Nougat) or later.
> Apps excluded battery optimization
Add applications to exempt them from the battery optimization function.
Samsung Knox 2.7 or higher
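The wildcard and list rules in this section can be checked against a device inventory before a profile is applied. The following Python sketch is an added example, not Knox Manage code: it assumes that * matches any run of characters (dots included), and the agent package name and the inventory are constructed placeholders.

```python
import re

# Hypothetical placeholder for the Knox Manage Agent package name.
KM_AGENT = "com.example.kmagent"

# Constructed inventory of packages installed on a test device.
SAMPLE_INVENTORY = [
    "com.sds.emm",
    "com.sds.mail",
    "com.acme.emm",
    "com.acme.emm.helper",
    "org.example.notes",
    KM_AGENT,
]


def pattern_to_regex(pattern):
    """Turn a pattern such as com.*.emm into a compiled regex.

    Assumption: '*' matches any run of characters, including dots.
    """
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))


def matches_any(patterns, package):
    """True if the package name matches at least one pattern in full."""
    return any(pattern_to_regex(p).fullmatch(package) for p in patterns)


def find_overlaps(blacklist, whitelist, inventory):
    """Packages matched by both lists, for example through wildcard overlap."""
    return sorted(
        pkg for pkg in inventory
        if matches_any(blacklist, pkg) and matches_any(whitelist, pkg)
    )


def predict_blocked(blacklist, whitelist, inventory, exempt=(KM_AGENT,)):
    """Map each affected package to the documented reason it is blocked.

    Rules taken from this section:
      - blacklisted applications are deleted even if already installed
      - with a whitelist set, applications not on it are deleted
      - with both lists empty, only the Knox Manage Agent is allowed
    """
    blocked = {}
    for pkg in inventory:
        if pkg in exempt:
            continue
        if not blacklist and not whitelist:
            blocked[pkg] = "both lists empty"
        elif matches_any(blacklist, pkg):
            blocked[pkg] = "blacklisted"
        elif whitelist and not matches_any(whitelist, pkg):
            blocked[pkg] = "not on whitelist"
    return blocked


if __name__ == "__main__":
    result = predict_blocked(["com.*.emm.*"], ["com.sds.*", "com.*.emm"], SAMPLE_INVENTORY)
    for pkg, reason in sorted(result.items()):
        print(f"{pkg}: {reason}")
    print("overlaps:", find_overlaps(["com.sds.*"], ["com.*.emm"], SAMPLE_INVENTORY))
```

Running the check against an export of the packages actually installed in a pilot group shows which business applications a whitelist would remove before the profile reaches production devices.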

Location

Policy
Description
Supported devices
Report device location
Allows collecting location data.
  • User consent: Allows location data collection only with the user’s consent.
Note
  • When this policy is set to User consent, location data can only be collected after the user allows collection of device location data in the permission pop-up. The Report device location policy has a higher priority than the GPS policy or the locate the current position device command.
  • For devices running Android 10 (Q) or higher, this policy is supported only when the GPS is enabled in the device settings.
Samsung Knox 1.0 or higher, Android 2.3 or higher
> Report device location interval
Set an interval period to save the location data of the device.
Note
To set the collection interval, select either Allow or User Consent for the Report device location policy.
Samsung Knox 1.0 or higher, Android 2.3 or higher
High Accuracy Mode
Set to use High Accuracy Mode for collecting accurate GPS locations of the devices.
Samsung Knox 1.0 or higher, Android 2.3 or higher

Browser

Browsers must be closed and opened again to apply the changes.
Policy
Description
Supported devices
Android browser
Allows using the Android browser.
Note
The disallowed setting or blacklist setting takes priority over others. If the disallowed setting is configured in any of the Android browser or application blacklist policies, the Samsung Internet browser cannot be launched.
Samsung Knox 1.0 or higher
> Cookies
Allows cookies in the Android browser.
Note
If cookies are not allowed, you cannot access websites that authenticate users with cookies.
Samsung Knox 1.0 or higher
> JavaScript
Allows JavaScript in the Android browser.
Samsung Knox 1.0 or higher
> Autofill
Allows auto-completion of information that you enter on websites in the Android browser.
Samsung Knox 1.0 or higher
> Pop-up block
Allows blocking pop-ups in the Android browser.
Samsung Knox 1.0 or higher
Browser proxy URL
Set the proxy server address for the Android browser in the general area.
Enter the value in the form of IP:port or domain:port in the fields.
Note
  • The Chrome browser and Samsung S browser are supported.
  • The supported version for Chrome is Knox 4.0.1 - 5.6.
Samsung Knox 1.0.1 or higher

Phone

Policy
Description
Supported devices
Airplane mode
Allows the use of airplane mode.
Samsung Knox 2.0 or higher
Cellular data connection
Allows the use of a cellular data connection.
Note
This policy is applied after internal applications that have been set as Automatic (Non-removable) are installed. If the cellular data connection policy is not applied successfully, the device tries to apply this policy again 30 minutes after Knox Manage is activated.
Samsung Knox 1.0 or higher
Prohibit voice call
Prohibits incoming and outgoing voice calls.
Samsung Knox 1.0 or higher
> Voice call
Specifies the types of voice call to block:
  • Incoming: Blocks incoming voice calls only.
  • Outgoing: Blocks outgoing voice calls only.
If both are selected, only emergency calls can be received or made.
> Incoming Call blacklist
Add phone numbers to the blacklist to block incoming voice calls.
  • To add a phone number, enter it in the field and click .
  • To delete a phone number, click next to it.
> Outgoing Call blacklist
Add phone numbers to the blacklist to block outgoing voice calls.
  • To add a phone number, enter it in the field and click .
  • To delete a phone number, click next to it.
Data usage limit
Allows the limiting of data usage.
Samsung Knox 1.0 or higher
Data usage restrictions
Limits the maximum data usage for user devices. If data usage exceeds the limit set on a device, data use is no longer available.
To get precise information on the amount of usage, changing the date and time must not be allowed.
Samsung Knox 1.0 or higher
> Maximum usage
Set the maximum data amount for user devices for 1 day, 1 week, or 1 month.
Note
  • Daily usage is calculated at 12:00 p.m. each day, weekly usage on Sundays, and monthly usage on the first day of each month.
  • When the maximum data amount is reached, the data network will be blocked. But if the user allows the data network, the data usage of the user device will be reset.
Data connection during roaming
Allows data connection when roaming.
Samsung Knox 1.0 or higher
WAP push during roaming
Allows WAP push communication while using roaming.
Samsung Knox 1.0 or higher
Data sync during roaming
Allows data synchronization while roaming.
Samsung Knox 1.0 or higher
Voice calls during roaming
Allows voice calls while roaming.
Samsung Knox 1.0 or higher
Disallow SMS/MMS
Prohibits sending and receiving SMS/MMS messages.
Samsung Knox 1.0 or higher
> Disallow Incoming/Outgoing SMS/MMS
Specifies the types of SMS/MMS messages to block.
Note
At least one of the types should be selected.
> Incoming SMS blacklist
Add phone numbers to the blacklist to block incoming SMS/MMS messages.
  • To add a phone number, enter it in the field and click .
  • To delete a phone number, click next to it.
> Outgoing SMS blacklist
Add phone numbers to the blacklist to block outgoing SMS/MMS messages.
  • To add a phone number, enter it in the field and click .
  • To delete a phone number, click next to it.
Use SIM card locking
Prevents the use of the SIM card on a user device. To use this policy, the default PIN of the SIM card should be entered. Then, the new PIN number for the SIM card should be entered.
If the locked SIM card is registered to another device, the device is locked and the user must enter a valid PIN to unlock it.
Samsung Knox 1.0 or higher
> Default SIM PIN
Enter the default PIN found on the SIM card.
The value is a 4 - 8 digit number.
Note
This policy is designed for use by Corporate-Owned, Personally Enabled (COPE) devices and is only applied if the PIN found on the SIM card matches the default PIN.
> New SIM PIN
Enter the new PIN number for the SIM card. The new PIN number can be found next to SIM PIN Number in the “Network” tab of the “Device Detail” page.
The value is a 4 - 8 digit number.
Set app voice recording whitelist
Allows recording phone conversations.
Note
If unspecified, voice recording is not allowed.
Samsung Knox 3.0 or higher
> App voice recording whitelist
Add applications that are allowed to record phone conversations to the whitelist.
Note
  • The registered voice recording applications cannot be deleted after being activated. To remove the registered applications, you must factory reset the device.
  • If the registered voice recording applications are activated on a device, the device USB connection is blocked.
Samsung Knox 3.0 or higher

Firewall

The firewall supports IPv6 for SDK 2.6 or above. Even if the IPv4 and the IPv6 addresses indicate the same address, a separate configuration is required for each.
Policy
Description
Supported devices
Firewall
Set to use the firewall to set target IP addresses. The firewall policy is enabled by default.
Note
Samsung Knox 1.0 - 2.4.1 is supported for Knox Workspace devices.
Samsung Knox 1.0 - 2.4.1
> Permitted Policy (IP)
Input values to permit the target IP and port address. Configure the following:
  1. Enter or click Add to search the Package Name of the application.
  2. Input the IP Address (range) and Port (range).
  3. Select the Network Type:
    • All
    • Data: Only mobile network access is enabled.
    • Wi-Fi: Only Wi-Fi network access is enabled.
  4. Select Port Range:
    • All
    • Local: Port access from the device is enabled.
    • Remote: Port access from the target server is enabled.
  5. Click to add.
Note
  • Before setting this policy, disable all IPs by entering a wildcard character (*) to the Prohibited policy (IP) ranges.
  • Samsung Knox 2.5 is supported for Knox Workspace devices.
> Prohibited Policy (IP)
Input values to prohibit the target IP and port address. Configure the following:
  1. Enter or click Add to search the Package Name of the application.
  2. Enter the IP Address (range) and Port (range).
    • Enter a wildcard character (*) as an IP Address to prohibit the use of the bandwidth.
  3. Select Network Type:
    • All
    • Data: Mobile network access is disabled.
    • Wi-Fi: Wi-Fi network access is disabled.
  4. Select Port Range:
    • All
    • Local: Port access from the device is disabled.
    • Remote: Port access from the target server is disabled.
  5. Click to add.
Note
  • When entering the IP address, you can use a wildcard character (*) to disable the bandwidth usage.
  • Samsung Knox 2.5 is supported for Knox Workspace devices.
Samsung Knox 2.5 or higher
> Permitted Policy (Domain)
Input values to permit the target domain address.
  1. Enter or click Add to search the Package Name of the application.
  2. Input the IP Address (range) and Port (range).
Note
  • Before setting this policy, disable all domains by entering a wildcard character (*) to the Prohibited policy (Domain) ranges.
  • Use a wildcard character (*) to allow the use of a specific domain. The character must be placed before or after the domain name.
e.g.) *android.com / www.samsung*
  • Samsung Knox 2.6 is supported for Knox Workspace devices.
Samsung Knox 2.6 or higher
> Prohibited policy (Domain)
Input values to disable the target domain address.
  1. Enter or click Add to search the Package Name of the application.
  2. Input the IP Address (range) and Port (range).
Note
Use a wildcard character (*) to disable a specific domain.
Samsung Knox 2.6 is supported for Knox Workspace devices.
Samsung Knox 2.6 or higher
> DNS setting
Input values to specify the domain server address of all applications or registered applications.
  1. Enter or click Add to search the Package Name of the application.
  2. Input DNS values.
    • DNS1: Primary DNS.
    • DNS2: Secondary DNS.
Note
Only one DNS per application can be set and it is effective only when there are no VPN or Proxy policies assigned to the application.
Samsung Knox 2.7 or higher
Note
  • If there are multiple firewalls, restricted firewalls have a higher priority.
  • If a firewall is configured for all applications as well as for specific applications, the policy for each application has a higher priority.
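The notes in this section (wildcard placement in domain rules, prohibiting everything before adding permit rules, and separate IPv4 and IPv6 entries) can be checked on a planned rule set before it is entered in the console. The following Python linter is an added example, not Knox Manage code: the rule dictionaries, the "*" marker for all applications, and the reading that a per-application scope needs its own prohibit-all entry are assumptions, and the sample rules are constructed.

```python
import ipaddress

# Constructed sample rule sets. "app": "*" stands for all applications here.
SAMPLE_DOMAIN_RULES = [
    {"app": "*", "kind": "prohibit", "target": "*"},
    {"app": "*", "kind": "permit", "target": "*android.com"},
    {"app": "com.example.crm", "kind": "permit", "target": "www.*.example"},
]
SAMPLE_IP_RULES = [
    {"app": "*", "kind": "prohibit", "target": "*"},
    {"app": "*", "kind": "permit", "target": "192.0.2.10"},
]


def wildcard_placement_ok(domain):
    """The '*' must sit before or after the domain name, never inside it."""
    core = domain.strip("*")
    if core == "":
        return domain == "*"  # a lone '*' is the prohibit-all entry
    return "*" not in core


def ip_family(target):
    """Return 4 or 6 for a literal address, None for '*' or other text."""
    try:
        return ipaddress.ip_address(target).version
    except ValueError:
        return None


def lint_firewall(domain_rules, ip_rules):
    """Return a sorted list of (code, app, detail) findings."""
    findings = set()

    # 1. Wildcard placement in domain rules.
    for rule in domain_rules:
        if not wildcard_placement_ok(rule["target"]):
            findings.add(("BAD_WILDCARD", rule["app"], rule["target"]))

    # 2. Permit rules need a prohibit-all ('*') entry set first.
    #    Assumption: the entry must exist in the same application scope,
    #    because per-application policy takes priority over all-apps policy.
    for label, rules in (("domain", domain_rules), ("ip", ip_rules)):
        permit_apps = {r["app"] for r in rules if r["kind"] == "permit"}
        deny_all_apps = {
            r["app"] for r in rules
            if r["kind"] == "prohibit" and r["target"] == "*"
        }
        for app in permit_apps - deny_all_apps:
            findings.add(("PERMIT_WITHOUT_DENY_ALL", app, label))

    # 3. IPv4 and IPv6 need separate entries, so a scope that lists
    #    literal addresses of only one family leaves the other uncovered.
    families = {}
    for rule in ip_rules:
        family = ip_family(rule["target"])
        if family is not None:
            families.setdefault((rule["app"], rule["kind"]), set()).add(family)
    for (app, kind), seen in families.items():
        if len(seen) == 1:
            only = next(iter(seen))
            findings.add(("SINGLE_IP_FAMILY", app, f"{kind} rules are IPv{only} only"))

    return sorted(findings)


if __name__ == "__main__":
    for finding in lint_firewall(SAMPLE_DOMAIN_RULES, SAMPLE_IP_RULES):
        print(finding)
```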

Logging

Policy
Description
Supported devices
Save logs
Set to enable the save logs feature.
  • Enable: Set to perform logging. This is the default value.
  • Disable: Cannot record device logs.
Note
If this policy is not specified, Knox Manage performs logging at the DEBUG level.
Samsung Knox 1.0 or higher, Android 1.0 or higher
> Log level
Select a log level.
  • DEBUG: Logs detailed device information for the developers.
  • INFO: Logs device information for the administrators.
  • WARNING: Logs information that is not an error but requires special attention from the administrators.
  • ERROR: Logs error information.
  • FATAL: Logs critical error information, such as system interruption.
Samsung Knox 1.0 or higher, Android 1.0 or higher
> Maximum log size (MB)
Enter a value for the maximum log size.
The value can be between 1 - 20 MB.
Samsung Knox 1.0 or higher, Android 1.0 or higher
> Maximum days for storage (day)
Enter a value for the maximum days for log storage.
The value can be between 1 – 30 MB.
Samsung Knox 1.0 or higher, Android 1.0 or higher

DeX

Samsung DeX is an accessory that extends the functionalities of a mobile device. By connecting a monitor, keyboard, and mouse to a DeX docking station, the mobile device can function as a desktop computer.
In Knox Manage, you can allow the use of DeX mode and control applications according to the Application execution blacklist setting.
Policy
Description
Supported devices
Allow DeX mode
Allows the use of DeX mode.
  • Disallow: The DeX station will not function even if a mobile device is mounted on it.
Samsung Knox 3.0 or higher
Allow Ethernet only
Allows ethernet only for DeX. Mobile data, Wi-Fi, and tethering are blocked.
Samsung Knox 3.0 or higher
Application execution blacklist (Android)
Use the blacklist for running DeX applications.
Samsung Knox 3.0 or higher
> Application execution blacklist
Prohibits launching the specified applications.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
Note
  • Any applications that already have been added to the Application whitelist cannot be added to the Application blacklist.
  • When this policy is enabled and applied, the icons of the blocked applications will disappear so that users cannot launch them. However, the applications are not deleted. The icons will reappear once the policy is changed or Knox Manage is disabled.

Wi-Fi

You can add more Wi-Fi policy sets by clicking .
Policy
Description
Configuration ID
Assign a unique ID for each Wi-Fi setting.
Description
Enter a description for each Wi-Fi setting.
Network Name (SSID)
Enter an identifier of a wireless router to connect to.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
Remove available
Allows users to delete the Wi-Fi settings.
Security type
Specifies the access protocol used and whether certificates are required.
> WEP
Set a WEP KEY index from WEP KEY 1 to 4.
> WPA/WPA2-PSK
Enter a password.
> 802.1xEAP
Configure the following items:
  • EAP Method: Select an authentication protocol from among PEAP, TLS, and TTLS.
  • 2-step authentication: Select one from PAP, MSCHAP, MSCHAPV2, or GTC as a secondary authentication method. This is available when EAP Method is set to TTLS or TLS.
  • User information input method: Select an input method for entering user information.
  • Manual Input: Enter the user ID and Password for the Wi-Fi connection.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
  • Connector interworking: Choose a connector from the User Information Connector.
  • User Information: Use the user information registered in Knox Manage to access Wi-Fi.
  • User certificate input method: Select a user certificate confirmation method.
  • EMM Management Certificate: Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.
Note
Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.
  • Connector interworking: Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Adding sync services.
When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.
  • Issuing external CA: Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template.
Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Adding external certificates.
  • CA certificate: Select a root certificate. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as Wi-Fi and the Type set as Root will appear on the list.
Proxy configuration
Select a proxy server configuration method. You can use the server to route through the proxy server when the device is connected to Wi-Fi.
> Manual
Configure the proxy server manually.
  • Proxy host name: Enter the host name or the IP address of the proxy server.
  • Proxy port: Enter the port number used by the proxy server.
  • Proxy exception: Enter the IP address or domain address that cannot be accessed through the proxy server.
If server authentication is required to use the proxy server, check the Server authentication check box.
  • User name: Enter the username for the proxy server.
  • Password: Enter the password for the proxy server.
> Proxy automatic configuration
Configure the proxy server automatically.
In the PAC web address field, enter the URL of the PAC file that automatically determines which proxy server to use.

Exchange

You can add more Exchange policy sets by clicking .
Policy
Description
Configuration ID
Assign a unique ID for each exchange setting.
Description
Enter a description for each exchange setting.
Remove available
Allows users to delete the exchange settings.
Office 365
Configures the Exchange settings by automatically filling in the Exchange server address and setting the SSL option to ‘Use’.
User information input method
Select an input method for entering user information.
> Manual Input
Select to manually enter the email address, account ID, and password of a user.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
> Connector interworking
Select to choose a connector from the User Information Connector list.
Note
All the connectors are listed in Advanced > System Integration > Directory Connector.
> User Information
Select to access the exchange server using the registered Knox Manage email and ID. The password must be entered from the user’s device.
Domain
Enter a domain address for the exchange server.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
Exchange server address
Enter the exchange server information such as IP address, host name or URL.
Note
If Office365 is selected, outlook.office365.com will be automatically entered.
Sync measure for the early data
Select the interval period to sync the past emails. The sync interval and synchronization are in accordance with the email application settings.
User certificate input method
Select an input method for entering certificate information.
> EMM Management Certificate
Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.
Note
Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.
  • User Certificate: Select a certificate to use from the User Certificate list.
> Connector interworking
Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration (Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Adding sync services.
When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.
  • User certificate Connector: Select a connector to use from the User certificate Connector list.
> Issuing external CA
Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Adding external certificates.
  • Issuing external CA: Select an external CA to use from the Issuing external CA list.
Sync calendar
Syncs schedules on a calendar from an Exchange server or a mail server to a device.
Sync contacts
Syncs contact information in a phone book from a server to a device.
Sync task
Syncs task items from a server to a device.
Sync notes
Syncs notes from a server to a device.
SSL
Set to use SSL for email encryption.
Note
If Office365 is selected, the SSL option is automatically set to ‘Use’.
Signature
Enter the email signature to use.
Notification
Notifies the user of new emails.
Always vibrate on notification
Notifies the user of new emails with a vibration.
Silent notification
Mutes email notifications.
Note
Always vibrate on notification and Silent notification cannot be used at the same time.
Attachment capacity (byte)
Enter the email attachment file size limit in bytes.
The input value ranges from 1 to 52428800 (50MB).
Maximum Size of Email Body (Kbyte)
Select a maximum value for the email body size. This is only set once during the initial Exchange ActiveSync setup.
> Default Size of Email Body (Kbyte)
Select the default value for the email body size. This is only set once during the initial Exchange ActiveSync setup.

Email Account

You can add more email account policy sets by clicking .
Policy
Description
Configuration ID
Assign a unique ID for each email account setting.
Description
Enter a description for each email account setting.
Remove available
Allows users to delete the email account settings.
Default Account
Specifies to use the default account.
User information Input Method
Select an input method for entering user information.
> Manual Input
Select to manually enter the email address, server ID and password of a user.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
> Connector interworking
Select a connector from the user information connector list.
Note
The connectors are listed in Advanced > System Integration > Directory Connector.
> User information
Select to access the relevant mail server using the registered Knox Manage email, ID and password.
Note
The password must be entered from the user’s device.
Incoming Server Protocol
Select between the POP3 (pop3) and IMAP (imap) protocol.
Outgoing Server Protocol
Entered automatically as SMTP.
Incoming Server Address/port
Enter the incoming server address/port in a provided format.
Outgoing Server Address/port
Enter the outgoing server address/port in a provided format.
Incoming Server ID
Enter an incoming server ID to log in to the incoming mail server manually.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
Note
This field is only available when Manual Input is selected.
Outgoing Server ID
Enter an outgoing server ID to manually log in to the outgoing mail server.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
Note
This field is only available when Manual Input is selected.
Incoming Server Password
Enter an incoming server password to manually log in to the incoming mail server.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
Note
This field is only available when Manual Input is selected.
Outgoing Server Password
Enter an outgoing server password to manually log in to the outgoing mail server.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
Note
This field is only available when Manual Input is selected.
Incoming SSL
Select to use SSL for encryption.
Outgoing SSL
Select to use SSL for encryption.
Notification
Select an email notification method.
  • Enable Notification: Activates email notification.
  • Enable ‘Always notify by vibrate mode’: Notifies the user of new emails with a vibration.
  • Disable Notification: Deactivates email notification.
All incoming certificates
Allows receiving certificates.
All outgoing certificates
Allows sending certificates.
Signature
Enter an email signature to use.
Account Name
Assign an account name.
Sender Name
Assign a sender name.

Bookmark

You can add, modify, or delete the bookmarks in the Samsung S browser, the default browser on Samsung Galaxy devices. You can add more bookmark policy sets by clicking .
Note
  • Browsers must be closed and opened again to apply the changes.
  • Even if a user modifies a registered bookmark or registers a bookmark with the same URL and name, it will not be deleted when the bookmark setting is deleted.
  • Even if a user manually deletes the set bookmark, due to the limitations of Samsung devices, the application may still appear to be installed. In this case, you have to delete the bookmark in the profile, and then recreate the bookmark.
  • The auto-installation of Bookmark settings is supported on devices running Android 6.0 Marshmallow or Android 7.0 Nougat, and only when BookMark is chosen in the Installation area.
Policy
Description
Configuration ID
Assign a unique ID for each bookmark setting.
Description
Enter a description for each bookmark setting.
Installation area
Specifies a location to install the bookmark.
  • BookMark: Saves a bookmark in the S browser.
  • ShortCut: Creates a shortcut for the bookmarked address on the home screen of the device. Shortcut icons are created based on the Samsung Launcher.
  • If a Shortcut has been selected, auto installation is not supported.
  • Shortcut icons may not be able to be created depending on the type of launcher set by the user. An administrator cannot delete the shortcut icon, but the user can delete it manually.
Bookmark page URL
Enter a website address to go to when a bookmark is selected.
Bookmark name
Enter the bookmark name to be displayed as a title in the bookmark.

APN

You can add more APN policy sets by clicking .
Policy
Description
Configuration ID
Enter an APN name to be displayed on the device.
Description
Enter a description for an APN.
Remove available
Allows users to delete APN settings. If you choose Disallow, then the button used to delete APN settings is disabled.
Access Point Name (APN)
Enter the name of the access point.
Access Point Type
Select the type of the access point.
  • Default: default type.
  • MMS: Multimedia Messaging Service.
  • Supl: IP-based protocol to receive GPS satellite signals.
Mobile Country Code (MCC)
Enter the country code for the APN.
Mobile Network Code (MNC)
Enter the carrier network code for the APN.
MMS Server (MMSC)
Enter the server information for sending multimedia messages.
  • MMS Proxy Server: Enter the information of the proxy server for sending multimedia messages.
  • MMS Proxy Server Port: Enter the port number of the proxy server for sending multimedia messages.
Server
Enter the WAP gateway server name.
Proxy Server
Enter the information of the proxy server.
Proxy Server Port
Enter the port number of the proxy server.
Access Point User Name
Enter the user name of the access point.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
Access Point Password
Enter the password of the access point.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
Authentication Method
Select an authentication method.
  • None: Disables authentication.
  • PAP: Requires a user name and password for authentication.
  • CHAP: Uses encryption with a Challenge string for authentication.
  • PAP or CHAP: Uses the PAP or CHAP authentication method.
Set as Preferred APN
Applies APN settings to the device.

Knox VPN

Knox VPN settings are provided to help you set up a VPN on a Samsung Galaxy device more easily. You can add more Knox VPN policy sets by clicking .
Note
When Knox Workspace is used on an Android Legacy device, only one Knox VPN can be set on a device regardless of the Knox Workspace area or general area. If the Knox VPN vendor is Cisco, then it can be installed in both areas. To use a Knox VPN on both areas, you need to install the vendor’s VPN Client application in each area.
Policy
Description
Configuration ID
Assign a unique ID for the Knox VPN setting.
VPN name
Enter a VPN name to display on the user device.
Description
Enter a description for the Knox VPN setting.
Remove available
Allows users to delete the Knox VPN settings.
VPN vendor name
Select a VPN vendor, either Cisco or User defined. Input fields vary depending on the selected VPN vendor name.
Note
Select User defined to set up a different vendor’s VPN service, such as the Sectra mobile VPN. For more information, see Entering a VPN vendor manually.
VPN client vendor package name
Entered automatically according to the selected VPN vendor name. If User defined is selected, you must enter the package name manually.
VPN type
Select a protocol.
Entering methods for Knox VPN
Select an entering method for Knox VPN information.
Note
Input fields vary depending on the selected VPN vendor and the entering method.
Upload Knox VPN profile
Allows uploading a Knox VPN profile when you set Entering methods for Knox VPN to Upload profile.
You can upload a text file in the JSON format. JSON varies depending on the VPN vendor and VPN type.
For more information about sample files, see the sample file of a Sectra Mobile VPN configuration in Entering a VPN vendor manually and see the sample file of Cisco VPN configuration in Sample file for uploading a Knox VPN profile.
User certificate input method
Select an input method for entering certificate information.
  • EMM Management Certificate: Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.
Note
Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.
  • Connector interworking: Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Adding sync services.
When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.
  • Issuing external CA: Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Adding external certificates.
CA Certificate
Select a certificate to use from the CA certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as Knox VPN and the Type set as Root will appear on the list.
Server certificate
Select a certificate to use from the certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as Knox VPN and the Type set as User will appear on the list.
FIPS mode
Allows the use of FIPS mode.
FIPS (US Federal Information Processing Standards) encrypts all data with FIPS-140-2 authentication modules between the server and client.
Auto Re-connection
Allows connecting automatically when an error occurs.
VPN route type by application
Select to use a VPN for selected applications or for all applications in the General area.
  • By Application: Click Add next to The VPN applied package name per app and select applications, and then click Save.
  • All packages of general area: All applications in the General area are subject to a VPN.

Entering a VPN vendor manually

To use a VPN provided by a vendor other than Cisco, select User defined in the VPN vendor name field. Then upload a text profile in the JSON format. The VPN Client must be installed on the device before using a VPN.
For example, when a Sectra VPN is used, set the options as below:
  1. Enter com.sectra.mobilevpn in the VPN client vendor package name field.
  2. Set VPN type to SSL.
  3. Click Add next to Upload Knox VPN profile and upload a configuration file with the Sectra Mobile VPN configuration parameters set.
  • Upload a file in the JSON format to fully integrate the Sectra Mobile VPN in the Knox Manage portal.
  • Set the parameters as shown in the example below.
Parameter
Description
Example
profileName
The name of the VPN configuration profile that will be listed on the Knox Manage application and the VPN client GUI.
Sectra Mobile VPN
servers
A list of 1 – 6 VPN servers with IP addresses and a network port. This list will be in an order of priority, with the default VPN server being the first on the list. The remaining VPN servers will be used only if the default server is damaged.
[
{"address":"1.1.1.1", "port":443},
{"address":"2.2.2.2", "port":444},
{"address":"3.3.3.3", "port":445}
]
pkcs12BaseUrl
The HTTP/S URL of the download server for the encrypted key material.
mtuSize
The MTU (Maximum Transmission Unit) is the size used on Knox Manage’s virtual network interface. It is the maximum size of outgoing UDP (User Datagram Protocol) tunnel packets before they are fragmented.
The value must be between 576 – 1500 bytes.
1300
useDtls
Determines whether a DTLS tunnel is used. A DTLS tunnel should be used if sensitive data is being transmitted in real-time.
E.g.) When streaming video and/or using VoIP calls.
The value must be either True or False. If unsure, set to True.
True
diffServ
The QoS (Quality of Service) tag of the tunnel packets sent from a client. Differentiated service is part of an IP header.
The value must be between 0 – 63. 0 means disabled.
0
tcpKeepAlive
Timer value for the interval of a KeepAlive packet sent from a TCP tunnel.
The value must be between 1 – 18000.
  • Sectra recommends setting this value to 1200 seconds since it is compatible with most mobile networks.
Note
This is an important parameter that needs to be selected with caution.
1200
dtlsInactivityTimeout
The timer value for the standby period of a DTLS tunnel that determines how long it idles without receiving any data before it goes inactive.
The value must be between 1 – 300 seconds.
Note
Sectra does not recommend setting this value to 300 seconds.
30
trafficProfiles
1 – 3 traffic profiles that users can choose from when the normal configuration is not sufficient. Traffic profiles can change the following configuration parameters: mtuSize, useDtls, diffServ, tcpKeepAlive and/or dtlsInactivityTimeout. Each traffic profile also requires a profile name, which is shown in the client GUI.
[
{"profileName":"BadNetworkProfile", "mtuSize":800, "tcpKeepAlive":600},
{"profileName":"RealTimeProfile", "mtuSize":1500, "useDtls":"true", "diffServ":63}
]
The following is a sample file of a Sectra Mobile VPN configuration:
{
    "KNOX_VPN_PARAMETERS":{
        "profile_attribute":{
            "profileName":"Sectra Mobile VPN",
            "vpn_type":"ssl",
            "vpn_route_type":1
        },
        "knox":{
            "connectionType":"keepon"
        },
        "vendor":{
            "connection":{
                "servers":[
                    {"address":"1.1.1.1", "port":443},
                    {"address":"2.2.2.2", "port":444},
                    {"address":"3.3.3.3", "port":555}
                ],
                "ssl":{
                    "basic":{
                        "pkcs12BaseUrl":"http://download.server.com/certs/",
                        "mtuSize":1300,
                        "useDtls":true,
                        "diffServ":0,
                        "tcpKeepalive":1200,
                        "dtlsInactivityTimeout":30
                    }
                }
            },
            "trafficProfiles":[
                {
                    "profileName":"BadNetworkProfile",
                    "mtuSize":800,
                    "tcpKeepAlive":600
                },
                {
                    "profileName":"RealTimeProfile",
                    "mtuSize":1500,
                    "useDtls":"true",
                    "diffServ":63
                }
            ]
        }
    }
}
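A pre-upload check for the Sectra Mobile VPN profile described above, as an added Python example (not part of the original page and not Knox Manage or Sectra tooling). It enforces the ranges from the parameter table; lint_sectra_profile is a hypothetical name, and the example assumes that trafficProfiles is optional, that key names match case-insensitively, and that a plain http pkcs12BaseUrl deserves a warning.

```python
import json
from urllib.parse import urlparse

# Value ranges taken from the parameter table above.
RANGES = {
    "mtuSize": (576, 1500),
    "diffServ": (0, 63),
    "tcpKeepAlive": (1, 18000),
    "dtlsInactivityTimeout": (1, 300),
}
SMART_QUOTES = "\u201c\u201d\u2018\u2019"  # typographic quotes left by copy/paste


def _check_tunables(params, where, findings):
    """Range-check the tunables shared by 'basic' and each traffic profile."""
    for key, value in params.items():
        # The page spells the key both tcpKeepAlive and tcpKeepalive, so match
        # names case-insensitively (assumption: the client accepts either).
        name = next((n for n in RANGES if n.lower() == key.lower()), None)
        if name:
            lo, hi = RANGES[name]
            is_int = isinstance(value, int) and not isinstance(value, bool)
            if not is_int or not lo <= value <= hi:
                findings.append(f"ERROR {where}.{key}={value!r}: must be {lo}-{hi}")
            elif name == "dtlsInactivityTimeout" and value == hi:
                findings.append(f"WARN {where}.{key}: 300 is not recommended")
        elif key.lower() == "usedtls" and str(value).lower() not in ("true", "false"):
            findings.append(f"ERROR {where}.{key}={value!r}: must be true or false")


def lint_sectra_profile(text):
    """Return a list of findings for a Sectra Mobile VPN profile (JSON text)."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        hint = " (typographic quotes present)" if any(c in text for c in SMART_QUOTES) else ""
        return [f"ERROR invalid JSON at line {exc.lineno}: {exc.msg}{hint}"]
    try:
        vendor = doc["KNOX_VPN_PARAMETERS"]["vendor"]
        servers = vendor["connection"]["servers"]
        basic = vendor["connection"]["ssl"]["basic"]
    except (KeyError, TypeError) as exc:
        return [f"ERROR missing section: {exc}"]
    if not isinstance(basic, dict):
        return ["ERROR ssl.basic: object required"]

    findings = []
    if not isinstance(servers, list) or not 1 <= len(servers) <= 6:
        findings.append("ERROR servers: list of 1-6 entries required")
    else:
        for i, srv in enumerate(servers):
            port = srv.get("port") if isinstance(srv, dict) else None
            ok_port = isinstance(port, int) and not isinstance(port, bool) and 1 <= port <= 65535
            if not ok_port or not srv.get("address"):
                findings.append(f"ERROR servers[{i}]: needs address and port 1-65535")

    url = urlparse(str(basic.get("pkcs12BaseUrl", "")))
    if url.scheme not in ("http", "https") or not url.netloc:
        findings.append("ERROR pkcs12BaseUrl: http(s) URL required")
    elif url.scheme == "http":
        findings.append("WARN pkcs12BaseUrl: plain http, so the key material "
                        "download is not protected in transit; prefer https")
    _check_tunables(basic, "basic", findings)

    profiles = vendor.get("trafficProfiles")
    if profiles is not None:
        if not isinstance(profiles, list) or not 1 <= len(profiles) <= 3:
            findings.append("ERROR trafficProfiles: 1-3 entries required")
        else:
            for i, prof in enumerate(profiles):
                if not isinstance(prof, dict) or not prof.get("profileName"):
                    findings.append(f"ERROR trafficProfiles[{i}]: profileName required")
                    continue
                _check_tunables(prof, f"trafficProfiles[{i}]", findings)
    return findings


# The sample file from this page, typed with straight quotes and compacted.
PAGE_SAMPLE = """
{"KNOX_VPN_PARAMETERS": {
  "profile_attribute": {"profileName": "Sectra Mobile VPN", "vpn_type": "ssl", "vpn_route_type": 1},
  "knox": {"connectionType": "keepon"},
  "vendor": {
    "connection": {
      "servers": [{"address": "1.1.1.1", "port": 443}, {"address": "2.2.2.2", "port": 444},
                  {"address": "3.3.3.3", "port": 555}],
      "ssl": {"basic": {"pkcs12BaseUrl": "http://download.server.com/certs/", "mtuSize": 1300,
                        "useDtls": true, "diffServ": 0, "tcpKeepalive": 1200,
                        "dtlsInactivityTimeout": 30}}},
    "trafficProfiles": [
      {"profileName": "BadNetworkProfile", "mtuSize": 800, "tcpKeepAlive": 600},
      {"profileName": "RealTimeProfile", "mtuSize": 1500, "useDtls": "true", "diffServ": 63}]}}}
"""

if __name__ == "__main__":
    for finding in lint_sectra_profile(PAGE_SAMPLE) or ["OK"]:
        print(finding)
```

Run against the page's sample, the only finding is the warning about the http download URL.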

Configuring a Knox VPN profile manually

You can manually enter a profile only when the VPN vendor is Cisco. Select Manual Input in the Entering method for Knox VPN field. Then set the options as below:
  1. Enter the IP address, host name, or URL of the VPN server in the Server address.
  • The VPN route type, which enables the use of VPN tunneling, is automatically entered.
  2. Select to use user authentication.
  3. Select a VPN connection type.
  • Keep On: Keep the VPN connection.
  • On Demand: Connect to the VPN upon request.
  4. Select the chaining type.
  5. Select to use the UID PID.

Sample file for uploading a Knox VPN profile

The following is a sample file with Cisco as the VPN vendor and IPSec as the VPN type:
{
    "KNOX_VPN_PARAMETERS":{
        "profile_attribute":{
            "profileName":"c1",
            "host":"12.3.456.78",
            "isUserAuthEnabled":true,
            "vpn_type":"ipsec",
            "vpn_route_type":1
        },
        "ipsec":{
            "basic":{
                "username":"",
                "password":"",
                "authentication_type":1,
                "psk":"",
                "ikeVersion":1,
                "dhGroup":0,
                "p1Mode":2,
                "identity_type":0,
                "identity":"test@sta.com",
                "splitTunnelType":0,
                "forwardRoutes":[
                    {
                        "route":""
                    }
                ]
            },
            "advanced":{
                "mobikeEnabled":false,
                "pfs":true,
                "ike_lifetime":"10",
                "ipsec_lifetime":"25",
                "deadPeerDetect":true
            },
            "algorithms":{
            }
        },
        "knox":{
            "connectionType":"keepon",
            "chaining_enabled":"-1",
            "uidpid_search_enabled":"0"
        },
        "vendor":{
            "setCertCommonName":"space",
            "SetCertHash":"pluto",
            "certAuthMode":"Automatic"
        }
    }
}
The following is a sample file with Cisco as the VPN vendor and SSL as the VPN type:
{
    "KNOX_VPN_PARAMETERS":{
        "profile_attribute":{
            "profileName":"c3",
            "host":"cisco-asa.gnawks.com",
            "isUserAuthEnabled":true,
            "vpn_type":"ssl",
            "vpn_route_type":1
        },
        "ssl":{
            "basic":{
                "username":"demo",
                "password":"samsung",
                "authentication_type":1,
                "splitTunnelType":0,
                "forwardRoutes":[
                    {
                        "route":""
                    }
                ]
            },
            "algorithms":{
                "ssl_algorithm":0
            }
        },
        "knox":{
            "connectionType":"keepon",
            "chaining_enabled":"-1",
            "uidpid_search_enabled":"0"
        },
        "vendor":{
            "setCertCommonName":"space",
            "SetCertHash":"pluto",
            "certAuthMode":"Automatic"
        }
    }
}

VPN

You can configure the VPN settings to connect to a private network through a public network. You can add more VPN policy sets by clicking .
Policy
Description
Configuration ID
Assign a unique ID for the VPN setting.
VPN Name
Enter a VPN name to display on the user device.
Description
Enter a description for the VPN setting.
Remove available
Allows users to delete the VPN settings.
Connection type
Select a connection type and enter the parameters. Required parameters vary depending on the selected connection type.
  • PPTP: Set if PPP should be encrypted (MPPE).
  • L2TP/IPSec PSK: Enter parameters in the L2TP Secret Key, IPSec Identifier, and IPSec Pre-shared Key fields.
  • L2TP/IPSec RSA, IPSec Xauth RSA, IPSec Hybrid RSA: Select a root certificate from IPSec CA Certificates. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as VPN and the Type set as Root will appear on the list.
  • IPSec Xauth PSK: Enter parameters in the IPSec Identifier and IPSec Pre-shared Key fields.
Server address
Enter the IP address, host name, or URL of the VPN server that the device needs to access.
User information input method
Select an input method for entering user information.
  • Manual Input: Enter the user ID and Password for the VPN connection.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
  • Connector interworking: Choose a connector from the User information Connector. All the connectors are listed in Advanced > System Integration > Directory Connector.
  • User Information: Use the user information registered in Knox Manage to access the VPN.
PPP Encryption (MPPE)
Allows encrypting data for the VPN connection.
DNS search domain
Enter the DNS name.
DNS server
Enter the DNS server address.
Forwarding route
This is automatically entered when Subnet Bits is selected.
Subnet Bits
The value can be set to none or selected from /1 to /30.

Certificate

You can install a user certificate on a device and use the certificate through Wi-Fi or on websites. You can add more certificate policy sets by clicking .
Policy
Description
Configuration
Assign a unique ID for each certificate setting.
Description
Enter a description for each certificate setting.
User certificate input method
Select an input method for entering certificate information.
  • EMM Management Certificate: Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.
Note
Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.
  • Connector interworking: Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Adding external certificates.
When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.
  • Issuing external CA: Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Adding external certificates.
Certification category
Select a certification category when EMM Management Certificate is selected in User certificate input method.
  • CA certificate: Select a certificate to use from the CA certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as Root will appear on the list.
  • User certificate: Select a certificate to use from the User Certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as User will appear on the list.

Configuring Knox Workspace (Android Legacy) Policies

Create a profile and register policies for Knox Workspace devices.
You can configure the policies below for Knox Workspace devices. The availability of each policy varies depending on the OS version.
  • Allows various features, such as screen capture, clipboard, and share via apps.
  • Allows adding a new Wi-Fi network or using a microphone and other features.
  • Configures the security settings, such as passwords and lock screen.
  • Configures options for application controls such as installation, blacklist/whitelist, and execution prevention.
  • Allows the use of the Android browser and configuring the settings for it.
  • Configures the IP or a domain firewall policy for each application.
  • Allows data transfers between the Knox Workspace area and the general area.
  • Configures the settings of Microsoft Exchange ActiveSync accounts to synchronize data with it.
  • Configures the settings of a POP or IMAP email account.
  • Configures the bookmark settings such as the configuration ID and bookmark name.
  • Configures the VPN (Virtual Private Network) on a Knox Workspace.
  • Allows using new certificate authority (CA) certificates and configuring the certificate settings.

System

Policy
Description
Supported devices
Screen capture
Allows using the screen capture function in the Knox Workspace.
Note
Even if this policy is disallowed, you can still use the screen capture function through the Remote Support Viewer in Remote Support.
Samsung Knox 1.0 or higher
Clipboard
Allows the clipboard feature.
  • Allow within the same app: The clipboard function can only be used within the same application.
Samsung Knox 1.0 or higher
Share via apps
Allows the share app function in the Knox Workspace.
Samsung Knox 1.0 or higher
Google account synchronization
Allows Google account synchronization in the Knox Workspace.
Samsung Knox 2.0 or higher
App crash report to Google
Reports application error information to Google in the Knox Workspace.
Samsung Knox 1.0 or higher
System app close
Allows forceful system application shutdowns in the Knox Workspace.
Samsung Knox 1.0 or higher
Trusted Boot Verification
Allows Trusted Boot.
Samsung Knox 2.0 or higher
Third Party Keyboard
Allows the use of third-party keyboards.
Samsung Knox 2.0 - 2.9
Add Email Account
Allows adding accounts from the default email application on the device.
Samsung Knox 1.0 or higher
Domain whitelist setting
Set to use the email domain whitelist setting.
Note
  • The Add email account policy has a higher priority than the Domain whitelist setting policy.
  • The Domain whitelist setting policy does not apply if the Add email account policy is set to Disallow.
> Domain Whitelist
Enter the email domain whitelist to add.
  • To add a domain, enter the domain name in the field, and click .
  • To delete a domain, click next to the added domain name.
Samsung Knox 1.0 or higher
Allow Remote Control
Allows remote control within the Knox Workspace via Remote Support.
Remote Support should be installed in the general area.
Note
Policy changes using Remote Support in the Knox Workspace do not apply to the Remote Support Viewer immediately. In this case, reload the Knox Workspace area.
Samsung Knox 2.2 or higher

Interface

Policy
Description
Supported devices
Add a new Wi-Fi network
Allows adding a new Wi-Fi network connection in the Knox Workspace.
Samsung Knox 1.0 - 2.4.1
Microphone
Allows the controls for Microphone use in the Knox Workspace.
Note
If this policy is disallowed, video recording is also disallowed.
Samsung Knox 1.0 or higher
> Recording
Allows using microphone recording in the Knox Workspace.
Samsung Knox 1.0 or higher
Camera
Allows using the camera in the Knox Workspace.
Note
  • If the camera policy in the General area is disallowed, camera use in the Knox Workspace is also prohibited.
  • This policy allows taking pictures but disallows video recording.
Samsung Knox 1.0 or higher
Allow USB access
Allows using USB devices, such as printers and scanners, via OTG in the Knox Workspace.
  • Disallow is the default value.
Note
  • This policy is only allowed for non-storage USB devices in USB accessory mode.
  • Devices from Verizon, the United States telecommunications provider, are not supported.
Samsung Knox 2.5 or higher
> Allow access of USB devices
Set USB products to use in a specific application.
  1. Enter the Package Name.
  2. Select the Vendor ID.
  3. Enter the Product ID.
  • Only 4-digit, hexadecimal characters can be entered.
  • Multiple inputs should be separated by commas.
  • Only the product ID for the selected vendor can be entered.
  4. Click to add, or click to delete.
Samsung Knox 2.1 or higher
Bluetooth Low Energy
Allows use of the Bluetooth Low Energy feature in the Knox Workspace. To use this policy, set the Bluetooth connections in the general area to Allow.
Samsung Knox 2.4 or higher
Phone Book Access Profile (PBAP) via Bluetooth
Allows use of the Phone Book Access Profile (PBAP). Contacts on the Knox Workspace are sent to the connected device if this policy is allowed.
Samsung Knox 2.7 or higher
NFC control
Allows control of the NFC (Near Field Communication).
Samsung Knox 2.4 or higher

Security

Policy
Description
Supported devices
Knox Container Password
Use a password to lock Knox Workspace.
Use of the camera is prohibited when the device is screen locked.
Note
  • For devices with a One Lock password, the password policy that is stronger between Android Legacy and the Knox Workspace area will be applied.
  • When a user has forgotten their Knox Workspace password, the administrator needs to send the Reset screen password device command, and then the user needs to enter a temporary password. For more information, see the Knox password in Viewing the device details.
  • If the Prohibited words policy has been set, then the password cannot be reset with a temporary password containing the specified prohibited words. If this happens, you will need to disable the Prohibited words policy, save the relevant profile again, and then apply it.
> Enterprise identity Authentication
Controls Knox Workspace unlock with an enterprise ID.
  • Use: Allows the choice to use an enterprise ID to log in.
  • Forced use: Forces the use of an enterprise ID to log in.
Samsung Knox 2.4 or higher
>> Domain Address
Enter the domain address of the enterprise identity server. The http(s) prefix can be omitted.
Samsung Knox 2.4 or higher
>> Setup file
Select a file to install inside the Knox Workspace for enterprise ID authentication.
Note
You can select an application such as Samsung SSO Authenticator (com.sec.android.service.singlesignon), from the application list. Applications must be pre-enrolled either on Application > Internal application or Application > Public application.
Samsung Knox 2.4 or higher
>> Enable FIDO
Use FIDO (Fast ID Online) authentication in a Knox Workspace when using an enterprise ID.
Samsung Knox 2.7 or higher
>>> Request URL
Set the URL to request for FIDO authentication.
Samsung Knox 2.7 or higher
>>> Response URL
Set the URL to respond to FIDO authentication.
Samsung Knox 2.7 or higher
>>> FIDO App Installed List
Manage the applications to use for FIDO authentication.
Note
The essential applications required for FIDO authentication are automatically added to the list. You can add an additional application if needed.
Samsung Knox 2.7 or higher
> Minimum strength
Set the minimum password strength on the screen.
  • Pattern: Set the password using a pattern or any other password with a higher degree of complexity, such as Numeric, Alphanumeric, or Complex options.
  • Numeric: The password must consist of a 4 digit number or be more complex. The screen can be locked using the Numeric, Alphanumeric, and Complex types of passwords.
  • Alphanumeric: Both letters and numbers must be included. The screen can be locked using the Alphanumeric and Complex types of passwords.
  • Complex: Set so that the passwords must include alphanumeric and special characters.
Samsung Knox 2.0 or higher
>> Maximum Failed Login Attempts
Set the maximum number of incorrect password attempts before access is restricted.
The value can be between 0 - 10 times.
Samsung Knox 2.0 or higher
>>> Action for failing allowed count to retry password
Select the action to be taken when the maximum number of failed attempts is reached.
A Workspace control command must be sent to unlock the Knox Workspace.
  • Lock Knox Workspace: When the set number of password attempts has been reached, the Knox Workspace is locked.
  • Wipe Knox Workspace: When the set number of password attempts has been reached, the Knox Workspace is deleted.
Samsung Knox 1.0 or higher
>> Expiration after (days)
Set the maximum number of days before the password must be reset.
The value can be between 0 - 365 days.
Samsung Knox 2.0 or higher
>> Manage password history (times)
Set the minimum number of new passwords that must be used before a user can reuse the previous password.
The value can be between 0 - 10 times.
Samsung Knox 2.0 or higher
>> Minimum length
Set the minimum length of the password.
If the Minimum strength is set to Pattern, at least more than one stroke is required.
In the case of Complex, it must be equal to or greater than the sum of the Minimum number of letters and Minimum number of non-letters.
The value can be between 4 - 16 characters for Numeric or Alphanumeric.
The value can be between 6 - 16 characters for Complex.
Note
The minimum length of the pattern password refers to the number of lines connecting each dot. For example, if the policy value is 4, at least four lines connecting five dots must be entered.
Samsung Knox 2.0 or higher
>> Minimum number of letters
Set the minimum password length.
If the Minimum strength is set to Must be alphanumeric, the number 1 must be entered.
In the case of Must include special characters, the default value is the number 3. If you want to enter another number, the number must be equal to or greater than the sum of the Minimum number of lowercase letters and the Minimum number of capital letters.
The value can be between 1 – 10 characters.
The default value is 1 character for Alphanumeric.
The default value is 3 characters for Complex.
Samsung Knox 2.0 or higher
>> Minimum number of lowercase letters
Set the minimum number of lowercase letters required in the password.
The value can be between 1 - 10 characters.
Samsung Knox 2.0 or higher
>> Minimum number of capital letters
Set the minimum number of uppercase letters required in the password.
The value can be between 1 - 10 characters.
Samsung Knox 2.0 or higher
>> Minimum number of non-letters
Set the minimum number of numbers and special characters required in the password.
If Minimum strength is set to Must include special characters, the default value is the number 2. If you want to enter another number, the number must be equal to or greater than the sum of the Minimum number of numeric characters and the Minimum number of special characters.
The value can be between 1 - 10 characters.
The default value is 2 characters for Must include special characters.
Samsung Knox 2.0 or higher
>> Minimum number of numeric characters
Set the minimum number of numeric characters allowed in the password.
The value can be between 1 - 10 characters.
The default value is 2 characters for Must include special characters.
Samsung Knox 2.0 or higher
>> Minimum number of special characters
Set the minimum number of special characters required in the password.
The value can be between 1 - 10 characters.
The default value is 1 character for Must include special characters.
Samsung Knox 2.0 or higher
>> Maximum length of repeated characters
Set the maximum number of duplicated characters.
The value can be between 1 - 10 characters.
Samsung Knox 1.0 or higher
>> Maximum length of sequential numbers
Set the maximum number of consecutive numeric characters allowed in a password.
The value can be between 1 - 10 words.
Samsung Knox 1.0 or higher
>> Maximum length of sequential characters
Set the number of consecutive letters allowed in a password.
The value can be between 1 - 10 words.
Samsung Knox 1.0 or higher
>> Minimum length of character change
Set the minimum length of letters that users must change from the previous password. If the Minimum strength is set to Number, Must be alphanumeric, or Must include special characters, it must be less than the Minimum length.
The value can be between 1 - 10 words.
Samsung Knox 1.0 or higher
>> Prohibited words
Allows the use of prohibited words in a password.
>>> Set prohibited words
Set prohibited words in a password.
  • To add a word, enter the word in the field and click .
  • To delete a word, click next to the added word.
Samsung Knox 1.0 or higher
Maximum screen timeout
Set the maximum time limit that a user can linger before screen timeout.
Samsung Knox 2.0 or higher
Password visibility settings
Shows the password when entering it.
Samsung Knox 1.0 or higher
Pattern lock visibility settings
Shows the password when entering it.
Samsung Knox 1.0 or higher
Smartcard Browser Authentication
Allows Smartcard Browser Authentication within the internet browser.
When the policy is allowed, the Bluetooth security mode is applied while the device is connected to the smart card reader and will not accept other Bluetooth connections.
Note
  • To use this policy, Bluetooth smart card-related applications must be installed on the device and the smartcard must be registered in the Settings menu of the device.
  • Android 10 (Q) or higher devices are not supported.
Samsung Knox 1.0 or higher
Unlock with fingerprint
Allows the use of the fingerprint unlock control.
Samsung Knox 2.1 or higher
Unlock with iris
Allows the use of the iris unlock control.
Samsung Knox 2.2 or higher
Enforce Multi factor Authentication
Allows the use of two-step authentication.
  • Use: Forces the screen lock to release via fingerprint or iris recognition.
  • Do not use: Disables the two-step authentication settings via your fingerprint or iris recognition.
Note
When the Knox Workspace is created, it is set to select only two factor authentication on the password setup stage. Even when the manager chooses to disable ‘Unlock with fingerprint’ or ‘Unlock with Iris’, you can still use your fingerprint or iris for two-step verification.
Samsung Knox 2.0 or higher
Block function setting on lock screen
Blocks the function set in the lock screen.
> Block functions on lock screen
Set the lock screen function options.
  • Trust Agent: Set whether to use the Knox Quick Access on the lock screen.
Samsung Knox 2.4 - 2.9
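
The ranges and cross-field rules in the Security table above can be checked offline before a profile is saved. The following is an added example, not Knox Manage code: the dictionary keys are hypothetical names chosen here, and both sample policies are constructed.

```python
# Offline consistency check for a Knox Workspace password policy.
# Ranges and cross-field rules come from the Security table above; the
# dictionary keys are hypothetical names, not Knox Manage identifiers.

RANGES = {
    "max_failed_attempts": (0, 10),
    "expiration_days": (0, 365),
    "password_history": (0, 10),
    "min_letters": (1, 10),
    "min_lowercase": (1, 10),
    "min_uppercase": (1, 10),
    "min_non_letters": (1, 10),
    "min_numeric": (1, 10),
    "min_special": (1, 10),
    "max_repeated": (1, 10),
    "max_sequential_numbers": (1, 10),
    "max_sequential_chars": (1, 10),
    "min_char_change": (1, 10),
}

# The allowed Minimum length depends on the selected Minimum strength.
# The table gives no numeric range for Pattern, so none is enforced here.
LENGTH_RANGES = {"Numeric": (4, 16), "Alphanumeric": (4, 16), "Complex": (6, 16)}
STRENGTHS = ("Pattern", "Numeric", "Alphanumeric", "Complex")


def validate_policy(policy):
    """Return a list of violations; an empty list means the policy is consistent."""
    strength = policy.get("min_strength")
    if strength not in STRENGTHS:
        return [f"min_strength must be one of {STRENGTHS}, got {strength!r}"]

    problems = []

    # 1. Per-field range checks for every field that is present.
    for key, (low, high) in RANGES.items():
        value = policy.get(key)
        if value is not None and not low <= value <= high:
            problems.append(f"{key}={value} is outside {low}-{high}")

    min_length = policy.get("min_length")
    if min_length is not None and strength in LENGTH_RANGES:
        low, high = LENGTH_RANGES[strength]
        if not low <= min_length <= high:
            problems.append(f"min_length={min_length} is outside {low}-{high} for {strength}")

    def total(*keys):
        # Fields that are not set contribute nothing to a sum.
        return sum(policy.get(k) or 0 for k in keys)

    letters = policy.get("min_letters")
    non_letters = policy.get("min_non_letters")

    # 2. Alphanumeric: Minimum number of letters must be 1.
    if strength == "Alphanumeric" and letters is not None and letters != 1:
        problems.append("min_letters must be 1 when min_strength is Alphanumeric")

    # 3. Complex: each total must cover the sum of its parts.
    if strength == "Complex":
        if min_length is not None and min_length < total("min_letters", "min_non_letters"):
            problems.append("min_length is less than min_letters + min_non_letters")
        if letters is not None and letters < total("min_lowercase", "min_uppercase"):
            problems.append("min_letters is less than min_lowercase + min_uppercase")
        if non_letters is not None and non_letters < total("min_numeric", "min_special"):
            problems.append("min_non_letters is less than min_numeric + min_special")

    # 4. Minimum length of character change must be less than Minimum length.
    change = policy.get("min_char_change")
    if strength != "Pattern" and None not in (change, min_length) and change >= min_length:
        problems.append("min_char_change must be less than min_length")

    return problems


# Constructed sample: four separate violations of the table's rules.
BROKEN = {
    "min_strength": "Complex", "min_length": 6, "expiration_days": 400,
    "min_letters": 3, "min_lowercase": 2, "min_uppercase": 2,
    "min_non_letters": 4, "min_numeric": 2, "min_special": 1,
    "min_char_change": 6,
}

# Constructed sample: the same policy with every rule satisfied.
FIXED = {
    "min_strength": "Complex", "min_length": 8, "expiration_days": 90,
    "max_failed_attempts": 5, "password_history": 5,
    "min_letters": 4, "min_lowercase": 2, "min_uppercase": 2,
    "min_non_letters": 3, "min_numeric": 2, "min_special": 1,
    "min_char_change": 4,
}

if __name__ == "__main__":
    for name, policy in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, validate_policy(policy) or "consistent")
```
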

Application

Policy
Description
Supported devices
Installation of application from untrusted sources
Allows the installation of applications from untrusted sources instead of just the Google Play Store.
Android 8.0 or higher
App Installation Black/Whitelist Setting
Set to control the application installation policies on the Knox Workspace.
> Application installation blacklist
Add applications to prohibit their installation on the Knox Workspace.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To add all applications, click Add all.
  • To delete an application, click next to the added application.
Note
  • If a control application registered with a wildcard (*) in the package name is added to this policy, the specific package will not be installed.
e.g.) com.*.emm / com.sds.* / com.*.emm.*
  • Previously installed blacklisted applications will also be removed.
  • An application that has been added on the Application installation whitelist policy cannot be added.
Samsung Knox 1.0 or higher
> Application installation whitelist
Add applications to allow their installation on the Knox Workspace.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To add all applications, click Add all.
  • To delete an application, click next to the added application.
Note
  • If a control application registered with a wildcard (*) in the package name is added to this policy, the specific package will not be installed.
e.g.) com.*.emm / com.sds.* / com.*.emm.*
  • Any applications not on the whitelist are deleted, even if they are not on the blacklist.
  • An application that has been added to the Application installation blacklist policy cannot be added.
Samsung Knox 2.0 or higher
App Execution Blacklist Setting
Set to control the execution blacklist on the Knox Workspace.
> Application execution blacklist
Add applications to prevent their execution in Knox Workspace. The icon of the blacklisted application disappears and users cannot run the application.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
Note
An application that has been added to the Application installation whitelist policy cannot be added.
Samsung Knox 1.0 or higher
Application execution prevention list setting
Allows application installation but prevents application execution.
> Application execution prevention list
Add applications to be displayed but not executable on the Knox Workspace. Listed applications can be installed and the icons will be displayed, but they will not be executable.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
Samsung Knox 2.0 or higher
Application uninstallation prevention list Setting
Set to control the application uninstallation policies.
> Application uninstallation prevention list
Add applications to prevent their uninstallation on Knox Workspace.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
Samsung Knox 1.0 or higher
App installation authority whitelisting settings
Set the applications with installation permissions on Knox Workspace.
> Application installation whitelist
Add applications to allow installation on the Knox Workspace. Selected applications will be added to the View list with the package name of the applications.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
Samsung Knox 1.0 or higher
GMS application
Allows Google Mobile Service (GMS) application installation. If the GMS application policy is disallowed, the basic applications provided by Google do not appear.
Samsung Knox 2.0 or higher
TIMA CCM profile whitelist
Allows the use of the TIMA Client Certificate Manager (CCM) profile on Knox Workspace.
  • Entire application: Applications in the Knox Workspace can access TIMA CCM.
  • Whitelist Application: Only the added applications on the whitelist can access TIMA CCM.
> TIMA CCM profile application whitelist
Add applications to access the TIMA CCM on the Knox Workspace.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
Samsung Knox 2.1 or higher
TIMA CCM profile app access restriction exception list settings
Allows only the set applications to access the TIMA CCM profile even when the Knox Workspace is locked.
> TIMA CCM profile app access restriction exception list
Add applications to access the TIMA CCM profile even when the Knox Workspace is locked.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
Note
  • If Whitelist Application is selected in the TIMA CCM profile whitelist policy, only the whitelisted applications can access TIMA CCM.
  • If Entire application is selected in the TIMA CCM profile whitelist policy, the access restrictions of the applied applications are excluded.
Samsung Knox 2.1 or higher
Settings for whitelisting apps allowing external SD card
Allows the use of an external SD card in Knox Workspace. The external SD card cannot be used by default in the Knox Workspace.
> Whitelisted apps for external SD card
Add applications that can use an external SD card.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
Samsung Knox 2.2 or higher
Battery optimization exceptions
Set to exempt applications from the battery optimization function. This policy may cause battery loss.
> Apps excluded from battery optimization
Add applications to exempt from the battery optimization function on Knox Workspace.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
Samsung Knox 2.7 or higher
Set General area app installation
Allows the applications installed in the general area to be installed in the Knox Workspace area.
> General area app installation list
Add the applications in the general area to be installed in the Knox Workspace area.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
Note
A list of Android platform applications is displayed in Profile > Manage Control App.
Samsung Knox 2.1 or higher
App Data deletion control setting
Allows control of the deletion of the internal application data inside Knox Workspace.
> App Data deletion prevention list
Add applications to protect the internal application data from being deleted. The internal data delete button is disabled to block users from arbitrarily deleting application data.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To add all applications, click Add all.
  • To delete an application, click next to the added application.
Note
Add the registered application to the App Data deletion protection list policy with a wildcard character in the package name. Then the application data for the specific registered package cannot be deleted.
e.g.) com.*.Knox Manage / com.sds.* / com.*.Knox Manage.*
Samsung Knox 1.0 or higher
> App Data deletion protection exception list
Add applications to delete the internal application data.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To add all applications, click Add all.
  • To delete an application, click next to the added application.
Samsung Knox 1.0 or higher
Application force stop prohibition list setting
Set to prohibit applications from being force stopped.
> Force stop blacklist
Add applications to prohibit force stop.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
Samsung Knox 1.0 or higher
Show ProgressBar when installing apps
Set to display the ProgressBar, which displays the progress of the application downloads made in Knox Manage.
Samsung Knox 1.0 or higher
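
Because blacklisted applications that are already installed are removed, and applications missing from a whitelist are deleted, it helps to preview what a wildcard entry would hit before applying the profile. The following is an added example, not part of Knox Manage: it assumes that `*` stands for any run of characters (dots included), that a whitelist only takes effect when it has entries, and it runs on a constructed package inventory.

```python
import re


def compile_pattern(pattern):
    """Turn a package pattern such as com.*.emm into a regex.

    Assumption: '*' matches any run of characters, dots included. The page
    does not define the matching rules, so confirm this on a test device.
    """
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))


def hits(package, patterns):
    """Return the patterns that match the whole package name."""
    return [p for p in patterns if compile_pattern(p).fullmatch(package)]


def preview(installed, blacklist, whitelist=()):
    """Return (removed, conflicts) for a proposed pair of installation lists.

    removed   maps package -> reason it would be removed from the Workspace.
    conflicts maps package -> (blacklist hits, whitelist hits). The console
    rejects an application placed on both lists, but overlapping wildcard
    entries can still cover the same package, so these are reported for
    manual resolution instead of being counted as removed or kept.
    """
    removed, conflicts = {}, {}
    for package in installed:
        black = hits(package, blacklist)
        white = hits(package, whitelist)
        if black and white:
            conflicts[package] = (black, white)
        elif black:
            removed[package] = "blacklist: " + ", ".join(black)
        elif whitelist and not white:
            removed[package] = "not on whitelist"
    return removed, conflicts


# Constructed inventory of packages installed in the Knox Workspace.
INSTALLED = [
    "com.sds.emm",
    "com.sds.mail",
    "com.acme.emm",
    "com.acme.emm.agent",
    "com.example.notes",
    "org.example.chat",
]

if __name__ == "__main__":
    removed, conflicts = preview(INSTALLED, ["com.*.emm", "com.sds.*"])
    for package, reason in sorted(removed.items()):
        print(f"would remove {package} ({reason})")
    for package in sorted(conflicts):
        print(f"conflict: {package} is matched by both lists")
```
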

Browser

Browsers must be closed and opened again to apply the changes.
Policy
Description
Supported devices
Android browser
Allows using the Android browser in the Knox Workspace.
Samsung Knox 1.0 or higher
> Cookies
Allows cookies in the Android browser of the Knox Workspace.
Samsung Knox 1.0 or higher
> JavaScript
Allows JavaScript in the Android browser of the Knox Workspace.
Samsung Knox 1.0 or higher
> Autofill
Allows auto-completion of information that you enter on websites in the Android browser of the Knox Workspace.
Samsung Knox 1.0 or higher
> Pop-up block
Allows blocking pop-ups in the Android browser of the Knox Workspace.
Samsung Knox 1.0 or higher
Browser proxy URL
Set the proxy server address for the Android browser in the Knox Workspace.
Enter the value in the form of IP:port or domain:port in the fields.
Note
  • The Chrome browser and Samsung S browser are supported.
  • The supported version for Chrome is Knox 1.0.1 - 2.6.
Samsung Knox 1.0 or higher

Firewall

The firewall supports IPv6 for SDK 2.6 or above. Even if the IPv4 and the IPv6 indicate the same address, a separate configuration is required.
Policy
Description
Supported devices
Firewall
Set to use the firewall to set target IP addresses. The firewall policy is enabled by default.
Samsung Knox 1.0 - 2.4.1
> Firewall type
Select and configure the firewall type to use in Knox Workspace.
  • All Packages: Input values for Permission policy and Prohibition policy.
Note
Android 10 (Q) or higher devices are not supported.
  • By Application: Input values for Permission policy (IP), Prohibition policy (IP), Permitted policy (Domain), Prohibited policy (Domain), and DNS setting.
>> Permission policy
Input values to permit access through the firewall.
  1. Enter a Host Pattern and Port.
  2. Select a Network Type:
  • All
  • Data: Only mobile network access is enabled.
  • Wi-Fi: Only Wi-Fi network access is enabled.
  3. Select Port Range:
  • All
  • Local: Port access from the device is enabled.
  • Remote: Port access from the target server is enabled.
  4. Click to add.
Note
Before setting this policy, disable all IPs and ports by entering a wildcard character (*) to the Prohibited policy (IP) ranges.
Samsung Knox 1.0 - 2.4.1
>> Prohibition policy
Input values to prohibit access through the firewall.
  1. Enter a Host Pattern and Port.
  2. Select Network Type:
  • All
  • Data: Only mobile network access is disabled.
  • Wi-Fi: Only Wi-Fi network access is disabled.
  3. Select Port Range:
  • All
  • Local: Port access from the device is disabled.
  • Remote: Port access from the target server is disabled.
  4. Click to add.
Samsung Knox 1.0 - 2.4.1
>> Permitted policy (IP)
Input values to permit the target IP and port address. Configure the following:
  1. Enter or click Add to search the Package Name of the application.
  2. Input the IP Address (range) and Port (range).
  3. Select the Network Type:
  • All
  • Data: Only mobile network access is enabled.
  • Wi-Fi: Only Wi-Fi network access is enabled.
  4. Select Port Range:
  • All
  • Local: Port access from the device is enabled.
  • Remote: Port access from the target server is enabled.
  5. Click to add.
Note
Before setting this policy, disable all IPs by entering a wildcard character (*) to the Prohibited policy (IP) ranges.
Samsung Knox 2.5 or higher
>> Prohibited policy (IP)
Input values to prohibit the target IP and port address. Configure the following:
  1. Enter or click Add to search the Package Name of the application.
  2. Enter the IP Address (range) and Port (range).
  • Enter a wildcard character (*) as an IP Address to prohibit the use of the bandwidth.
  3. Select Network Type:
  • All
  • Data: Mobile network access is disabled.
  • Wi-Fi: Wi-Fi network access is disabled.
  4. Select Port Range:
  • All
  • Local: Port access from the device is disabled.
  • Remote: Port access from the target server is disabled.
  5. Click to add.
Note
When entering the IP address, you can use a wildcard character (*) to disable the bandwidth usage.
Samsung Knox 2.5 or higher
>> Permitted policy (Domain)
Input values to permit the target domain address.
  1. Enter or click Add to search the Package Name of the application.
  2. Input the IP Address (range) and Port (range).
Note
  • Before setting this policy, disable all domains by entering a wildcard character (*) to the Prohibited policy (Domain) ranges.
  • Use a wildcard character (*) to allow the use of a specific domain. The character must be placed before or after the domain name.
e.g.) *android.com / www.samsung*
Samsung Knox 2.6 or higher
>> Prohibited policy (Domain)
Input values to prohibit the target domain address.
  1. Enter or click Add to search the Package Name of the application.
  2. Input the IP Address (range) and Port (range).
Note
Use a wildcard character (*) to disable a specific domain.
Samsung Knox 2.6 or higher
>> DNS setting
Input values to specify the domain server address of all applications or registered applications.
  1. Enter or click Add to search the Package Name of the application.
  2. Input DNS values.
  • DNS1: Primary DNS.
  • DNS2: Secondary DNS.
Note
Only one DNS per application can be set and it is effective only when there are no VPN or Proxy policies assigned to the application.
Samsung Knox 2.7 or higher

Container Data

Policy
Description
Supported devices
Moving an application to container
Allows moving applications from the general area to the Knox Workspace.
Note
Android 10 (Q) or higher devices are not supported.
Samsung Knox 2.0 or higher
Moving a file to Knox area
Allows moving files from the general area to the Knox Workspace.
Samsung Knox 2.0 or higher
Moving a file to General area
Allows moving files from the Knox Workspace to the general area.
Samsung Knox 2.0 or higher
Calendar sync setting
Allows syncing calendar data between the general area and the Knox Workspace.
Android 8.0 or lower
> Calendar data sync
Set how the calendar data is synced between the general area and the Knox Workspace:
  • Allow Import: Allows importing the calendar data of the general area to the Knox Workspace.
  • Allow Export: Allows exporting the calendar data of the Knox Workspace to the general area.
Samsung Knox 2.0 or higher
Contacts sync setting
Allows syncing contact data between the general area and the Knox Workspace.
> Contacts data sync
Sets Data Loss Protection (DLP):
  • Allow Import: Allows importing the calendar data of the general area to the Knox Workspace.
  • Allow Export: Allows exporting the calendar data of the Knox Workspace to the general area.
Samsung Knox 2.0 or higher
Copy and Paste Clipboard per Profile
Allows copying and pasting with the clipboard between the personal and work areas.

Exchange ActiveSync

You can add more Exchange Active policy sets by clicking .
Policy
Description
Configuration ID
Assign a unique ID for each Exchange setting.
Description
Enter a description for each Exchange setting.
Remove available
Allows users to delete the Exchange settings in Knox Workspace.
Office 365
Allows configuring the Exchange settings.
Note
This policy will automatically fill out the Exchange server address and the SSL option as ‘Use’.
User information input method
Select an input method for entering user information.
> Manual Input
Select to manually enter the email address, account ID, and password of a user.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
> Connector interworking
Select to choose a connector from the User Information Connector list.
Note
All the connectors are listed in Advanced > System Integration > Directory Connector.
> User Information
Select to access the exchange server using the registered Knox Manage email and ID. The password must be entered from the user’s device.
Domain
Enter a domain address for the Exchange server.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
Exchange server address
Enter the Exchange server information such as IP address, host name or URL.
Sync measure for the early data
Select the interval period to sync the past emails. The sync interval and synchronization are in accordance with the email application settings.
Email sync Interval
Select the interval period to sync the past emails.
Note
The sync interval and synchronization are in accordance with the email application settings.
User certificate input method
Select an input method for entering certificate information.
> EMM Management Certificate
Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.
Note
Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.
  • Certificate: Select a certificate to use from the User Certificate list.
> Connector interworking
Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration (Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Adding sync services.
When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.
  • User certificate Connector: Select a connector to use from the User certificate Connector list.
> Issuing External CA
Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Adding external certificates.
  • Issuing external CA: Select an external CA to use from the Issuing external CA list.
Sync calendar
Syncs schedules on a calendar from a server to a device.
Sync contacts
Syncs contact information in a phone book from a server to a device.
Sync task
Syncs task items from a server to a device.
Sync notes
Syncs notes from a server to a device.
SSL
Set to use SSL for email encryption.
Note
If the Office 365 setting is used, the SSL option is automatically set to ‘Use’.
Signature
Enter the email signature to use.
Notification
Notifies the user of new emails.
Always vibrate on notification
Notifies the user of new emails with a vibration.
Silent notification
Mutes email notifications.
Note
Always vibrate on notification and Silent notification cannot be used at the same time.
Attachments capacity (byte)
Enter the email attachment file size limit in bytes.
The input value ranges from 1 to 52428800 (50MB).
Maximum Size of Email Body (Kbyte)
Select a maximum value for the email body size. This is only set once during the initial Exchange ActiveSync setup.
> Default Size of Email Body (Kbyte)
Select the default value of the email body size.
Note
Select this setting after the Maximum Size of Email Body (Kbyte) setting.

Email Account

You can add more email account policy sets by clicking .
Policy
Description
Configuration ID
Assign a unique ID for each email account setting.
Description
Enter a description for each email account setting.
Remove available
Allows users to delete the email account settings in Knox Workspace.
Default Account
Specifies the usage of the default account.
User Information input method
Select an input method for entering user information.
> Manual Input
Select this to enter the email address manually. You can also enter the incoming server ID, incoming server password, outgoing server ID, and outgoing server password for the email connection.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be entered automatically.
> Connector interworking
Select a connector from the user information connector.
Note
The connectors are listed in Advanced > System Integration > Directory Connector.
> User Information
Select to access the relevant mail server using the registered Knox Manage email, ID, and password. The password must be entered from the user’s device.
Incoming Server Protocol
Select between the POP3 (pop3) and IMAP (imap) protocol.
Outgoing Server Protocol
Entered automatically as SMTP.
Incoming Server Address/port
Enter the Incoming Server address/port in a provided format.
Outgoing Server Address/port
Enter the outgoing server address in a provided format.
Incoming Server ID
Enter an incoming server ID to log in to the incoming mail server manually. This protocol is only available when Manual Input is selected.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be entered automatically.
Outgoing Server ID
Enter an outgoing server ID to log in to the outgoing mail server manually. This protocol is only available when Manual Input is selected.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be entered automatically.
Incoming Server Password
Enter an incoming server password to log in to the incoming mail server manually. This protocol is only available when Manual Input is selected.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be entered automatically.
Outgoing Server Password
Enter an outgoing server password to manually log in to the outgoing mail server. This protocol is only available when Manual Input is selected.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be entered automatically.
Incoming SSL
Select this to use SSL encryption.
Outgoing SSL
Select this to use SSL encryption.
Notification
Select an email notification method.
  • Enable Notification: Activates email notification.
  • Enable ‘Always notify by vibrate mode’: Notifies the user of new emails with a vibration.
  • Disable Notification: Deactivates email notification.
All incoming certificates
Allows receiving certificates.
All outgoing certificates
Allows sending certificates.
Signature
Enter an email signature to use.
Account Name
Assign an account name.
Sender Name
Assign a sender name.

Bookmark

You can add, modify, or delete the bookmarks in the Samsung S browser, the default browser on Samsung Galaxy devices. You can add more bookmark policy sets by clicking .
Note
  • Browsers must be closed and opened again to apply the changes.
  • Even if a user modifies a registered bookmark or registers a bookmark with the same URL and name, it will not be deleted when the bookmark setting is deleted.
  • Even if a user manually deletes the set bookmark, due to the limitations of Samsung devices, the application may still appear to be installed. In this case, you have to delete the bookmark in the profile, and then recreate the bookmark.
Policy
Description
Name
Assign a unique ID for each bookmark setting.
Description
Enter a description for each bookmark setting.
Bookmark page URL
Enter a website address to go to when a bookmark is selected.
Bookmark name
Enter a bookmark name to be displayed as the title in a bookmark.

Knox VPN

Knox VPN settings are provided to help you set up a VPN on a Knox Workspace more easily. You can add more Knox VPN policy sets by clicking .
Note
Only one Knox VPN can be set on a device regardless of the Knox Workspace area or General area.
Policy
Description
Configuration ID
Assign a unique ID for the Knox VPN setting.
VPN name
Enter a VPN name to display on the user device.
Description
Enter a description for the Knox VPN setting.
Remove available
Allows users to delete the Knox VPN setting.
VPN vendor name
Select a VPN vendor among F5, Juniper, Cisco, and User defined. Input fields vary depending on the selected VPN vendor name.
Note
Select User defined to set up a different vendor’s VPN service, such as Sectra mobile VPN. For more information, see Entering a VPN vendor manually.
VPN client vendor package name
Entered automatically according to the selected VPN vendor name. If User defined is selected, you must manually enter this value.
VPN type
Entered automatically when you select F5 or Juniper. If another vendor is selected, you must manually select this value.
Entering methods for Knox VPN
Select an entering method for Knox VPN information.
Note
Input fields vary depending on the selected VPN vendor and the entering method.
Upload Knox VPN profile
Allows uploading a Knox VPN profile when you set Entering methods for Knox VPNs to Upload profile.
You can upload a text file in the JSON format. JSON varies depending on the VPN vendor and VPN type.
For more information about sample files, see the sample file of a Sectra Mobile VPN configuration in Configuring a Knox VPN profile manually and see the sample file of Cisco VPN configuration in Sample file for uploading a Knox VPN profile.
User certificate input method
Select an input method for entering certificate information.
  • EMM Management Certificate: Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate.
Note
All users share this one certificate for each network setting. Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.
  • Connector interworking: Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Adding sync services.
When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.
  • Issuing external CA: Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Adding external certificates.
Authentication Method
Select an authentication method.
  • Not Applicable: Disables authentication.
  • Certificate-based Authentication: Uses certificates for authentication in the Knox VPN setting.
  • CAC-based Authentication: Uses two-factor authentication provided by CAC (Common Access Card).
CA Certificate
Select a certificate to use from the CA certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as Knox VPN and the Type set as Root will appear on the list.
Server certificate
Select a certificate to use from the certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as Knox VPN and the Type set as User will appear on the list.
FIPS mode
Allows the use of FIPS mode.
FIPS (US Federal Information Processing Standards) encrypts all data with FIPS-140-2 authentication modules between the server and client.
Auto Re-connection
Allows connecting automatically when an error occurs.
VPN route type by application
Select to use a VPN for selected applications or for all applications in the General area.
  • By Application: Click Add next to The VPN applied package name per app and select applications, and then click Save.
  • All Packages: All applications in the General area are subject to a VPN.

Configuring a Knox VPN profile manually

You can manually enter a profile when Manual Input is selected in the Entering methods for Knox VPN field. Set the options as below:
  1. Enter the IP address, host name, or URL of the VPN server in the Server address.
  • The VPN route type, which enables the use of VPN tunneling, is automatically entered.
  2. Select to use user authentication.
  3. Enter the user information for authentication depending on the selected method of entering user information:
  • If the VPN vendor is set to F5 or Juniper, configure the following:
Method
Description
Manual Input
Enter the user ID and Password for the VPN connection.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
Connector interworking
Choose a connector from the User information Connector.
All the connectors are listed in Advanced > System Integration > Directory Connector.
User Information
Use the user information registered in Knox Manage to access a VPN.
  4. Select a VPN type and enter the parameters. Required parameters vary depending on the selected VPN type.
  • If the VPN type is set to SSL, enter the SSL algorithm that the server requires for the SSL algorithm section.
  5. Select a VPN connection type.
  • KEEP ON: Keep the VPN connection.
  • On Demand: Connect to the VPN upon request.
  6. Select the chaining type.
  7. Select to use the UID PID.
  8. Select to use the Logon mode.
  • Logon mode is used when the VPN vendor name is set to F5.

Certificate

You can add more certificate policy sets by clicking .
Policy
Description
Configuration ID
Assign a unique ID for each certificate setting.
Description
Enter a description for each certificate setting.
User certificate input method
Select an input method for entering certificate information.
  • EMM Management Certificate: Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate.
Note
All users share this one certificate for each network setting. Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.
  • Connector interworking: Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Adding sync services.
When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.
  • Issuing external CA: Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Adding external certificates.
Certificate category
Select a certificate category when EMM Management Certificate is selected in User certificate input method:
  • CA certificate: Select a certificate to use from the CA certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as Root will appear on the list.
  • User certificate: Select a certificate to use from the User Certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as User will appear on the list.

Configuring iOS Policies

Create a profile and register policies for iOS devices.
You can configure the policies below for iOS devices. The availability of each policy varies depending on the OS version.
  • Allows features such as camera, screen capture, and Siri.
  • Configures the password settings.
  • Allows using Game Center, iMessage, and YouTube, and also enables configuring options for application controls, such as installation and blacklist/whitelist.
  • Configures the phone settings such as video calling and voice dialing.
  • Allows the use of AirDrop and the transferring of data between managed applications and unmanaged applications.
  • Allows using the Safari browser and configuring its settings.
  • Configures the iCloud settings, such as backup, iCloud photo library, and photo sharing.
  • Enables selecting a country to choose the level of media content, such as movies, TV shows, and applications.
  • Configures Wi-Fi settings, such as SSID, security type, and proxy.
  • Configures the settings of Microsoft Exchange ActiveSync accounts to synchronize data with it.
  • Configures VPNs (Virtual Private Network) on iOS devices.
  • Allows using new certificate authority (CA) certificates and configuring the certificate settings.
  • Configures the SSO (Single Sign On) settings for one-click access to all applications.
  • Configures the cellular network settings, such as AttachAPN and APNs.
  • Configures the AirPrint settings to enable computers to automatically detect an AirPrint printer.
  • Allows the delivering of new fonts to devices.
  • Configures the display of web shortcuts on an iOS device.
  • Configures the functions of an application that is locked down on a supervised device.
  • Configures a global HTTP proxy to direct all HTTP traffic through a designated proxy server.
  • Configures the AirPlay settings to allow iOS devices to share content.
  • Configures the settings for the Web content filter to control accessing specific URLs on a web browser.
  • Specifies URLs or subdomains to allow downloading content from these domains without any restrictions.
  • Configures network usage rules to control which applications can access data or when the device is roaming.

System

Policy
Description
Supported devices
Camera
Allows using the camera.
iOS 4.0 or higher
Screen capture
Allows use of the screen capture function, which is already set as default.
iOS 4.0 or higher
Siri
Allows using Siri.
iOS 5.0 (iPhone 4S)
iOS 6.0 (iPad 3)
> Siri on lock screen
Allows using Siri on the lock screen.
iOS 5.1 (iPhone 4S)
iOS 6.0 (iPad 3)
> Web search result on Siri
Allows displaying the web search results on Siri.
iOS 7.0 or higher
Supervised
> Profanity filter on Siri
Select to use the Profanity filter on Siri.
  • Forced use: Users are forced to use the Profanity filter on Siri.
  • User selection: Users are allowed to select whether to use the Profanity filter on Siri.
iOS 5.0 (iPhone 4S)
iOS 6.0 (iPad 3) or higher
Supervised
Submission of diagnosis and usage details
Allows submitting diagnostic results and usage information to the manufacturer.
Note
Personally identifiable or sensitive information will be data masked.
iOS 6.0 or higher
Passbook on lock screen
Allows using the Passbook on the lock screen.
iOS 6.0 or higher
Control center on lock screen
Allows using the Control center on the lock screen.
iOS 7.0 or higher
Display notifications on lock screen
Allows displaying the notifications on the lock screen.
iOS 7.0 or higher
Display Today view on lock screen
Allows displaying the Today view on the lock screen.
iOS 7.0 or higher
Manual installation for profile
Allows manual installation of the Apple Configuration Profile.
iOS 6.0 or higher
Supervised
Control editing account information
Allows editing the account information.
iOS 7.0 or higher
Supervised
Automatic updates of certificate trust settings
Allows automatic updates of the certificate trust settings.
iOS 7.0 or higher
Encryption for iTunes backup
Select to encrypt the iTunes backup.
  • Forced use: Users are forced to encrypt.
  • User selection: Users are allowed to select whether to encrypt.
iOS 7.1 or higher
iTunes pairing
Allows iTunes connection with unauthorized PCs.
iOS 7.0 or higher
Supervised
Limited Ad tracking
Select to use the Limit Ad tracking.
  • Forced use: Users are forced to use Limit Ad tracking.
  • User selection: Users are allowed to select whether to use Limit Ad tracking.
iOS 7.0 or higher
Factory reset
Allows a device to factory reset.
iOS 8.0 or higher
Supervised
Result of web search with Spotlight
Allows displaying the web search results from Spotlight search.
iOS 8.0 or higher
Supervised
Block configuration
Allows users to configure any restrictions on the menus by activating the block menu function. If the policy is prohibited, the users cannot configure the device via the block menu function.
iOS 8.0 or higher
Supervised
Change device name
Select to automatically change the device name to a mobile ID when updating the profile.
For this policy, you can send a device command to set the device name as the mobile ID.
iOS 8.0 or higher
Supervised
Allow Bluetooth Modification
Allows modifying Bluetooth settings on the device.
iOS 10.0 or higher
Supervised

Security

Policy
Description
Supported devices
Password policies
Set to apply the password policy when the screen is locked.
> Password strength
Set the password strength on the screen.
  • None: Set the password with a four digit number.
  • Numeric: Set the password using numbers.
  • Must be alphanumeric: Set the password using alphanumeric characters.
  • Must include special characters: Set it so that the passwords must include alphanumeric and special characters.
iOS 4.0 or higher
> Maximum Failed Login Attempts
Set the maximum number of incorrect password attempts before resetting the device to its factory settings.
The value can be between 0 - 10 times.
iOS 4.0 or higher
> Minimum length
Set the minimum length of the password.
The value can be between 0 - 16 characters.
iOS 4.0 or higher
> Expiration after (days)
Set the maximum number of days before the password must be reset.
The value can be between 0 - 730 days.
iOS 4.0 or higher
> Manage password history (times)
Set the minimum number of new passwords that must be used before a user can reuse the previous password.
The value can be between 0 - 50 times.
iOS 4.0 or higher
> Screenlock time (min)
Set the maximum inactive time before the screen of the device is locked. The maximum allowed time varies by device-type.
Note
1, 3, and 4 minute intervals are available with iPhone. 10 and 15 minute intervals are available with iPad.
iOS 4.0 or higher
> Screenlock grace period (min)
Set the time duration for device lock after turning off a device screen without entering the password.
Note
Select 0 to lock the device immediately.
iOS 4.0 or higher
> Screen unlock with Touch ID
Allows screen unlock with Touch ID.
iOS 7.0 or higher

Application

Policy
Description
Supported devices
Application installation
Allows the installation of applications.
Note
Applications can be installed using MDM but cannot be installed using iTunes.
iOS 4.0 or higher
> Allow App Store to install Apps
Allows using the App Store for application installation.
Note
Applications can be installed using MDM but cannot be installed using iTunes.
iOS 9.0 or higher
Supervised
Application uninstallation
Allows applications to be deleted.
iOS 6.0 or higher
Supervised
iTunes Store
Allows using the iTunes Store.
iOS 4.0 or higher
> Explicit content on music and podcasts
Allows the purchase of explicit content from the iTunes Store.
iOS 4.0 or higher
Supervised
> Require iTunes password for every purchase
Select to require the iTunes Store password for every purchase made in the iTunes Store.
iOS 5.0 or higher
Game Center
Allows using Game Center.
iOS 6.0 or higher
Supervised
> Adding friends in Game Center
Allows adding friends in Game Center.
iOS 4.0 or higher
> Multiplayer games
Allows multiplayer games in Game Center.
iOS 4.0 or higher
Supervised
iBookstore
Allows iBookstore.
iOS 6.0 or higher
Supervised
Inappropriate content download on iBookstore
Allows downloading unrated media content.
iOS 6.0 or higher
Supervised (iOS 6.1 or below)
iMessage
Allows using the messaging application.
iOS 6.0 or higher
Supervised
YouTube
Allows using YouTube.
iOS 5.1 or lower
Find friends
Allows the Find My Friends function.
iOS 7.0 or higher
Supervised
In-app purchase
Allows in-app purchases.
iOS 4.0 or higher
Application black/whitelist Settings
Set to control the application installation policies. Both the blacklist and whitelist policies can be applied at the same time.
Note
If the Application black/whitelist Settings policy is set with no applications, then no other applications except for the Knox Manage Agent will be allowed to be executed and installed.
iOS 4.0
> Application installation blacklist
Add applications to prohibit their installation. Blacklisted applications will be deleted even if they were previously installed.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
Note
An application that has been added on the Application installation whitelist cannot be added.
iOS 4.0 or higher
> Application installation whitelist
Add applications to allow their installation. Any applications not on the whitelist are deleted, even if they are not on the blacklist.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
Note
An application that has been added on the Application installation blacklist cannot be added.
iOS 4.0 or higher
Autonomous single app mode
Set to use Autonomous Single App Mode, which enables applications to use Single App Mode on request. This policy grants a permission to perform the Application Lock function.
iOS 7.0 or higher
Supervised
> List of apps allowing auto single app mode
Add applications to autonomously enable or disable Single App Mode.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
iOS 7.0 or higher
Supervised
To trust company app
Allows the trusted Company applications. Company applications installed before the policy has been set can still be executed.
iOS 9.0 or higher

Phone

Policy
Description
Supported devices
Modification of cellular data settings for each application
Allows modifying cellular data usage per application.
iOS 7.0 or higher
Supervised
Video calling
Allows video calling.
iOS 4.0 or higher
Voice dialing
Allows voice dialing.
iOS 4.0 or higher
Background fetch for roaming
Allows background fetch when roaming.
iOS 4.0 or higher

Share

Policy
Description
Supported devices
Data transfer from managed to unmanaged applications
Allows transferring data from managed applications installed by Knox Manage to unmanaged applications installed by users.
iOS 7.0 or higher
Data transfer from unmanaged to managed applications
Allows transferring data from unmanaged applications installed by users to managed applications installed by Knox Manage.
iOS 7.0 or higher
AirDrop
Allows the use of AirDrop.
iOS 7.0 or higher
Supervised
Consider AirDrop not managed
Allows the sharing of managed documents when using AirDrop on the device.
iOS 9.0 or higher
Supervised

Browser

Policy
Description
Supported devices
Safari
Allows using Safari, the default iOS browser.
iOS 4.0 or higher
Cookies
Set the cookies permission in Safari.
  • Disallow: Disallows accepting cookies.
  • Currently only connected websites are allowed: Allows accepting cookies from the currently connected sites.
  • Only visited websites are allowed: Allows accepting cookies from the visited sites.
  • Always: Always allows cookies.
iOS 6.0 or below
JavaScript
Allows JavaScript in Safari.
iOS 6.0 or below
Autofill
Allows auto-completion of information that you enter on websites in Safari.
iOS 4.0 or higher
Block pop-ups
Allows blocking pop-ups in Safari.
iOS 4.0 or higher
Untrusted TLS certificate
Allows accepting untrusted TLS certificates.
iOS 5.0 or higher
Web forgery warning
Shows a warning message about potentially fraudulent websites.
  • Forced use: Safari is forced to display a warning message.
  • User selection: Users are allowed to select whether to use web forgery warning.
iOS 4.0 or higher

iCloud

Policy
Description
Supported devices
Backup
Allows backing up the device data on iCloud.
iOS 5.0 or higher
Document synchronization
Allows synchronizing device documents on iCloud.
iOS 5.0 or higher
iCloud Photo Library
Allows use of the iCloud Photo Library for uploading photos and videos on iCloud.
iOS 9.0 or higher
Photo stream
Allows using Photo Stream for storing personal photos on iCloud.
iOS 5.0 or higher
Photo sharing
Allows using Photo Sharing for sharing personal photos through iCloud.
iOS 6.0 or higher
Keychain synchronization
Allows Keychain synchronization on iCloud, which helps users to have consistent access to their user account, name, password, credit card number, email, contracts, schedule, and other user information on all their devices.
iOS 7.0 or higher
Managed app synchronization
Allows synchronizing managed applications installed by the Knox Manage server to save data on iCloud.
iOS 8.0 or higher
Handoff
Allows the use of Handoff, one of Apple’s Continuity features, to move and continue performing the same tasks seamlessly between devices through iCloud.
iOS 8.0 or higher

Media

Policy
Description
Supported devices
Rating for each country
Select a country to set a rating level for media content, such as movies, TV shows, and applications, from below:
  • United States/United Kingdom/New Zealand/Japan/Ireland/Germany/France/Canada/Australia.
iOS 4.0 or higher
> Movies
Set the maximum allowable movie rating.
iOS 4.0 or higher
> TV Shows
Set the maximum allowable TV show rating.
iOS 4.0 or higher
> Apps
Set the advertisement tracking restriction on the device.
iOS 4.0 or higher

Wi-Fi

You can add more Wi-Fi policy sets by clicking .
Policy
Description
Configuration ID
Assign a unique ID for each Wi-Fi setting.
Description
Enter a description for each Wi-Fi setting.
Network name (SSID)
Enter the identifier of a wireless router to connect to.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
Security Type
Specifies the access protocol used and whether certificates are required.
> WEP
Set a password.
> WPA/WPA2
> For all individuals
> Enterprise WEP
Configure the following items:
  • Protocol
  • Permitted EAP Type: Select the EAP types to permit. You can select multiple types.
  • EAP-FAST: Configure the EAP-FAST options. Enable the next options by clicking the previous one.
  • A dynamic trust decision by the user: Select whether to use the option.
  • Allow direct connection(Proxy URL): Select whether to use the option.
  • Authentication
  • One-time password for connection: Check to enable.
  • Manual Input: Enter the user ID and Password for the Wi-Fi connection.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
  • Connector interworking: Choose a connector from the User information Connector.
  • Trust
  • Root Certificate: Select a Root Certificate to use.
> Enterprise WPA/WPA2
> For all enterprises
Hotspot Availability
Check to enable Hotspot usage and configure its settings. If this policy is enabled, the device will be connected to Wi-Fi access points that support Hotspot 2.0.
> Hotspot Domain Name
Assign an identifier to the Wi-Fi hotspot service displayed on a device.
> Operator Name
Assign the name of the network provider shown on the device.
> Roaming Consortium OI
Add a Roaming Consortium organization ID to connect to.
> Network Access ID
Add an ID to authenticate network access.
> Hotspot Operator Code
Add both the Mobile Country Code (MCC) and the Mobile Network Code (MNC).
Note
For SK Telecom (a South Korean wireless telecom operator) devices, enter 45005.
Hidden Network
Check the checkbox to hide the network from the list of available networks on the device. The SSID does not broadcast.
Auto Connect (iOS 5 and above)
Check the checkbox to use an automatic Wi-Fi connection.
Note
This setting is for iOS 5 or higher.
Protocol
Specifies the permitted protocol for the Wi-Fi network.
Note
This tab is enabled if the Security Type is selected as Enterprise WEP, Enterprise WPA/WPA2, or for all enterprises.
> Permitted EAP Type
Select more than one permitted protocol: TLS, LEAP, EAP-FAST, TTLS, PEAP, and EAP-SIM.
Note
If TTLS is checked, select an extra protocol from the Internal Authentication Protocol.
> EAP-FAST
Select PAC protocols to use from the following:
  • Use PAC: Determines whether to use PAC.
  • PAC Deployment: Check the Use PAC option to enable it.
  • Anonymous PAC Deployment: Check PAC Deployment to enable it.
> A dynamic trust decision by user
Allows using a dynamic trust decision by the user protocol.
> Allow direct connection (Proxy URL)
Allows using the direct connection protocol.
Authentication
Specifies the authentication of the Wi-Fi users. This tab is enabled if the Security Type is selected as Enterprise WEP, Enterprise WPA/WPA2, or for all enterprises.
> One-time password for connection
Select to ask users to enter the password whenever Wi-Fi is connected.
  • If checked, the Auto Connect setting is automatically disabled.
  • If unchecked, the Auto Connect is automatically activated.
Note
This setting is for iOS 5 or higher.
> User information input method
Specifies the user information used and whether certificates are required. Select an input method as follows:
  • Manual Input: Enter the user ID and Password for the Wi-Fi connection.
  • Connector interworking: Choose a connector from the User information Connector.
You can also click Lookup to open the reference items list and select an item from it when entering an ID for the Manual Input. The reference value will be automatically entered.
> External ID
Assign an external ID for Manual Input.
Note
This setting is available when either TTLS, PEAP, or EAP-FAST is selected.
> User Certificate Type
Select the user certificate type.
  • EMM Management Certificate: Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.
Note
Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.
  • Connector interworking: Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Adding sync services.
When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.
  • Issuing external CA: Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template.
Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Adding external certificates.
Trust
Specifies the required certificates. This tab is enabled if the Security Type selected is Enterprise WEP, Enterprise WPA/WPA2, or for all enterprises.
> Trusted certificate name
Add the name of the Trusted certificate.
> Root Certificate
Select a Root Certificate.
Proxy
Select a proxy server settings method.
Note
This setting is for iOS 5 or higher.
> Manual
Configure the proxy server manually.
  • Proxy IP Address and Port: Enter the IP address of the proxy server and the port number used by the proxy server.
  • User name: Enter the username for the proxy server.
  • Proxy Authenticated User Password: Enter the password for the proxy server.
> Auto
Configure the proxy server automatically.
  • Proxy Server URL: Enter the URL of the proxy server.
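
The Wi-Fi table above makes several settings depend on others: the PAC options unlock in a chain, TTLS needs an internal authentication protocol, the one-time password toggles Auto Connect, and the Protocol, Authentication, and Trust tabs apply only to enterprise security types. The following Python example, added here and not part of Knox Manage, checks a policy set against those rules before it is entered in the console; the dictionary keys, rule IDs, and sample values are hypothetical and do not reflect any Knox Manage export format.

```python
"""Consistency checks for an iOS Wi-Fi policy set (added example).

Rules come from the Wi-Fi table above; the dictionary keys and rule IDs are
hypothetical and are not a Knox Manage export format.
"""

ENTERPRISE_TYPES = {"Enterprise WEP", "Enterprise WPA/WPA2", "For all enterprises"}
KNOWN_EAP = {"TLS", "LEAP", "EAP-FAST", "TTLS", "PEAP", "EAP-SIM"}
EXTERNAL_ID_EAP = {"TTLS", "PEAP", "EAP-FAST"}
# Settings that live on the Protocol, Authentication, and Trust tabs.
ENTERPRISE_ONLY_KEYS = ("permitted_eap_types", "eap_fast", "one_time_password",
                        "external_id", "trusted_certificate_name", "root_certificate")


def lint_wifi_policy(policy):
    """Return a list of (rule_id, message) pairs for one Wi-Fi policy set."""
    findings = []
    eap = set(policy.get("permitted_eap_types", []))
    fast = policy.get("eap_fast", {})

    if policy.get("security_type") not in ENTERPRISE_TYPES:
        # Those three tabs are enabled only for enterprise security types.
        stray = [key for key in ENTERPRISE_ONLY_KEYS if policy.get(key)]
        if stray:
            findings.append(("ENTERPRISE_ONLY",
                             "ignored on this security type: " + ", ".join(stray)))
    else:
        unknown = sorted(eap - KNOWN_EAP)
        if unknown:
            findings.append(("EAP_UNKNOWN", "not a listed EAP type: " + ", ".join(unknown)))
        if "TTLS" in eap and not policy.get("internal_auth_protocol"):
            findings.append(("TTLS_INNER", "TTLS needs an Internal Authentication Protocol"))
        # PAC options unlock in order: Use PAC -> PAC Deployment -> Anonymous PAC Deployment.
        if fast.get("pac_deployment") and not fast.get("use_pac"):
            findings.append(("PAC_DEPLOY", "PAC Deployment requires Use PAC"))
        if fast.get("anonymous_pac_deployment") and not fast.get("pac_deployment"):
            findings.append(("PAC_ANON", "Anonymous PAC Deployment requires PAC Deployment"))
        # Checking the one-time password disables Auto Connect; unchecking enables it.
        otp = bool(policy.get("one_time_password"))
        if "auto_connect" in policy and bool(policy["auto_connect"]) == otp:
            findings.append(("OTP_AUTOCONNECT",
                             "Auto Connect will be forced to %s" % (not otp)))
        if policy.get("external_id") and not (eap & EXTERNAL_ID_EAP):
            findings.append(("EXTERNAL_ID", "External ID needs TTLS, PEAP, or EAP-FAST"))

    proxy = policy.get("proxy", {})
    if proxy.get("mode") == "Manual" and not (proxy.get("ip") and proxy.get("port")):
        findings.append(("PROXY_MANUAL", "manual proxy needs an IP address and a port"))
    if proxy.get("mode") == "Auto" and not proxy.get("url"):
        findings.append(("PROXY_AUTO", "automatic proxy needs a proxy server URL"))
    return findings


def rule_ids(policy):
    """Sorted rule IDs only, convenient for comparing against a baseline."""
    return sorted(rule for rule, _ in lint_wifi_policy(policy))


# Constructed sample policy sets (all names and values are made up).
GOOD = {
    "security_type": "Enterprise WPA/WPA2",
    "permitted_eap_types": ["TLS", "EAP-FAST"],
    "eap_fast": {"use_pac": True, "pac_deployment": True,
                 "anonymous_pac_deployment": False},
    "one_time_password": False,
    "auto_connect": True,
    "root_certificate": "corp-root (constructed)",
    "proxy": {"mode": "Auto", "url": "http://proxy.example.test/proxy.pac"},
}
BAD = {
    "security_type": "Enterprise WPA/WPA2",
    "permitted_eap_types": ["TTLS", "EAP-TLS"],        # "EAP-TLS" is not a listed name
    "eap_fast": {"anonymous_pac_deployment": True},    # skips the PAC chain
    "one_time_password": True,
    "auto_connect": True,                              # contradicts the one-time password
    "external_id": "anonymous",
    "proxy": {"mode": "Manual", "ip": "192.0.2.10"},   # port missing
}
PERSONAL = {
    "security_type": "WPA/WPA2",
    "permitted_eap_types": ["PEAP"],                   # enterprise-only setting
    "root_certificate": "corp-root (constructed)",     # enterprise-only setting
    "auto_connect": True,
}

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD), ("PERSONAL", PERSONAL)):
        print(name)
        for rule, message in lint_wifi_policy(sample):
            print("  %-16s %s" % (rule, message))
```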

Exchange

You can add more Exchange policy sets by clicking .
Policy
Description
Configuration ID
Assign a unique ID for each Exchange setting.
Description
Enter a description for each Exchange setting.
Office365
Allows configuring the Exchange settings.
Note
This policy will automatically fill out the Exchange server address and the SSL option as ‘Use’.
User information input method
Select an input method for entering user information.
> Manual Input
Select to manually enter the email address, account ID, and password of a user.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
> Connector interworking
Select to choose a connector from the User Information Connector list.
Note
All the connectors are listed in Advanced > System Integration > Directory Connector.
> User information
Select to access the exchange server using the registered Knox Manage email and ID. The password must be entered from the user’s device.
Domain
Enter a domain address for the Exchange server.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
Host
Enter the host name of the email server.
SSL
Set to use SSL for email encryption.
Note
If the Office 365 setting is used, the SSL option is automatically set to ‘Use’.
User certificate input method
Select an input method for entering certificate information.
> EMM Management Certificate
Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.
Note
Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.
  • User Certificate: Select a certificate to use from the User Certificate list.
> Connector interworking
Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration (Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Adding sync services.
When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.
  • User certificate Connector: Select a connector to use from the User certificate Connector list.
> Issuing external CA
Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Adding external certificates.
  • Issuing external CA: Select an external CA to use from the Issuing external CA list.
Sync Interval
Select the interval period to sync the past emails.
Note
The sync interval and synchronization are in accordance with the email application settings.
Do not move message to other accounts
Select to use the policy.
Available only on mail app
Select to use the policy.
Do not sync the recently used email address
Select to use the policy.
Activate S/MIME
Check to activate and configure S/MIME functions for email security.
> S/MIME signing certificate input method
Select EMM Management Certificate or Connector interworking.
  • EMM Management Certificate: Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.
Note
Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.
  • Connector interworking: Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration (Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Adding sync services.
When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.
> S/MIME Signing Certificate
Available only when EMM Management Certificate is selected.
Choose the signing certificate according to the S/MIME signing certificate input method.
> S/MIME signing certificate connector
Available only when Connector interworking is selected.
Choose the signing certificate connector according to the S/MIME signing certificate input method.
> S/MIME encryption certificate input method
Select EMM Management Certificate or Connector interworking.
  • EMM Management Certificate: Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.
Note
Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.
  • Connector interworking: Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration (Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Adding sync services.
When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.
> S/MIME Encryption Certificate
Available only when EMM Management Certificate is selected.
Choose the Encryption Certificate according to the S/MIME encryption certificate input method.
> S/MIME signing certificate connector
Available only when Connector interworking is selected.
Choose the signing certificate connector according to the S/MIME signing certificate input method.
> S/MIME Enable Per Message Switch
Check the checkbox to enable S/MIME per message.

VPN

You can configure the VPN settings to connect to a private network through a public network. You can add more VPN policy sets by clicking .
Policy
Description
Configuration ID
Assign a unique ID for the VPN setting.
Description
Enter a description for the VPN setting.
Connection type
Select a connection type and enter the parameters. Required parameters vary depending on the selected connection type.
  • L2TP: Set the Shared Security and Send All Traffic options.
  • PPTP: Set the Encryption Step and Send All Traffic options.
  • IPSec (Cisco): Enter the items depending on the selected device authentication type:
      • If Device Authentication is set to certificate, set Domain/Host Pattern and the Action for it. Then, select a User certification input method and set to Include User PIN when a device is authenticated.
      • If Device Authentication is set to Shared Security/Group Name, set the Group Name and Shared Security options. Then, set to Use mixed authentication and Password Request when a device is connected with VPN.
  • Cisco AnyConnect: Set the Group Name option.
  • Juniper SSL: Set the Realm and Role options. If this is selected, Pulse secure VPN, a new VPN, is supported and previous Juniper Pulse versions will not be supported.
  • SonicWALL Mobile Connect: Set the Login Group or Domain options.
  • IKEv2: For IKEv2, see Configuring VPN IKEv2 connection.
Server address
Enter the IP address, host name, or URL of the VPN server that the device needs to access.
VPN Application Allocation
Select applications that will be allowed to connect to a VPN automatically.
Click Add, select applications, and then click OK.
Safari Domain
Select URLs that will be allowed to connect to a VPN automatically on Safari.
Enter a domain address, and then click .
VPN type for each app
Select a VPN type for each application.
  • packet-tunnel: for app-layer tunneling
  • app-proxy: for packet-layer tunneling
User Connection Authentication Type
Select Password or RSA SecurID as the authentication type for user connections.
User information input method
Select an input method for entering user information.
  • Manual Input: Enter the user ID and Password for VPN connection.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
  • Connector interworking: Choose a connector from the User information Connector. All the connectors registered in Advanced > System Integration > Directory are listed in the User information Connector.
  • User Information: Use the user information registered in Knox Manage to access VPN.
ID
Set an ID for the VPN settings.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
Password
Set a password for the VPN settings.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
User certificate input method
Select an input method for entering certificate information.
  • EMM Management Certificate: Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate.
Note
All users share this one certificate for each network setting. Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.
  • User certificate: Select a certificate to use from the User Certificate list.
  • Connector interworking: Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration (Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Adding sync services. When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.
  • User Information Connector: Select a connector to use from the User certificate Connector list.
  • Issuing external CA: Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Adding external certificates.
  • Issuing External CA: Select an external CA to use from the Issuing external CA list.
Note
User certificate input method appears only when certificate is selected in the user connection authentication type or in the device authentication.
Proxy Settings
Select the setting for the proxy server.
  • Manual: Enter the proxy IP address and port number. Then, assign a user name and proxy authenticated user password.
  • Auto: Enter the proxy server URL address.

Configuring VPN IKEv2 connection

If the connection type is set to IKEv2, you can configure the setting as follows:
  1. Set the VPN auto connection settings.
  • VPN auto connection (Only devices allowed by director): Keeps VPN activated on the device.
  • Allow users to deactivate auto connection: Allows users to deactivate auto connection on the device.
  • Use the same tunnel for both cellular and Wi-Fi: Configure the VPN connection information to be used by both networks. To use different tunnels for configurations for cellular and Wi-Fi, click the Cellular and Wi-Fi tabs and enter the VPN connection information.
  • If a profile has more than two VPN settings with VPN auto connection checked, the profile will not be installed on the device.
  1. Enter the information below:
Item
Description
Server address
Enter the IP address, host name, or URL of the VPN server.
Local identifier
Enter the value to identify the IKEv2 client in the format below:
  • FQDN, UserFQDN, Address, and ASN1DN
Remote identifier
Enter the value in the format below:
  • FQDN, UserFQDN, Address, and ASN1DN
System authentication
Select a VPN authentication method:
  • Security sharing: Enter the security sharing password.
  • Certificate: Select a user certificate input method. Then enter the common name of the server certificate issuer and the common name of the server certificate.
EAP activation
Determines if EAP is activated. If activated, select
  • Certificate: Select a user certificate input method.
  • Password: Enter the user ID and Password.
Dead Peer Detection speed
Set the interval for checking the usability of the VPN equipment.
Note
Check whether the resource should change or the content should be modified.
Encryption algorithm
Choose the Encryption algorithm.
  • IKE SA: DES, 3DES, AES-128, AES-256, AES-128-GCM, AES-256-GCM
  • Sub SA: DES, 3DES, AES-128, AES-256, AES-128-GCM, AES-256-GCM
Integrity algorithm
Choose the Integrity algorithm.
  • IKE SA: SHA1-96, SHA1-160, SHA2-256, SHA2-384, SHA2-512
  • Sub SA: SHA1-96, SHA1-160, SHA2-256, SHA2-384, SHA2-512
Diffie Hellman group
Select the group to be used for Diffie Hellman algorithm.
  • IKE SA: 0, 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21
  • Sub SA: 0, 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21
Time(min)
Enter the session expiration period.
  • IKE SA: Between 10 and 14440. The default value is 14440.
  • Sub SA: Between 10 and 14440. The default value is 14440.
Enable NAT keepalive while the device is in sleep mode
Enable NAT Keepalive and set the interval for Keepalive.
Note
This item is for iOS 9 or higher.
NAT keepalive interval
Set NAT KeepAlive intervals in seconds. The default value is 20 seconds.
Note
This item is for iOS 9 or higher.
Use IPv4/IPv6 internal subnet properties
Select to use the IPv4/IPv6 internal subnet attribute of IKEv2.
Note
This item is for iOS 9 or higher.
Disable portability and multi-homing
Select to deactivate portability and multi-homing (MOBIKE).
Note
This item is for iOS 9 or higher.
Disable redirect
Select to disable IKEv2 connection redirection.
Note
This item is for iOS 9 or higher.
Enable a perfect forward secrecy
Select to enable PFS (Perfect Forward Secrecy).
Note
This item is for iOS 9 or higher.
Voice mail box / AirPrint
Select the allowed traffic range when using Voicemails and AirPrint.
  • Allow traffic to goes through tunnel/Allow traffic outside tunnel/Drop traffic
Captive web sheet traffic outside of VPN tunnel
Allows captive web sheet traffic outside the VPN tunnel.
Captive Network App bundle identifier
Enter the Captive Network App bundle identifier to allow and click to disallow this item.
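
An added example (not Knox Manage code): a pre-deployment check of the IKEv2 values from the table above that flags weak or out-of-range choices for the IKE SA and Sub SA. The dictionary keys and the severity ratings (guided by RFC 8247) are assumptions of this example; the option lists and the 10 to 14440 minute range come from the table.

```python
"""Audit IKEv2 VPN policy values against the option lists in the table above."""
from typing import NamedTuple

# Option lists and the lifetime range are copied from the table above.
ENCRYPTION = {"DES", "3DES", "AES-128", "AES-256", "AES-128-GCM", "AES-256-GCM"}
INTEGRITY = {"SHA1-96", "SHA1-160", "SHA2-256", "SHA2-384", "SHA2-512"}
DH_GROUPS = {0, 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21}
LIFETIME_MIN, LIFETIME_MAX = 10, 14440  # minutes
OFFERED = {"encryption": ENCRYPTION, "integrity": INTEGRITY, "dh_group": DH_GROUPS}

# Assumption of this example, not a Knox Manage rule: which offered options a
# reviewer treats as weak. The ratings are guided by RFC 8247.
WEAK = {
    "encryption": {"DES": "error", "3DES": "warning"},
    "integrity": {"SHA1-96": "warning", "SHA1-160": "warning"},
    "dh_group": {0: "error", 1: "error", 2: "warning", 5: "warning"},
}


class Finding(NamedTuple):
    sa: str        # "ike_sa" or "sub_sa" (hypothetical key names)
    field: str
    severity: str  # "error" or "warning"
    message: str


def audit_sa(name, sa):
    """Check one SA's encryption, integrity, DH group and lifetime."""
    findings = []
    # AES-GCM is an AEAD cipher, so the integrity selection is not audited for it.
    aead = str(sa.get("encryption", "")).endswith("-GCM")
    for field in ("encryption", "integrity", "dh_group"):
        if field == "integrity" and aead:
            continue
        value = sa.get(field)
        if value not in OFFERED[field]:
            findings.append(Finding(name, field, "error",
                                    f"{value!r} is not an offered option"))
        elif value in WEAK[field]:
            findings.append(Finding(name, field, WEAK[field][value],
                                    f"{value!r} is weak; choose a stronger option"))
    lifetime = sa.get("lifetime_min")
    if not isinstance(lifetime, int) or not LIFETIME_MIN <= lifetime <= LIFETIME_MAX:
        findings.append(Finding(name, "lifetime_min", "error",
                                f"{lifetime!r} is outside {LIFETIME_MIN}-{LIFETIME_MAX} minutes"))
    return findings


def audit_policy(policy):
    """Audit both SAs, then check that the PFS switch is consistent with them."""
    findings = []
    for name in ("ike_sa", "sub_sa"):
        findings += audit_sa(name, policy.get(name, {}))
    if not policy.get("pfs"):
        findings.append(Finding("sub_sa", "pfs", "warning",
                                "perfect forward secrecy is not enabled"))
    elif policy.get("sub_sa", {}).get("dh_group") == 0:
        # Group 0 means no Diffie-Hellman exchange, so PFS cannot take effect.
        findings.append(Finding("sub_sa", "pfs", "error",
                                "PFS is enabled but Sub SA uses Diffie-Hellman group 0"))
    return findings


# Constructed sample values for illustration only.
SAMPLE_POLICY = {
    "ike_sa": {"encryption": "3DES", "integrity": "SHA1-96",
               "dh_group": 2, "lifetime_min": 14440},
    "sub_sa": {"encryption": "AES-256-GCM", "integrity": "SHA2-256",
               "dh_group": 0, "lifetime_min": 5},
    "pfs": True,
}
HARDENED_POLICY = {
    "ike_sa": {"encryption": "AES-256", "integrity": "SHA2-256",
               "dh_group": 19, "lifetime_min": 1440},
    "sub_sa": {"encryption": "AES-256-GCM", "integrity": "SHA2-256",
               "dh_group": 19, "lifetime_min": 60},
    "pfs": True,
}

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(f"[{finding.severity}] {finding.sa}.{finding.field}: {finding.message}")
```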

Certificate

You can add more certificate policy sets by clicking .
Policy
Description
Configuration ID
Assign a unique ID for each certificate setting.
Description
Enter a description for each certificate setting.
Certificate category
Select a certification category.
  • CA Certificate: Select a certificate to use from the CA certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as Root will appear on the list.
  • User certificate: Select a certificate to use from the User Certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as User will appear on the list.

SSO

SSO (Single Sign On) service offers one-click access to all of the applications without additional authentication. You can add more SSO policy sets by clicking .
Policy
Description
Configuration ID
Assign a unique ID for each SSO setting.
Description
Enter a description for each SSO setting.
Account Name
Enter the name that appears on the device.
Principal Name
Enter the principal name.
Realm
Enter a domain name that is able to use SSO. You must enter the name in upper case letters.
URL Prefixes
Enter a URL to be accessed with SSO.
Click , enter a URL, and then click .
App Identifier
Enter the bundle ID of an application that you can use through SSO. If there is no application added on the list, SSO can be used for all applications.
Click , enter the bundle ID of an application, and then click .

Cellular

Configure the cellular network settings and control how the device accesses the cellular network. If an APN has already been set, the cellular configuration will not be applied. You can add more cellular policy sets by clicking .
Policy
Description
Configuration ID
Assign a unique ID for each cellular setting.
Description
Enter a description for each cellular setting.
AttachAPN
Configure the settings for an Attach APN.
  • Name: Enter the name for the setting.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
  • Authentication Method: Choose PAP or CHAP.
  • Username: Enter the user name for user authentication.
  • Password: Enter the password for user authentication.
APNs
Configure the setting for an APN.
  • Name: Enter the name for the setting.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
  • Authentication Method: Choose PAP or CHAP.
  • Username: Enter the user name for user authentication.
  • Password: Enter the password for user authentication.
  • Proxy Server: Enter the IP address of a proxy server.
  • Proxy Server Port: Enter the port number of a proxy server.

AirPrint

You can add a printer to the AirPrint list on the device and configure devices and printers that exist on different networks conveniently. You can add more AirPrint policy sets by clicking .
Policy
Description
Configuration ID
Assign a unique ID for each setting.
Description
Enter a description for each setting.
AirPrint Printer List
Add printers that support AirPrint.
Click , enter an IP address and a resource path, and then click .
For the resource path, you can enter what’s below:
  • printers/Canon_MG5300_series
  • printers/Xerox_Phaser_7600
  • ipp/print
  • Epson_IPP_Printer

Font

You can add more font policy sets by clicking .
Policy
Description
Configuration ID
Assign a unique ID for each font setting.
Description
Enter a description for each font setting.
Font
Add a font to use on the device.
Click Add and add a font.

WebClip

You can add more WebClip policy sets by clicking .
Policy
Description
Configuration ID
Assign a unique ID for each web clip setting.
Description
Enter a description for each web clip setting.
Label
Enter a web clip name to be displayed on the device home screen.
URL
Enter a web clip URL address.
Removable
Check the checkbox to allow users to delete the web clip account settings.
Icon
Click Add, and then click Browse to select an icon that will be displayed on the user’s device home screen. Then click OK to add.
  • The icon must be 59 x 60 px and in the PNG file format.
  • A white square image will be displayed if no icon is selected.

App Lock

You can add more App Lock policy sets by clicking .
Policy
Description
Configuration ID
Assign a unique ID for each application lock setting.
Description
Enter a description for each application lock setting.
App Bundle ID
Enter the application bundle ID to identify applications.
Options
Check the box to configure the application lock options.
> Touch Screen
Allows device touchscreen mode.
> Screen Rotation
Enables using the landscape or portrait mode of the device screen.
> Volume Button
Enables adjusting the volume.
> Ringer Switch
Enables turning ringer mode on and off with the ringer switch.
> Power Button
Allows turning the device on or off through the power button.
> Auto Lock
Enables automatically locking the device after a fixed amount of time through auto lock.
> VoiceOver
Turn on VoiceOver for the screen-reading feature.
> Zoom In/Out
Turn on the zoom feature to configure easy zooming on the screen display.
> Invert Colors
Turn on color inversion to show colors on the device screen as their complementary colors.
> Assistive Touch
Allows the virtual home button to perform multiple actions on the screen with a simple tap.
> Speak Selection
Turn on Speak Selection to have selected text read aloud.
> Mono Audio
Turn on Mono Audio to play both audio channels in one ear using a headset.
User Enabled Options
Check the box to configure user enabled options.
> VoiceOver
Enables VoiceOver for the screen-reading feature.
> Zoom In/Out
Allows for configuring the easy zoom in and out feature on the display.
> Invert Colors
Allows color inversion to display colors on the device screen as their complementary colors.
> Assistive Touch
Allows the virtual home button to perform multiple actions on the screen with a simple tap.

Global HTTP Proxy

You can add more global HTTP policy sets by clicking .
Policy
Description
Configuration ID
Assign a unique ID for each global HTTP proxy setting.
Description
Enter a description for each global HTTP proxy setting.
Proxy Type
Select and enter the corresponding items depending on the proxy type.
> Manual
  • Proxy Server and Port: Enter the IP address of a proxy server and the port number of the proxy server.
  • Username: Enter the username for user authentication.
  • Password: Enter the password for user authentication.
> Auto
  • Proxy PAC URL: Enter the URL of the PAC file that defines the proxy configuration.
  • Proxy PAC Fallback Allowed (iOS 7 or above): Check the checkbox to allow a direct connection from the user device if the PAC connection fails.
Proxy Captive Login Allowed (iOS 7 or above)
Check the checkbox to allow the device to bypass the proxy server to display the login page for captive networks.

AirPlay

These policies support devices with iOS 7 or above. You can add more AirPlay policy sets by clicking .
Policy
Description
Configuration ID
Assign a unique ID for each AirPlay setting.
Description
Enter a description for each AirPlay setting.
Whitelist (Supervised)
Add an AirPlay device ID to the whitelist so that it is displayed on the user’s device.
Click , enter a device ID, and then click .
Passwords
Add an AirPlay device password.
Click , enter a device name and password, and then click .

Web Content Filter

You can add a specific URL to the whitelist or blacklist. These policies support devices with iOS 7 or higher in Supervised mode. You can add more web content filter policy sets by clicking .
Policy
Description
Configuration ID
Assign a unique ID for each setting.
Description
Enter a description for each setting.
Auto Filter Enabled
Check the checkbox to use the auto filter function.
Blacklisted URLs
Add a URL to allow access to.
Click , enter a URL, and then click .
Permitted URLs
Add a URL to block access to.
Click , enter a URL, and then click .
Whitelisted Bookmarks
Add a bookmark to allow for access.
Click , enter a URL, title, and path, and then click .

Managed domains

Set managed domains and protect corporate data. You can control what apps can open documents downloaded from corporate domains using Safari. These policies support the devices with iOS 8 or higher in Supervised mode. You can add more managed domains policy sets by clicking .
Policy
Description
Configuration ID
Assign a unique ID for each setting.
Description
Enter a description for each setting.
Email domains
Add a domain to specify as a corporate domain for emails.
Click , enter a URL, and then click .
Web domains
Add a domain to specify a corporate domain for the web.
Click , enter a URL, and then click .

Network Usage Rules

Configure network usage rules to allow data roaming and cellular data for applications. You can add more network usage rules policy sets by clicking .
Policy
Description
Configuration ID
Assign a unique ID for each setting.
Description
Enter a description for each setting.
Managed app Network Settings
Add an application and allow cellular data and data roaming.
Click , add an application, set the data settings, and then click .

Configuring Windows Policies

Create a profile and register policies for Windows devices.
You can configure the policies below for Windows devices. The availability of each policy varies depending on the OS version.
  • Allows the use of features such as factory reset, camera, screen capture and VPN.
  • Controls the network settings, such as Bluetooth, Wi-Fi tethering, and NFC.
  • Configures the password settings.
  • Allows using the Windows App Store and configuring options for application controls, such as installation and blacklist/whitelist.
  • Allows overseas data roaming.
  • Allows deleting PPKG (Provisioning Package) files or MDM profiles while using them.
  • Configures the Wi-Fi settings, such as SSID, security type, and proxy.
  • Configures the settings of a Microsoft Exchange ActiveSync account to synchronize data with it.
  • Configures VPNs (Virtual Private Network) on Windows devices.
  • Configures the Knox Manage Agent Root, user certificates, and server certificates for use on the device.

System

Policy | Description | Supported devices
Factory reset | Allows a device factory reset. | Windows 10 (Mobile / Desktop) or higher
Camera | Allows using the camera. | Windows 10 (Mobile / Desktop) or higher
Screen Capture | Allows using the screen capture function. | Windows 10 (Mobile) or higher
VPN | Allows modifying the VPN settings. | Windows 10 (Mobile) or higher

Interface

Policy | Description | Supported devices
Wi-Fi | Allows the use of Wi-Fi. | Windows 10 (Mobile / Desktop) or higher
> Wi-Fi Tethering | Allows tethering the Wi-Fi connection. | Windows 10 (Mobile / Desktop) or higher
Bluetooth | Allows the use of Bluetooth. | Windows 10 (Mobile / Desktop) or higher
> Search Mode | Allows using device search via Bluetooth. | Windows 10 (Mobile / Desktop) or higher
NFC | Allows the use of NFC (Near Field Communication). | Windows 10 (Mobile) or higher
USB | Allows USB tethering connections. | Windows 10 (Mobile) or higher

Security

Policy
Description
Supported devices
Password policies
Set to apply the password policy when the screen is locked. The camera is disabled in screen lock mode.
Note
If you have enabled Samsung Knox Manage for a device with no password, certificates registered in the device will be deleted.
Windows 10 (Mobile) or higher
> Maximum Failed Login Attempts
Set the maximum number of incorrect password attempts.
The value can be between 3 - 998 times.
Note
If you enter the wrong password more than the allowed number of times, a challenge phrase appears, and then the system begins the factory reset operation. A challenge phrase is a particular phrase that is presented to you to disable the autofill feature and protect your information. You need to enter the case sensitive challenge phrase exactly.
Windows 10 (Mobile) or higher
> Minimum length
Set the minimum length of the password.
The value can be between 4 - 16 words.
Windows 10 (Mobile) or higher
> Maximum Screen lock grace period (Minutes)
Set an idle time before the screen lock is enabled.
The value can be between 0 – 999 minutes.
Windows 10 (Mobile) or higher
> Expiration after (days)
Set the maximum number of days before the password must be reset.
The value can be between 0 - 730 days.
Note
Set the number to 0 for an indefinite period.
Windows 10 (Mobile) or higher
> Retain history for
Set the number of times that you can reuse the password that you previously used, including the current password.
The value can be between 2 - 50 times.
Windows 10 (Mobile) or higher

Application

Policy
Description
Supported devices
Windows App store access control
Allows access to the Windows App Store.
Windows 10 (Mobile) or higher
Add App Install Black/Whitelist
Set the Windows application policies based on the blacklist or the whitelist.
Windows 10 (Mobile/Desktop) or higher
> Add Preloaded App Automatically
Set to automatically add preloaded applications.
Windows 10 (Mobile/Desktop) or higher
> App Install/Run Whitelist
Add applications to allow their installation. Any applications not on the whitelist are deleted, even if previously installed.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
Note
Knox Manage Agent is automatically registered on the list.
Windows 10 (Mobile/Desktop) or higher
> App Install/Run Blacklist
Add applications to prohibit their installation. Blacklisted applications will be deleted even if they were previously installed.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
Note
An application that has been added on the App Install/Run Whitelist cannot be added.
Windows 10 (Mobile/Desktop) or higher

Phone

Policy | Description | Supported devices
Data connection during roaming | Allows overseas data roaming. | Windows 10 (Mobile/Desktop) or higher

Etc

Policy | Description | Supported devices
Delete PPKG | Allows users to delete provisioning package (PPKG) files while using them. | Windows 10 (Mobile/Desktop) or higher
MDM Client Unenrollment | Allows users to delete MDM profiles while using them. | Windows 10 (Mobile/Desktop) or higher

Wi-Fi

You can add more Wi-Fi policy sets by clicking .
Policy
Description
Configuration ID
Assign a unique ID for each Wi-Fi setting.
Description
Enter a description for each Wi-Fi setting.
Network Name (SSID)
Enter the identifier of a wireless router to connect to.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
Security type
Specifies the access protocol used.
> Open
Allows a Wi-Fi connection without a password.
> WEP
Set a password in the Password field.
> WPA2 Personal
Set a password in the Password field.
> EAP
Enter an EAP XML configuration code.
Note
The EAP XML tab is enabled only when EAP is selected for the Security type.
Auto connection
Check to use an automatic Wi-Fi connection.
Hide Network
Check the checkbox to hide the network from the list of available networks on the device. The SSID does not broadcast.
Proxy Server and Port
Enter the IP address of a proxy server and the port number of the proxy server.

Exchange

You can add more Exchange policy sets by clicking .
Policy
Description
Configuration ID
Assign a unique ID for each Exchange setting.
Description
Enter a description for each Exchange setting.
User information input method
Select an input method for entering user information.
> Manual Input
Select to manually enter the email address, account ID, and password of a user.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
> Connector interworking
Select to choose a connector from the User Information Connector list.
Note
All the connectors are listed in Advanced > System Integration > Directory Connector. The email account that is registered is the one registered in the connected directory’s information.
> User Information
Select to access the exchange server using the registered Knox Manage email and ID. The password must be entered from the user’s device.
Domain
Enter a domain address for the Exchange server.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
Server Name
Assign an Exchange server name.
Diagnostic Logging
Select a configuration level for diagnostic logging.
  • Logging off: Does not leave a record in the Event Viewer log.
  • Basic logging: Configure the default diagnostic log information.
  • Advanced logging: Configure the diagnostic log information for the security-related events.
Sync Schedule
Select the interval period to sync the incoming emails.
Sync measure for the early data
Select the interval period to sync the past emails.
Sync calendar
Syncs schedules on a calendar from a server to a device.
Sync contacts
Syncs contact information in a phone book from an Exchange to a device.
Sync Email
Syncs emails from an Exchange to a device.
Sync task
Syncs tasks from an Exchange to a device.
SSL
Set to use SSL for email encryption.

VPN

You can add more VPN policy sets by clicking .
Policy
Description
Configuration ID
Assign a unique ID for the VPN setting.
Description
Enter a description for the VPN setting.
VPN vendor name
Select a VPN vendor from among Pulse Secure VPN, F5, SonicWall Mobile Connect, and Check Point Mobile.
Server address
Enter the IP address, host name, or URL of the VPN server that the device needs to access.
Customer Configuration
Enter the VPN vendor-specific settings in the XML format and click Save.
Remember Credentials
Check to remember credentials.
Always On
Check to use always on mode.
Lock Down
Check to use lock down mode.
DNS Suffix
Enter a DNS Suffix.
Trusted Network
Enter the IP address, host name, or URL.
Proxy Settings
Select the setting for the proxy server.
  • Manual: Enter the IP address of the proxy server.
  • Auto: Enter the Auto Config URL.

Certificate

You can add more certificate policy sets by clicking .
Policy
Description
Configuration ID
Assign a unique ID for each certificate setting.
Description
Enter a description for each certificate setting.
Certificate category
Select a certificate category.
  • Root: Select a certificate to use. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and Type set as Root will appear on the list.
  • User: Select a certificate to use. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Type set as User will appear on the list.
  • Server: Select a certificate to use. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Type set as Server will appear on the list.

Applying configurations automatically (Android only)

If you configured device settings for a profile, then the settings can be applied automatically on the device without user action. If two or more values have been configured for the same category on a device, then the user must select a category and apply the settings manually, except for Wi-Fi settings. However, the bookmark settings cannot be applied automatically if the Installation area field is set to Shortcut.
Refer to the following table for an example:
Category
Value
Application type
Wi-Fi
A
Auto application
B
VPN
C
Exchange
D
Manual application
F
Device settings can be applied automatically once Knox Manage is activated and the policies are applied. After the application is complete, you can see the results in a notification message.

Preparations

To apply configurations automatically, do the following:
  • When using certificates and VPN settings in the Wi-Fi 802.1xEAP framework, install Credential Storage (CS) so that trusted certificates can be stored in advance. CS installation means locking the screen using an option more secure than a password.
  • For the Knox VPN setting, install the Vendor Client in advance.
  • For the Email and Exchange settings, install the Samsung Email application and agree to receive notifications from the Email application (Galaxy S8 or higher).
  • For the Knox workspace, install the VPN Vendor Client in the general area.

Restrictions

In the following cases, manual intervention is still required even when configurations are applied automatically.
  • A Wi-Fi connection needs to be established in the device settings since devices cannot connect to a Wi-Fi AP automatically.
  • After a VPN or Knox VPN is installed, the tunnel must be enabled manually before it can connect.
  • If the user deletes the auto-applied configuration, the deleted configuration is automatically reapplied when the device is manually rebooted or restarted.

Categories of auto application

Configurations applied automatically can be categorized into Cases A, B, and C:
Category
Description
Application order
Case A
Settings that can be applied and updated immediately after Knox Manage is activated and policies are applied.
  • Application and updates can be performed automatically in the Knox Workspace area once it is created and policies are applied.
  • The Email and Exchange settings require installation of the Samsung Email application.
  • For Wi-Fi 802.1xEAP, select PEAP, an authentication protocol, in the EAP Methods to avoid the use of certificates. Because this does not require installation of Credential Storage (CS), the user does not need to select and add a screen lock type when the Wi-Fi settings are auto-installed.
  • Auto application of the Bookmark settings is supported on devices running Android 6.0 (Marshmallow) or Android 7.0 (Nougat), and only when the Installation area field is set to Bookmark. However, the Bookmark settings cannot be applied automatically on Android Enterprise devices.
APN > Bookmark > Wi-Fi > Exchange > Email
Case B
Settings that can be applied or updated once a screen lock password is set and additional applications or certificates are installed.
  • If no screen lock password has been set, configurations will not be applied automatically and a notification message for setting the screen lock password will appear instead. Tap Set password on the notification message to open the settings screen of the device.
Wi-Fi > VPN > Knox VPN
Case C
Settings that must be applied manually by the user from Knox Manage.
Note
If you set up Exchange with a certificate, it will be categorized as Case B because it requires certificate installation.
For more information, see the table below:
Settings category
Android enrollment type
Knox Workspace
Type
CS installation required
Additional application installation required
Automation category
Wi-Fi
Fully managed/Legacy
G
None
X
X
Case A
WEP
X
X
Case A
WPA/WPA2-PSK
X
X
Case A
802.1xEAP
X
X
Case A (When a certificate is not in use)
Legacy
O
X
Case B
Exchange ActiveSync
Legacy
G/K
N/A
X
O
Case A
Case B (When a certificate is in use)
Email
Legacy
G/K
N/A
X
O
Case A
Certificate
Legacy
G
N/A
O
X
Case B
APN
Fully managed/Legacy
G
N/A
X
X
Case A
Bookmark
Fully managed
G
N/A
X
X
Case C
Legacy
G/K
N/A
X
X
Case A
VPN
Legacy
G
PPTP
O
X
Case B
G
L2TP/IPSec PSK
O
X
Case B
G
L2TP/IPSec RSA
O
X
Case B
G
IPSec Xauth PSK
O
X
Case B
G
IPSec Xauth RSA
O
X
Case B
G
IPSec Hybrid RSA
O
X
Case B
Knox VPN
Legacy
G/K
Cisco
X
O
Case C
K
F5
X
O
Case B
K
Juniper
X
O
Case B
(When a certificate is not in use, auto application is not supported.)
SSO
Legacy
G/K
N/A
X
O
Case C
Profile