Back to top

Granular Device Management

Last updated February 20th, 2024

The Knox Platform’s granular device management features are specifically curated, from partner feedback and industry data, to solve some of the most common frustrations enterprises face when mass deploying devices. These unique policies provide device flexibility and customization beyond any other device provider. The policies help organizations manage operations more effectively, secure confidential assets, and reduce administrative overhead. They also solve particular issues regarding industry regulation and compliance.

Custom boot banner

Samsung Knox is the only mobile platform that allows an enterprise to natively change the device boot logo. In many industries, such as government or defense, this change is mandatory for compliance. Through the Knox Platform, enterprise IT admins and developers can customize the following:

  • Samsung boot up display
  • Splash screen animation, when the device is turned on or off
  • Lockscreen image, which can provide an enterprise logo or contact info for lost phones

Enterprises can use these capabilities to mitigate problems such as the following:

  • Phone is lost and found — Owner information is available by simply powering on the device. There is no need to attempt to unlock the device or call the carrier. The device can be returned to the enterprise quickly.
  • Multiple phones — Displaying an enterprise logo on bootup lets users know that the device belongs to and is secured by the enterprise. This logo clearly distinguishes it from other devices in the user’s possession.

Split billing (Dual APN)

Split billing separates enterprise and personal data usage.

  • In Bring Your Own Device (BYOD) deployments, enterprise billing allows employees to be properly compensated for data costs generated from work-related app usage.
  • In Corporately Owned, Personally Enabled (COPE) deployments, enterprise billing allows employers to pay for data usage incurred only for work purposes.

Split billing also works with dual SIM devices, by mapping some apps to using the data plan from one SIM, and other apps to the other SIM’s data plan.

Remote admin lock of device

This feature allows an IT admin to remotely lock out a device, for example, when the device is out of compliance. Once the device is locked, only an IT admin can unlock it and not a device user. This functionality solves two problems:

  • Prevents unauthorized users from accessing the device if it gets lost or stolen.
  • Prevents users with valid login credentials from using the device, for example, if the credentials are stolen or the user is no longer allowed to use the device.

With stock Android, an IT admin can lock a device only if it is currently unlocked. If the device is already locked, an admin can’t lock it to prevent future unauthorized logins.

Enterprise roaming

Roaming mobile connections can incur unexpected data costs. Multiplied across an enterprise’s mobile workforce, these costs can become exorbitant.

Rather than just simply disabling all mobile roaming, the Knox Platform provides more granular controls for enterprises, letting them control which mission-critical apps are allowed to use data during mobile roaming. Enterprises could enable roaming data for:

  • All apps in the Work container
  • A single app within the Work container
  • A single app in the personal space

They can also set up Split Billing, with separate roaming policies for the APNs set up for personal and enterprise billing.

Granular policies

Call restrictions

Enterprises can apply granular settings to the caller app, allowing only:

  • Emergency calling
  • Calling to certain numbers
  • A limited number of calls per day

SMS management

Knox provides many advanced SMS policies. Policies frequently used by organizations include:

  • Adding an automatic company disclaimer to the bottom of every outgoing text
  • Restricting the number of texts per day
  • Auditing and recording all incoming and outgoing SMS messages

SD card restrictions

Most vendors don’t provide sophisticated options to manage an SD card. Typically, enterprises must choose between one of two options: allow full read and write access to the SD card or completely block it.

The Knox Platform addresses this industry pain point by giving enterprises independent control over read and write access. Knox can:

  • Allow read access but block write access
  • Allow write access but block read access

This level of control means you can provide one-way data access to sensitive data to effectively meet your security requirements.

Bluetooth restrictions

To mitigate attacks perpetrated through Bluetooth connections, Knox provides these controls:

  • Completely disable Bluetooth — Turn off Bluetooth and Bluetooth background scanning.
  • Block specific Bluetooth profile types — Restrict the types of Bluetooth devices that the user can connect to the device, for example:
    • Allow Bluetooth headphones
    • Block Bluetooth file transfers, which could leak private data

USB class restrictions

Knox can restrict or allow different types of USB-connected devices, more specifically, the USB device classes defined through This feature includes access to the following USB device classes:

  • Audio, Video, Audio/Video
  • Mass Storage
  • Content Security
  • Smart Card
  • Printe
  • Hub, Type-C Bridge, Wireless Controlle
  • Human Interface Device (HID)
  • Communications, CDC Control, CDC Data
  • Personal Healthcare
  • Billboard
  • Diagnostic

For example, you could block all USB devices except Smart Card readers.

Keyboard Input Methods (IME)

The Keyboard Input Method (IME) framework has received a major security upgrade with Knox 3.2.1.

In Knox 3.2.1, the personal and Work container keyboards are completely separate to ensure that important work data is not compromised. In an Android Enterprise Work Profile, the same IME is used for both the personal and profile side. An shared IME may potentially leak sensitive data through an exploit buried in the IME.

For example, let’s say a device user downloads a malicious IME from Google Play for use on the personal side.

  • Android Enterprise — This IME is shared with the Work profile and sensitive data may leak.
  • Samsung Knox — The IME is isolated from the Work container and can’t access sensitive information.

In previous versions of Knox, IT admins were required to add 3rd party IMEs to an allowlist for added security. Now that personal and Work container IMEs are kept separate, users are able to use third party keyboards without prior explicit allowance from IT admins.

Is this page helpful?