Home / Knox Authentication Manager / How-to guides /

Configure app policies

Last updated July 30th, 2025

Before deploying Knox Authentication Manager as a managed app to your devices, you’ll need to configure several app policies in your UEM or EMM. The following tables describe each policy and the options available.

Refer to the Policy column for each policy’s name and respective key. Policy keys are used when configuring Microsoft Intune app policies with a JSON file, and when viewing app policies on the device.

  1. For Knox Manage admins, see Assign Managed Google Play apps for instructions on managing app configurations.
  2. For Omnissa Workspace ONE1, Microsoft Intune, and SOTI MobiControl admins, refer to their respective documentation for information on how to configure app policies.

For all policy settings, the following special characters are not permitted:. # $ [ ] & ; < > "

Basic configuration information

Policy Required Description Options
Managed Configuration Yes The name of the app's managed configuration file. This field is mandatory. Any text string consisting of alphanumeric characters.

Profile name

doKAMProfileName 		No The user-facing name for the Knox Authentication Manager profile, as seen on the app's policy screen. Any text string consisting of alphanumeric characters. Special characters are permitted.

License Key

doKAMLicenseKey 		Yes The license key included with a Knox Suite license. This field is mandatory. Any valid Knox Suite license key.

Auto delete unused profile after (months)

doKAMAutoDeleteUnusedProfileAfter 		Yes

The number of days months that a profile must remain unused before being automatically deleted from system. This field is mandatory.

This policy setting applies only to Knox Authentication Manager v1.7 and higher. For devices running earlier versions, the default of 3 months is always applied. For more information, see updates to the Auto delete unused profile policy.

Any numerical value from 1 — 36. If left unset, the default is 3 months. One month is defined as 30 days.

To set in days, enter any numerical value from 1 — 1080 and append d to the number (for example, 14d).

Manually delete user profile

doKAMManualDeleteUserProfile 		No

Deletes a single user's credentials and profile data across all devices. This includes their username, password, PIN, face biometrics, and work app data.

This policy applies only to Knox Authentication Manager v1.8 and higher.

 Enter the user's Entra ID.

Customize KAM home screen

Policy Required Description Options

Title

doKAMHomeScreenTitle 		No A custom title that appears below the logo on the app's sign in screen. Any text string consisting of alphanumeric characters. Max 30 characters.

Description

doKAMHomeScreenDescription 		No Custom description text that appears above the Username field on the app's sign in screen. Any text string consisting of alphanumeric characters. Max 100 characters.

Show device serial number

doKAMShowDeviceSerialNumber 		Yes

Displays the device's serial number on the sign-in screen.

This policy applies only to Knox Authentication Manager v1.7 and higher.

 True or False (default)

Admin PIN

doKAMLightweightLauncherAdminPIN 		Yes The PIN number required in order to exit Knox Authentication Manager's sign in screen. Any string consisting of numbers.

Manage sign in controls

Policy Required Description Options

UEM being used

doKAMMainLoginApp 		Yes The name of your UEM or EMM
  • Omnissa Workspace ONE with launcher login screen (default)
  • Omnissa Workspace ONE without launcher login screen
  • Microsoft Intune with Managed Home Screen
  • Microsoft Intune without Managed Home Screen
  • Samsung Knox Manage/SOTI MobiControl

Main sign in method

doKAMMainLoginMethod 		Yes Determines how users sign in to Knox Authentication Manager.
  • PIN+Face (default) — Users sign into the app by first entering a PIN number, then scanning their face. If you select this option, you must also select Yes in the following field to confirm that you agree to the biometric privacy notification.
  • PIN only — Users sign into the app using their PIN number only.
  • Manual — Users sign into the app using their identity provider credentials (for example, their Microsoft Entra ID username and password).

I have read and understand the notice in the description (required for Face authentication)

doKAMBiometricNotice 		Yes — if you selected PIN+Face as the main sign in method. This policy confirms that you've read and acknowledged the biometric privacy notice, and only appears after you select PIN+Face as the app's main sign in method.

  • No response — If no response is selected, the Knox Authentication Manager app returns a configuration error.

    If you don't acknowledge the privacy notice, we recommend you set the Main sign in method to PIN only or Manual instead.

  • Yes — You're using a sign in method that collects a user's biometric information and you've read and acknowledged the privacy notice.

Main sign in PIN length

doKAMMainLoginPINLength 		Yes Sets the required PIN length when PIN+Face or PIN only sign in is used.
  • 4
  • 6
  • 8

Manage sync controls

If device syncing is disabled, only the Sync Group Key policy is required in the following group.

Policy Required Description Options

Enable syncing

code>doKAMSyncEnable 		Yes

Enables device-to-device data syncing. Disabling this policy is only recommended for dedicated devices.

If set to False, only the Sync Group Key policy is required in the Manage sync controls group.

When device syncing is disabled, no network traffic is sent to Google Firebase.

 True (default) or False

Sync Org ID

doKAMSyncOrgID 		Yes Sets a single identifier for your company or organization, under which your device sync groups are organized. Enter an Org ID consisting of only letters and numbers. This should be the same for devices that you want to sync with one another.

Sync Devices By

doKAMSyncDevicesBy 		Yes Determines how device sync groups are defined.
  • Group ID (default) — Devices sync when they're in the same admin-defined group.
  • Wi-Fi Subnet — Devices sync when they're on the same Wi-Fi subnet.

Sync Group ID

doKAMSyncGroupID 		Yes — if Sync Devices By is set to Group ID

Sets a unique identifier for a group of devices across which user profiles will be synced. This setting only applies if your devices sync by group ID.

Group IDs often correspond to device groups you configured in your UEM or EMM.

 Enter an group ID consisting of only letters and numbers. This should be the same for devices that you want to sync with one another.

Sync Group Key

doKAMSyncGroupKey 		Yes Sets a sync group key to encrypt and protect user profiles and device group communication.

Enter a 32-character key consisting of only letters and numbers. This should be the same for devices that you want to sync with one another.

You can generate this key using OpenSSL.

Sync Send UDP Port

doKAMSyncSendUDPPort 		Yes Specifies a UDP port number on devices which is used to send device communications such as sync requests. Enter a UDP port number. If left unset, the default is 49158.

Sync Receive UDP Port

doKAMSyncReceiveUDPPort 		Yes Specifies a UDP port number on devices which is used to send device communications such as sync requests. Enter a UDP port number. If left unset, the default is 49159.

Sync TCP Port

doKAMSyncTCPPort 		Yes Specifies a TLS communication port number on devices which is used to sync data between devices. Enter a TLS communication port. If left unset, the default is 7788.

Manage KAM behavior

The following policies are only applicable if you’re using one of the following UEM or EMM configurations:

  • Omnissa Workspace ONE without launcher login screen
  • Microsoft Intune without Managed Home Screen
  • Knox Manage/SOTI MobiControl
Policy Required Description Options

Entra Tenant ID

doKAMAzureADTenantID 		Yes Specifies the Knox Authentication Manager Directory (tenant) ID registered in Microsoft Entra ID. Refer to Microsoft's documentation for detailed instructions on how to find your tenant ID. Enter the Entra Tenant ID

Entra Client ID

doKAMAzureADClientID 		Yes Specifies the Knox Authentication Manager Application (client) ID registered in Microsoft Entra ID. Refer to Microsoft's documentation for detailed instructions on how to find your client ID. Enter the Entra Client ID

Auto sign out on charge

doKAMAutoLogoutOnCharge 		Yes Determines whether Knox Authentication Manager automatically signs out the current user when a device is charged (user can cancel). True or False (default)

Auto sign out period after screen-off (mins)

doKAMAutoLogoutOnScreenOffAfter 		Yes Specifies how many minutes a device screen must remain off before Knox Authentication Manager automatically signs out the current user.

Enter a value in minutes. If left unset, the default is 0.

0 = disabled.

Clean-up on sign out

doKAMCleanupOnLogout 		Yes Allows the removal of app and account information when users sign out, to ensure that they don't have access to the previous user's signed-in apps and data. True or False (default)

Clean-up excluded apps upon sign out (package names)

doKAMCleanupExcludedApps 		No Specifies the package names of apps — as a comma-delimited list — that are excluded from clean-up. Enter app package names separated by commas.

App notification on sign out

doKAMOnLogoutNotification 		Yes When signing out, Knox Authentication Manager will send a notification to any app specified by the Apps to receive notification on sign out (package names) policy. True or False (default)

Apps to receive notification on sign out (package names)

doKAMOnLogoutNotificationApps 		No Specifies the package names of apps — as a comma-delimited list — that receive a sign out notification. Enter app package names separated by commas.

Clean-up upon sign in

doKAMCleanupOnLogin 		Yes Allows the removal of app and account information when users sign in, to ensure that they don't have access to the previous user's signed-in apps and data. True or False (default)

Clean-up apps upon sign in (package names)

doKAMCleanupOnLoginApps 		No Specifies the package names of apps — as a comma-delimited list — you want to clean up after users sign in.You must set Clean-up upon sign in to True for this policy to work.

Enter app package names separated by commas. If left unset, the default packages included are:

  • com.microsoft.appmanager
  • com.microsoft.office
  • com.microsoft.office.excel
  • com.microsoft.office.officehubrow
  • com.microsoft.office.outlook
  • com.microsoft.office.powerpoint
  • com.microsoft.office.word
  • com.microsoft.sharepoint
  • com.microsoft.skydrive
  • com.microsoft.teams

Use KAM reverification to unlock device

doKAMAuthToUnlockDevice 		Yes

Determines if users can reverify their sign-in to locked devices using Knox Authentication Manager credentials.

If set to False, users won't be able to reverify their sign in using their Knox Authentication Manager credentials.

 True or False (default)

Reverification time (mins)

doKAMLightweightLauncherReverifyAfter 		Yes The time period after the screen is turned off before the user must reverify their identity on the device.

Enter a value in minutes. If left unset, the default is 0.

0 = disabled.

Reverification method

doKAMReverifyMethod 		Yes

Determines how users reverify their sign-in to a locked device.

You must set Use KAM reverification to unlock device to True for this policy to work.

If Reverification method conflicts with the Main sign in method, an error occurs and the authentication mode set by the Main sign in method policy is used by default. For more information, see ​Updates to the Reverification method policy.
  • default — Users will reverify using the authentication mode set by the Main sign in method policy
  • PIN only
  • Face only
  • Let user choose

Show username on reverification screen

doKAMShowUsernameOnReverifyScreen 		Yes Displays the name of the current user on the app's reverification screen. True or False (default)

  1. Omnissa Workspace ONE was previously known as VMware Workspace ONE. ↩︎

On this page

Is this page helpful?