Configure app policies
Last updated January 14th, 2025
Before deploying Knox Authentication Manager as a managed app to your devices, you’ll need to configure several app policies in your UEM or EMM. The following tables describe each policy and the options available.
- For Knox Manage admins, see Assign Managed Google Play apps for instructions on managing app configurations.
- For VMware Workspace ONE1, Microsoft Intune, and SOTI MobiControl admins, refer to their respective documentation for more details.
For all policy settings, the following special characters are not permitted:. # $ [ ] & ; < > "
Basic configuration information
| Policy | Required | Description | Options |
|---|---|---|---|
| Managed Configuration | Yes | The name of the app’s managed configuration file. This field is mandatory. | Any text string consisting of alphanumeric characters. |
| Profile name | No | The user-facing name for the Knox Authentication Manager profile, as seen on the app’s Policy screen. | Any text string consisting of alphanumeric characters. Special characters are permitted. |
| License Key | Yes | The license key included with a Knox Suite license. This field is mandatory. | Any valid Knox Suite license key. |
| Auto delete unused profile after (months) | Yes | The number of months that a profile must remain unused before being automatically deleted from system. This field is mandatory. This policy setting applies only to Knox Authentication Manager v1.7 and higher. For devices running earlier versions, the default of 3 months is always applied. For more information, see updates to the Auto delete unused profile policy. |
Any numerical value from 1 — 36. If left unset, the default is 3 months. |
Customize KAM home screen
| Policy name | Required | Description | Options |
|---|---|---|---|
| Title | No | A custom title that appears below the logo on the app’s sign in screen. | Any text string consisting of alphanumeric characters. Max 30 characters. |
| Description | No | Custom description text that appears above the Username field on the app’s sign in screen. | Any text string consisting of alphanumeric characters. Max 100 characters. |
| Show device serial number | Yes | Displays the device’s serial number on the sign-in screen. This policy applies only to Knox Authentication Manager v1.7 and higher. |
True or False (default) |
| Admin PIN | Yes | The PIN number required in order to exit Knox Authentication Manager’s sign in screen. | Any string consisting of numbers. |
Manage sign in controls
| Policy name | Required | Description | Options |
|---|---|---|---|
| UEM being used | Yes | The name of your UEM or EMM |
|
| Main sign in method | Yes | Determines how users sign in to Knox Authentication Manager. |
|
| I have read and understand the notice in the description (required for Face authentication) | Yes — if you selected PIN+Face as a sign in method. | This policy confirms that you've read and acknowledged the biometric privacy notice, and only appears after you select PIN+Face as the app's main sign in method. |
|
| Main sign in PIN length | Yes | Sets the required PIN length when PIN+Face or PIN only sign in is used. |
|
Manage sync controls
| Policy name | Required | Description | Options |
|---|---|---|---|
| Enable syncing | Yes | Enables device-to-device data syncing. Disabling this policy is only recommended for dedicated devices. If set to False, only the Sync Group ID policy is required in the Manage sync controls group. When device syncing is disabled, no network traffic is sent to Google Firebase. |
True (default) or False |
| Sync Org ID | Yes | Sets a single identifier for your company or organization, under which your device sync groups are organized. | Enter an Org ID consisting of only letters and numbers. This should be the same for devices that you want to sync with one another. |
| Sync Devices By | Yes | Determines how device sync groups are defined. |
|
| Sync Group ID | Yes |
Sets a unique identifier for a group of devices across which user profiles will be synced. This setting only applies if your devices sync by group ID. Group IDs often correspond to device groups you configured in your UEM or EMM. |
Enter an group ID consisting of only letters and numbers. This should be the same for devices that you want to sync with one another. |
| Sync Group Key | Yes | Sets a sync group key to encrypt and protect user profiles and device group communication. |
Enter a 32-character key consisting of only letters and numbers. This should be the same for devices that you want to sync with one another. One way to create the key is to run |
| Sync Send UDP Port | Yes | Specifies a UDP port number on devices which is used to send device communications such as sync requests. | Enter a UDP port number. If left unset, the default is 49158. |
| Sync Receive UDP Port | Yes | Specifies a UDP port number on devices which is used to send device communications such as sync requests. | Enter a UDP port number. If left unset, the default is 49159. |
| Sync TCP Port | Yes | Specifies a TLS communication port number on devices which is used to sync data between devices. | Enter a TLS communication port. If left unset, the default is 7788. |
Manage KAM behavior
The following policies are only applicable if you’re using VMware Workspace ONE without launcher login screen, Microsoft Intune without Managed Home Screen, or Knox Manage/SOTI MobiControl as your UEM or EMM.
| Policy | Required | Description | Options |
|---|---|---|---|
| Entra Tenant ID | Yes | Specifies the Knox Authentication Manager Directory (tenant) ID registered in Microsoft Entra ID. Refer to Microsoft’s documentation for detailed instructions on how to find your tenant ID. | Enter the Entra Tenant ID |
| Entra Client ID | Yes | Specifies the Knox Authentication Manager Application (client) ID registered in Microsoft Entra ID. Refer to Microsoft’s documentation for detailed instructions on how to find your client ID. | Enter the Entra Client ID |
| Auto sign out on charge | Yes | Determines whether Knox Authentication Manager automatically signs out the current user when a device is charged (user can cancel). | True or False (default) |
| Auto sign out period after screen-off (mins) | No | Specifies how many minutes a device screen must remain off before Knox Authentication Manager automatically signs out the current user. | Enter a value in minutes. If left unset, the default is 0. 0 = disabled. |
| Use KAM authentication to unlock device | Yes | Forces users to sign into Knox Authentication Manager (PIN+Face or PIN only) in order to unlock their devices. | True or False (default) |
| Clean-up on sign out | Yes | Allows the removal of app and account information when users sign out, to ensure that they don’t have access to the previous user’s signed-in apps and data. | True or False (default) |
| Clean-up excluded apps upon sign out (package names) | No | Specifies the package names of apps — as a comma-delimited list — that are excluded from clean-up. | Enter app package names separated by commas. |
| Clean-up upon sign in | Yes | Allows the removal of app and account information when users sign in, to ensure that they don’t have access to the previous user’s signed-in apps and data. | True or False (default) |
| Clean-up apps upon sign in (package names) | No | Specifies the package names of apps — as a comma-delimited list — you want to clean up after users sign in. You must set Clean-up upon sign in to True for this policy to work. |
Enter app package names separated by commas. If left unset, the default packages included are:
|
| Reverification time (mins) | No | The time period after the screen is turned off before the user must reverify their identity on the device. | Enter a value in minutes. If left unset, the default is 0. 0 = disabled. |
-
VMware Workspace ONE is also known as Omnissa Workspace ONE. ↩︎
On this page
Is this page helpful?