Back to top
Home / Knox Authentication Manager / How-to guides /

Configure app policies

Last updated November 14th, 2024

Before deploying Knox Authentication Manager as a managed app to your devices, you’ll need to configure several app policies in your UEM or EMM. The following tables describe each policy and the options available.

  1. For Knox Manage admins, see Assign Managed Google Play apps for instructions on managing app configurations.
  2. For VMware Workspace ONE1, Microsoft Intune, and SOTI MobiControl admins, refer to their respective documentation for more details.

For all policy settings, the following special characters are NOT permitted:. # $ [ ] & ; < > "

Basic configuration information

Policy Required Description Options
Managed Configuration Yes The name of the app’s managed configuration file. This field is mandatory. Any text string consisting of alphanumeric characters.
Profile name No The user-facing name for the Knox Authentication Manager profile, as seen on the app’s Policy screen. Any text string consisting of alphanumeric characters. Special characers are permitted.
License Key Yes The license key included with a Knox Suite license. This field is mandatory. Any valid Knox Suite license key.
Auto delete unused profile after (months) Yes The number of months that a profile must remain unused before being automatically deleted from system. This field is mandatory. Any numerical value from 1 – 36.

Customize KAM home screen

Policy name Required Description Options
Title No A custom title that appears below the logo on the app’s sign in screen. Any text string consisting of alphanumeric characters. Max 30 characters.
Description No Custom description text that appears above the Username field on the app’s sign in screen. Any text string consisting of alphanumeric characters. Max 100 characters.
Admin PIN Yes The PIN number required in order to exit Knox Authentication Manager’s sign in screen. Any text string consisting of alphanumeric characters.

Manage login controls

Policy name Required Description Options
UEM being used Yes The name of your UEM or EMM
  • VMware Workspace ONE with launcher login screen
  • VMware Workspace ONE without launcher login screen
  • Microsoft Intune with Managed Home Screen
  • Microsoft Intune without Managed Home Screen
  • Samsung Knox Manage/SOTI MobiControl
Main login method Yes Determines how users sign in to Knox Authentication Manager.
  • PIN+Face — Users sign into the app by first entering a PIN number, then scanning their face. If you select this option, you must also select Yes in the following field to confirm that you agree to the biometric privacy notification.
  • PIN only — Users sign into the app using their PIN number only.
  • Manual — Users sign into the app using their identity provider credentials (for example, their Microsoft EntraID username and password)
I have read and understand the notice in the description (required for Face login) Yes — if you selected PIN + Face as a login method. This policy confirms that you've read and acknowledged the biometric privacy notice, and only appears after you select PIN+Face as the app's main login method.
  • No response — User will sign in using Manual authentication
  • Yes — You're using a login method that collects a user's biometric information and you've read and acknowledged the privacy notice.
Main Login PIN Length Yes Sets the required PIN length when PIN + Face or PIN only login method is used. An integer reporesenting the required PIN length.

Manage KAM behavior

The following policies are NOT applicable if you’re using VMware Workspace ONE with launcher login screen or Microsoft Intune with Managed Home Screen as your UEM or EMM.

Policy Required Description Options
Entra Tenant ID Yes Specifies the Knox Authentication Manager Directory (tenant) ID registered in Microsoft Entra ID. Refer to Microsoft’s documentation for detailed instructions on how to find your tenant ID. Enter the Entra Tenant ID
Entra Client ID Yes Specifies the Knox Authentication Manager Application (client) ID registered in Microsoft Entra ID. Refer to Microsoft’s documentation for detailed instructions on how to find your client ID. Enter the Entra Client ID
Auto logout on charge No Determines whether Knox Authentication Manager automatically signs out the current user when a device is charged (user can cancel). True or False
Auto logout on screen-off after (mins) No Specifies how many minutes a device screen must remain off before Knox Authentication Manager automatically signs out the current user. Enter a value in minutes.

0 = disabled
Use KAM authentication to unlock device No Forces users to sign into Knox Authentication Manager (PIN+Face or PIN only) in order to unlock their devices. True or False
Clean-up on logout No Allows the removal of app and account information when users sign out, to ensure that they don’t have access to the previous user’s signed-in apps and data. True or False
Clean-up excluded apps (package names) No Specifies the package names of apps — as a comma-delimited list — that are excluded from clean-up. Enter app package names separate by commas
Clean-up on login No Allows the removal of app and account information when users sign in, to ensure that they don’t have access to the previous user’s signed-in apps and data. True or False
Clean-up apps (package names) No Specifies the package names of apps — as a comma-delimited list — you want to clean up after users log in. You must set the Clean up on login policy to True in order for this policy to work. True or False
Reverification time (mins) No The time period after the screen is turned off before the user must reverify their identity on the device. Enter a value in minutes.

0 = disabled.

Manage sync controls

Policy name Required Description Options
Sync Org ID Yes Sets a single identifier for your company or organization, under which your device sync groups are organized. Enter an Org ID consisting of only letters and numbers. This should be the same for devices that you want to sync with one another.
Sync Devices By Yes Determines how device sync groups are defined.
  • Group ID — Devices sync when they're in the same admin-defined group.
  • WiFi Subnet — Devices sync when they're on the same Wi-Fi subnet.
Sync Group ID Yes

Sets a unique identifier for a group of devices across which user profiles will be synced. This setting only applies if your devices sync by group ID.

Group IDs often correspond to device groups you configured in your UEM or EMM.

 Enter an group ID consisting of only letters and numbers. This should be the same for devices that you want to sync with one another.
Sync Group Key Yes Sets a sync group key to encrypt and protect user profiles and device group communication.

Enter a 32-character key consisting of only letters and numbers. This should be the same for devices that you want to sync with one another.

One way to create the key is to run openssl rand -base64 24 in a terminal.
Sync Send UDP Port Yes Specifies a UDP port number on devices which is used to send device communications such as sync requests Enter a UDP port number. If left unset, the default is 49158.
Sync Receive UDP Port Yes Specifies a UDP port number on devices which is used to send device communications such as sync requests. Enter a UDP port number. If left unset, the default is 49159.
Sync TCP Port Yes Specifies a TLS communication port number on devices which is used to sync data between devices. Enter a TLS communication port. If left unset, the default is 7788.

Manage debug controls

Policy Required Description Options
Debug mode No Enable Debug mode settings on the Knox Authentication Manager app. True or False

  1. VMware Workspace ONE is also known as Omnissa Workspace ONE. ↩︎

On this page

Is this page helpful?