Home / Knox Configure / How to guides / Profiles / Configure profile settings /

Restrictions

Last updated October 7th, 2025

These settings allow you to restrict device features to improve device security and reduce potential threats.

The following settings are available:

Security

Under SECURITY, choose to apply the following security restrictions:

  • ALL — All of the Security restrictions are applied.

    • Disable SD card access (Dynamic edition only) — Prevents the device from reading data from a SD card or writing data to a SD card.

    • Disable Software Updates (Firmware updates via Wi-Fi and Mobile networks) — Prevents firmware updates on devices, even if the device user tries to update it manually.

      Based on this setting, Knox Configure manages FOTA updates in the enrolled devices. When enabled, Knox Configure blocks FOTA updates; when disabled, users can choose to accept updates. This prevents OS mismatches and ensures partner apps remain functional. Additionally, for devices running Knox 3.4 or higher and the Samsung T295 device, this prevents firmware updates in download mode.

    • Disable factory reset (Dynamic edition only) — Prevents a user from factory resetting their device. When factory reset, Wi-Fi, and mobile data is disabled in Knox Configure. Consequently, the device is no longer able to update the profile they are enrolled in, and are unable to unenroll if need be. The device requires a network connection be re-established to receive updates and changes from Knox server resources.

    • Disable device power off for users (Dynamic edition only) — Prevents the user from turning the device off. The device will only turn off if you disable this setting or if the battery level is critically low.

    • Disable Multiple user mode — On supported devices, prevent more than one user account from being created.

    • Disable Safe mode — Safe mode prevents the device from running third-party apps. Select this option to prevent users from enabling Safe mode.

    • Disable firmware update in download mode — Prevents the device user from updating the firmware of the device while the device is in download mode. This feature is supported on devices running Knox 3.4 or higher.

    • Disable Maintenance mode — Hide the option to put the device in Maintenance mode, which hides personal data on the device if the device user needs to have it repaired. This feature is supported on devices running One UI 6.1 (Android 14) or higher.

  • Biometric authentication (Dynamic edition only) — choose to apply the following security restrictions:

    • ALL — Select All to disable fingerprint recognition, iris scanner and facial recognition device user authenticators.
    • Disable Fingerprint scanner — Disables a device’s ability to use its fingerprint scanner as a user authenticator option.
    • Disable Iris scanner — Disables a device’s ability to use its optical iris scanner as a user authenticator option.
    • Disable Face recognition — Disables a device’s ability to use its facial recognition capability as a user authenticator option.

If enabling or disabling biometric authentication, the device’s password quality will be automatically set and the device’s swipe option is no longer available.

  • Select LOCATION to enable or disable Wi-Fi and Bluetooth location detection.

  • Select OTHER SECURITY SETTINGS to enable or disable visible passwords.

Hide settings menu / element (Dynamic edition only)

Hide one or more of the following items from the device settings menu:

  • ALL
  • Backup and Reset
  • Bluetooth
  • Developer
  • Airplane mode
  • Language
  • Lock screen and security (Lock screen)
  • Wi-Fi
  • Always On Display in Quick Panel

USB device restrictions (Dynamic edition only)

Set the following device USB restrictions for profile data security over the USB interface:

  • Disable USB Media Transfer Protocol (MTP) — MTP is a protocol that enables media files to be transferred automatically to and from mobile devices.

  • Under Disable USB peripherals section, you can configure the below restrictions:

    • Disable USB host storage — Selecting this option disables USB host storage in its entirety. Individual USB classes cannot be disabled is this option is selected.

    • Disable the following USB classes — Select this option to disable specific USB classes (Audio, CDC data, Communications, Human interface device, Mass storage, Miscellaneous, Still image, Vendor specific, and Wireless Controller). Click Show Examples to review the USB data classes impacted with each checkbox option. If Disable USB host storage is selected, individual USB classes cannot be disabled.

Device connectivity (Dynamic edition only)

Under Roaming, configure the following settings:

  • ALL — Disables all of the settings listed under Roaming.
    • Prevent end users from using mobile data while roaming.
    • Prevent end users from syncing while roaming.
    • Prevent end users from receiving WAP push messages while roaming. — WAP messages direct users to web pages.
    • Prevent end users from making voice calls while roaming.

Under Tethering, configure the following data tethering settings to define how the profile shares Internet connection information with other mobile devices:

  • ALL — Disables all of the settings listed under Tethering.
    • Prevent end users from using Bluetooth tethering.
    • Prevent end users from using USB tethering.
    • Prevent end users from using Wi-Fi tethering.

Device functionality (Dynamic edition only)

  • ALL — Disable all of the settings listed under Device functionality.

    • Prevent end users from using the camera.

    • Prevent video recording if the camera is enabled.

    • Prevent end users from capturing the screen.

    • Prevent end users from using the microphone.

    • Prevent audio recording if the microphone is enabled.

    • Prevent end users from receiving SMS.

    • Prevent end users from sending SMS.

    • Prevent end users from receiving MMS.

    • Prevent end users from sending MMS.

    • Prevent end users from using the clipboard.

    • Prevent end users from accessing the Settings menu.

    • Prevent end users from using the second SIM card slot.

Under Disable hardware keys, configure the following settings:

  • ALL — Disables all hardware key functions.
  • Volume up — Turn off Volume up hardware key functionality, rendering the device incapable of increasing its volume.
  • Volume down — Turn off Volume down hardware key functionality, rendering the device incapable of decreasing its volume.
  • Home — Disables the device’s capability of returning to the home screen.
  • Power — Disables the device’s power key.

On this page

Is this page helpful?