Normal mode features
Normal mode allows the device to run as a phone or tablet as intended, but with specific settings applied by Knox Configure. Normal mode provides the most robust feature set available of all the Knox Configure profile options.
If configuring a normal mode profile for a DeX device, go to DeX profile support for additional information on adding applications, bookmarks and home page settings unique to the DeX device.
A Dynamic profile can push update another Dynamic edition profile, and a Setup edition profile can push update a Dynamic edition profile. However, a Setup edition profile cannot update another Setup edition profile, nor can a Dynamic edition profile push update a Setup edition profile.
For information on updating and replacing an existing device profile, go to: Updating an existing device profile.
Set the following general information to define the device type and Knox version utilized with the device profile:
Select one of the following Device level settings to ensure the profile is correctly supporting a Knox or non-Knox Samsung device:
- Secured by Knox devices — Select this option if the devices receiving this profile utilize Knox. Once selected, refer to the Knox version drop-down menu and select the version of Knox currently residing on the devices receiving this profile.
- Other Samsung devices — Select this option if deploying Samsung devices that do not utilize Knox. When this option is selected, the Knox version drop-down menu is no longer available. The remainder of the profile configuration screen flow closely resembles the screen flow of Knox enabled devices. The KDA enrollment of Other Samsung devices is not supported. ProKiosk devices do not support Other Samsung devices.
- Knox version — Select the device's Knox version number. Ensure this setting is accurate, as newer Knox versions have the latest feature set available. To find the version number on the device, go to Settings > About device > Software info. The Knox version is not required if Other Samsung devices is selected as the Device level setting.
Define a relevant profile name and description to assist with mapping devices to this specific Dynamic edition profile:
- Profile name — Enter a unique name, not already used by an existing profile in your organization.
- Profile description — Optionally provide an additional profile description to further differentiate a profile from others with similar attributes.
Set the following enrollment screen information displayed on the device during enrollment. Required settings have asterisks appended to them.
- Company name
- Address 1
- Address 2
- Zip Code
Support contact details
Provide a Phone number and Email for device users to reach out for support when encountering issues with their mobile device.
Configure the following settings displayed within the device enrollment screen flow. If you choose not to customize the screens, the default Knox Configure enrollment screens and logos are used.
Set the following Welcome screen settings:
- Skip welcome screen — Select this option to bypass a welcome screen within the device enrollment screen flow. If the welcome screen is skipped by selecting this option, it still displays on devices enrolled using the Knox Deployment App (KDA).
- Customize welcome screen text — Select this option to display a welcome message, up to a maximum of 400 characters. You can review the welcome message as it's being composed in the PREVIEW area on the right-hand side of the screen.
- Hide support link — Select this option to remove the support link from the enrollment welcome screen.
Set the following Agreements:
Configure the following enrollment screen flow Branding elements:
- Background fill — Use the drop-down menu to define the enrollment screen flow background color. Optionally select Upload image to select artwork for the background. The background image cannot exceed 2 MB.
- Logo — Select a logo for preferred branding within the enrollment screen flow. The logo image cannot exceed 1 MB, and should have a 1:1 aspect ration for optimal fit within the enrollment screen flow.
- Set the enrollment screen flow Foreground alignment to either Top, Center, or Bottom. Use the PREVIEW field as needed to assess how the enrollment screen content is aligned within each subsequent screen in the flow.
Enable or disable the following preferences to determine whether device end users can cancel enrollment and skip the setup wizard:
- Run the Setup Wizard and prevent end users from canceling enrollment — Select this option to prohibit the device end user from cancelling enrollment and ensure the setup wizard is invoked.
- Allow end users to cancel enrollment — Select this option to display a Cancel button on the lower left-hand side of the welcome screen and provide device users with an option to cancel the enrollment screen flow.
- Skip Setup Wizard and enable FRP Bypass — Select this option to bypass the setup wizard and prevent the device from being locked to a private Google account due to Factory Reset Protection (FRP).
Knox deployment application settings
Select a License to use with the Knox Deployment App (KDA). The license will be used to assign devices uploaded using the KDA and QR code enrollment.
The KDA provides a flexible option for IT admins needing to bulk enroll devices without a reseller. Using this app, you can reduce your bulk deployment time by using a primary device without factory resetting each device. Once they're enrolled, you can easily locate devices in the KC console.
QR code plus-sign (+) gesture enrollment is a additional device-side enrollment option. A QR code is a unique matrix barcode containing information about its attached item.
If a license is not selected here, this profile will not display as an option in the KDA or work with QR code-based enrollment. Only one license can be selected. If the current license is consumed or expired, an admin will need to assign another license.
If there are no available licenses in the License list, select the Enter License Key option to add a new license. On the Enter license key screen, provide a License name and License key, then click ADD. The newly-created license is then available in the License list.
Product information screen
Customize the product information screen in the Knox Configure client:
- Product Name — Enter the product name displayed in the product information screen. If left blank, the name of the profile is used by default.
- Image — Upload a custom image to display in the product information screen. If you don't add an image, the default generic image is shown. The image size can be PNG or JPG format and can't exceed 2 MB in size.
Optionally, configure an additional way for the device user to open the Knox Configure client:
Add a non-dismissible notification — Select this option to add a persistent notification that the device user can tap to quickly access the Knox Configure client.
- Application name — Enter the application name shown in the notification.
- Notification message — Enter the message shown in the notification.
Applications and widgets
Accessing the Library
Launch your KC console by clicking on the Knox Configure tile after signing into samsungknox.com. From the left-hand menu, choose Library.
From here, you can manage applications that can be used in your profiles. To add a new app, click ADD MOBILE APPLICATION.
There are two types of applications which can be added for mobile devices:
- Your own APK file
- A Google Play shortcut
When uploading your APK file, choose the proper file from your PC, and add a description (optional).
You can also select Activate Knox license. However, only a custom SDK/custom SDK (KLM) license can be used for application activation. You can request these keys from your license reseller. Once received, the key and application must be registered on the Knox Partner Portal before use. The application is downloaded on the device during configuration if a license is selected.
If you select ADD FROM GOOGLE PLAY instead, you need to provide a direct address to the Play store app and an optional description. You can add as many apps as needed.
When an uploaded app is selected, you can click ACTIONS to update, download, or delete it. Click the app to view a popup with basic information about the app and all the uploaded versions.
If you want to add an application for your wearable device, the process is similar. Move to the WEARABLE APPS section and select ADD WEARABLE APPLICATION.
Like with mobile apps, there are two types of applications which can be added for wearable devices:
- Your own TKP or WGT file
- A Galaxy Store shortcut
To upload your own app, browse for the proper TPK or WGT file on your PC and give it a name. Optionally, provide a description for the app. If it's a watch face app, include that information in the description.
If you select the ADD FROM GALAXY STORE option, you need to provide a Tizen package ID, such as org.tizen.message or org.tizen.call. Ensure you enter the package ID, not the application ID. Also, provide an app name, version, and optional description. If it's a watch face app, include that information in the description.
App management in KC profiles
After adding profile information, you can add apps and widgets to your profile. Click ADD APPLICATIONS TO PROFILE to continue.
You can choose from apps already uploaded to your library or add a new one. To add a new app, follow the instructions outlined in the previous Library section.
When your uploaded app has more than one version, you can choose which one to be added to your profile.
Home & lock screen
- Device type — Select Phone, Tablet, or Galaxy Z Fold. After you select a type, the display options change and show the available features of that type.
- Customize favorite applications — Adds a row of pinned icons at the bottom of the screen. Some tablet models might not support this feature. You can customize the apps on both the Internal screen and Cover screen on Samsung Galaxy Z Fold series devices.
- Clear all favorite applications from the Home screen — Removes all favorite apps from the device Home screen. You can remove favorite apps from both the Internal screen and Cover screen on Samsung Galaxy Z Fold series devices.
- Clear all shortcuts from the Home screen — Removes all current app icons and widgets from the home screen. You can remove all shortcuts from both the Internal screen and Cover screen on Samsung Galaxy Z Fold series devices.
- Theme — Uploads a theme APK file for a specific OS. The theme configured according to the Android version is installed. This feature is unavailable on devices that do not support theme functionality.
- Default Home screen wallpaper — Uploads an image to use as the Home screen wallpaper. Samsung Galaxy Z Fold series devices have separate wallpapers on their Internal screen and Cover screen.
- Default Lock screen wallpaper — Uploads an image to use as the lock screen wallpaper. Samsung Galaxy Z Fold series devices have separate wallpapers on their Internal screen and Cover screen.
- Prevent end users from changing the Home screen and Lock screen wallpapers — Prevents device users from changing both the Home and Lock screen wallpapers. Use this setting to keep the device's wallpaper consistent between screens, which helps bolster your enterprise’s branding.
- Device screen preview — Use the Select grid list to arrange phone app icons in a 4x4, 4x5 (Default), 4x6, or 5x6 grid, and tablet app icons in a 6x5, 6x6, 8x4, or 8x6 grid. If the device does not support the grid dimensions specified, this setting might cause the grid to be truncated.
A lock screen is also available to hide separate Time, Date, Owner information, Notifications, Help Text, Battery information and Shortcuts. Select one or all widgets as needed to visually inspect and hide widgets from the device display.
If you select Set automatic lock time, you can choose the idle time between the screen timeout, set in the Sound & display area, and the device lock time. The set lock time persists even after a firmware update.
Additional Home & lock screen settings (Knox 3.4 and above devices only)
Home screen notifications
Select Home screen, then select On or Off to toggle notification details when a device user selects and holds an app on the home screen of a device running Knox 3.4 or above. Once configured, use the Allow user to change setting option to either Allow Home screen device user changes, Do not allow user changes or Do not allow and hide setting from user.
Sound & display
Set the audio levels for system, media, ringtone and device speaker volume.
- Set audio level — Set the volume level of the specified stream (e.g. Media, Notifications, System, Ringtone).
- Device speaker — Set device's speaker to play all sounds. Even if the user connects their device using an audio jack, each sound is still played through the phone or tablet's speakers.
- Ringtone — Set the ringtone or notification tone to a specified audio file. This setting only changes the ringtone for SIM 1 on dual-SIM devices. Note that this option is not supported on devices running Knox 3.0 and higher.
Set the following profile display options as user device deployment requirements warrant:
- Set screen auto rotation to OFF — Enable or disable the auto-rotate feature of the device. You can also specify the rotational angle (for example, 0°, 90°, 180°, or 270°). Note that this option is not supported on devices running Knox 3.0 and higher.
- Remove swipe lock screen — Remove the swipe lock screen from the device. The device will wake with the launcher or previous screen when the power key is pressed, and remain unlocked even if the power key is pressed again or the screen turns off. Only available if Knox version in Profile information is set to Knox 3.4 and above.
- Remove lock screen — Remove the lock screen from the device. Pressing the power or home button will turn the screen on and unlock the device. All lock types except for swipe lock are removed. This feature is only supported on devices running Android 8 and lower.
- Hide system bar — Hide the status bar, navigation bar, or system bar depending on the Android system on the device.
- Set screen timeout (seconds) — Specify the inactivity period that must be exceeded to timeout the device screen.
- Screen always on when plugged in — Enable the screen to stay on when the device is connected to a power source.
- Set the brightness — Select and use the Brightness slider to set the default screen brightness. Select Set auto brightness to allow the device to automatically adjust the screen brightness based on the illumination of its surroundings.
- Set the blue light filter — Select On from the drop-down menu to control the intensity of the device blue light if too bright in the dark. Once selected, the Opacity option can also be selected to enable a slider to refine the Opacity (density) of the device blue light display. If set to Off, the Opacity option is unavailable, and the blue light setting cannot be modified. This feature may not work properly in some device which use a S/W blue light filter. It is recommended to test before deployment.
Set the default device font
Set the following default device font configuration options for the profile:
- Set the default device font
Set system font style — Set the system font to one of the following:
- Keep current settings
- Choco cooky
- Cool Jazz
- Gothic Bold
System font size — Use the preview area to test and select the font size.
- Larger font sizes — On supported devices. selecting this option allows you to increase the font size above 7pt. If your device is not supported, the largest font size will be utilized.
- Font size — Select a font size between 1-7pt. If you've selected the Larger font sizes option, additional font sizes may be available (on supported device models).
Custom booting and shutdown animation
You can customize the device boot animation by uploading images and setting the desired image orientation, dithering and size. Once created and uploaded, you can preview and verify the animation before assigning it to devices. When added to the console, the animation is a .qmg file for profile assignment.
Once verified, an admin can create a profile with relevant settings and add the animation file. The admin can then push the profile to specific assigned devices and verify the devices are configured properly with the animation file. For more information on creating and implementing custom animation, go to: Custom animation creation.
The custom display options available to phones and tablets include:
- Clear a custom booting and shutdown animation — Removes an existing device boot or shutdown animation from enrolled devices.
Set a custom booting animation — Provide Animation, Loop, and Sound files played when the device is powered on. The Loop file plays continuously until the device has completed the boot process.
- Animation file — the selected animation file plays right after the “Powered by Android” screen.
- Loop file — It plays repeatedly until device has completed boot process (after the animation file is finished).
- Sound file — Submit an .ogg file that's played alongside the .qmg file. This file should be below 48 kHz. If your animation is silent, submit a silent .ogg file.
- Set a custom shutdown animation — Provide Animation and Sound files played as the device shuts down.
- Animation file — The animation file plays when the device is powering off. Only .qmg files are permitted for phones and tablets.
- Sound file — Submit an .ogg file played alongside the .qmg file. This file should be below 48 kHz. If your animation is silent, submit a silent .ogg file.
Additional Sound & display settings (Knox 3.4 and above devices only)
Select General display to set the following device display options for devices running Knox 3.4 and above:
- Adaptive brightness determines whether brightness adjustments are collected and applied automatically under similar lighting conditions.
- Accidental touch protection can optionally protect from unintended touch inputs when the mobile device is placed in a dark place, such as a pocket or purse.
- Touch sensitivity can increase the touch sensitivity of the device in special cases, such as while wearing gloves in a hospital or industrial environment or when a thick screen protector is used. This feature is supported on devices running Knox 3.7.1 and higher.
- Screen zoom makes displayed items appear larger or smaller as their image size requires.
- Screen timeout sets a screen display inactivity timeout of 15 seconds, 30 seconds, 1 minute, 2 minutes, 5 minutes, or 10 minutes.
Select Navigation bar to display Button order options for devices running Knox 3.4 and higher.
From Button order, select one of the following navigation bar display options:
- Normal (Recents, Home, Back) — Keeps the navigation bar button order in its current default position.
- Reverse (Back, Home Recents) — Reverses the navigation bar button order from its default position so the back function displays on the left, with home in the center and recents on the right.
Once the Button order is set, refer to the Allow user to change setting option to either Allow device user navigation bar changes, Do not allow user navigation bar changes or Do not allow and hide setting from user.
Select Notifications to display notification app badge icon display options for devices running Knox 3.4 and higher.
Refer to the Application icon badges option and select either On or Off to define whether badges display when applications receive notifications.
Select Status bar to set the battery percentage display for devices running Knox 3.4 and higher. Selecting On displays remaining batter percentage on the status bar, while selecting Off disables the battery percentage display. The Show battery percentage setting has an Allow user to change setting option to Allow device user changes, Do not allow user changes, or Do not allow and hide setting from user.
General sounds and vibrations
Select General sounds and vibrations to display device sound and vibration options for devices running Knox 3.4 and higher. Options include:
- Vibrate while ringing determines whether the mobile device vibrates when receiving an incoming call.
- Set the Vibration pattern experienced on the mobile device upon receipt of an incoming call. Options include, Basic call, Heartbeat, Ticktock, Waltz, and Zig-zig-zig.
- Set the Use volume keys for media option to either On or Off to determine whether the media volume can be controlled by default when a volume key is pressed.
System sounds and vibrations
Select System sounds and vibrations to display device sound and vibration options for devices running Knox 3.4 and higher. Options include:
- Touch sound determines whether tones are emitted when touching certain screen items.
- Screen lock sound determines whether tones are emitted when locking or unlocking the screen.
- Charging sound determines whether tones are emitted when the device begins charging.
- Dialing keypad tone determines whether tones are emitted when tapping the dialing keypad.
- Keyboard sound determines whether tones are emitted when tapping the Samsung keyboard.
- Keyboard vibration determines whether the device vibrates when tapping the Samsung keyboard.
Applications & content
Set the following Dynamic edition profile application and content utilization restrictions:
Disable system applications
- Disable all pre-installed browsers — Disables the internet browsers on the device.
- Disable Google Play store — Prevents the device from accessing the Google Play store to install additional applications.
- Disable S Voice — Disables the S Voice personal assistant on the device. An error may occur if you enable and deploy this setting to a device that does not support S Voice.
- Disable the usage of other applications — Enter the package name(s) of the applications you want to disable.
Application installation restrictions
- Nothing — No application installation restrictions are applied to devices utilizing this profile.
- Installation blocklist — Select this option to upload a CSV file of device application package names that the device user is unable to install on their device. An admin can also manually enter the package names to exclude as well. The list of package names is refreshed and updated whenever the policy is updated.
- Installation allowlist — Select this option to block all other apps except for the ones in this list. Applications not in this allowlist are not allowed to be installed even if the device user has access to the app store. The list of package names is refreshed and updated whenever the policy is updated.
- Block applications from unknown sources — Prevents a user from installing apps from sources other than the Google Play store.
Application update restrictions
- Nothing — No application update restrictions are applied to devices utilizing this profile.
- Update blocklist — Once an application is added to the update blocklist, it cannot be updated on the device beyond its current version. Upload the application package names through either a CSV file, or by entering them manually. The blocklist is updated whenever the policy is updated.
- Update allowlist — Once an application is added to the update allowlist, it can be updated to a newer version. Upload the application package names through either a CSV file, or by entering them manually. The blocklist is updated whenever the policy is updated.
Applications notification restrictions
- Nothing — Allow or deny application notification restrictions are not applied to system pop-up and status bar notifications.
- Notifications blocklist — List the application package names that you don't want the device to receive system notifications and pop-ups for.
- Notifications allowlist — List the application package names that you want to allow system notifications and pop-ups for.
Application URL restrictions
- Applications — List the package names of those applications intended for URL restrictions.
- URL blocklist — Provide a blocklist of URLs for the device. For example, you may wish to blocklist non-enterprise websites (social media sites).
- URL allowlist — Provide an allowlist of URLs for the device. Users can only access websites on the allowlist.
- Prevent applications from being uninstalled — Enter the package name(s) of applications end users are restricted from removing.
- Prevent applications from being stopped — Prevents applications from being stopped by the system, other applications or the device user. If this option is selected, apps that would normally be stopped under conditions like Battery Saver mode will continue to run and consume battery life.
Launch automatically after configuration — Select the content that automatically displays when the device completes enrollment.
Applications — Select the applications to launch automatically once the initial profile configuration is set.
- Launch immediately on every boot-up — Select this option to launch selected applications automatically each time the device is booted.
- Other content — Select additional content, such as a sound file, to add to your profile.
Select an application to play the file — If you selected Other content, you need to select an application that can play the selected file.
- Launch immediately on every boot-up — Select this option to launch the selected other content automatically each time the device is booted.
- Download application during configuration — Add an application with this setting to ensure the selected application is downloaded during configuration and not in the background.
- Add application permissions — If necessary, add application permissions that are granted when defined in the application manifest file.
- Change application icon — Enter the package name of an app added to the profile, and upload a custom image to use as the app's icon.
- Change application name — Enter the package name of an app added to the profile, and enter a custom name for that app.
Set the following profile browser settings for homepage selection and bookmark utilization:
- Set homepage — Enter the URL for the Samsung Browser home page.
- Add web bookmarks — Add the Title and URL of the web bookmarks for the Samsung Internet browser. If your users need to log in to an employee portal to access internal files, you may wish to add a web bookmark for that portal.
- Disable auto fill forms — Optionally enable auto-fill for the Samsung Internet browser to automatically enter commonly-entered information on a web page. This feature is only available for Dynamic edition profiles, and for devices running Knox 2.7.1 and higher.
If necessary, upload a VCF file with the specific contact information you want to include with this profile.
Set the following profile content destination and file save options:
- Set content folder name — Provide a unique folder name for the repository where content from this profile is pushed.
- Add files to the Contents folder — Upload specific content, such as video, music, or digital books to the device's Content folder.
- Additional content — Optionally select additional content to download during configuration. Any content you don't select will be downloaded in the background once configuration is complete.
- Disable WiFi — Select this option to disable Wi-Fi on the device. Once disabled, neither the user or third-party application can enable Wi-Fi.
- Default Wi-Fi settings — Set the current device Wi-Fi configuration as the default or leave the Wi-Fi On or Off.
- Prevent users from changing the Wi-Fi on/off settings — Prevent the user from turning Wi-Fi on or off and change settings once the device has received the Knox Configure profile.
- Network (optional) — Enter the SSID name and Password for the default Wi-Fi network.
Advanced Wi-Fi settings — Enter an SSID Name and select the Security setting for this network. If applicable, enter a Password. If necessary, a device can connect to a specified network with Proxy (optional) credentials delivered by Knox Configure using a proxy to communicate externally. Click Add another to set up multiple Wi-Fi profiles.
- MAC address type — Select whether you want to have a randomized MAC address or device MAC address for connectivity. Device MAC address makes devices ready to use when company WLAN uses MAC filtering. Default setting is randomized MAC. This feature is available on devices with Android-10 or higher.
- Disable Wi-Fi network blocking — Select this option to disable Wi-Fi network blocking for the defined SSID configuration. Samsung devices have Wi-Fi network blocking enabled by default, and disabling Wi-Fi network blocking may reduce AP connection and battery consumption issues for the specified SSID Wi-Fi configuration. This setting is available on Knox 3.5 and above supported devices, and XCover Pro devices running Knox version 3.4.1 and above.
- Disable Bluetooth — Select this setting to restrict the device user and third-party applications from invoking the device's Bluetooth feature.
- Default Bluetooth settings — Select Keep current settings to set the current device Bluetooth state as the default. Use On or Off to enforce a Bluetooth state and override current device Bluetooth settings.
- Disable Bluetooth discoverable mode — Select this option to disable the device's capability to search, connect and share data with other Bluetooth enabled devices.
- Disable Location — Select this option to completely disable location services through either Wi-Fi and mobile networks.
- Default location settings — This setting turns location tracking ON, OFF or keeps the current setting on the device as the default. Select Prevent user from changing location settings to prohibit the device use from changing the administrator defined location configuration once deployed to the device user.
- Disable Mock location — Selecting this option disables mock location applications within the developer options, and significantly reduces a user's ability to provide inaccurate device location information.
- Disable NFC — Select this option to disable all NFC settings on the device.
- Default NFC settings — Set the current NFC setting as the default, or turn NFC On or Off by default.
- Prevent users from changing NFC settings — Selecting this option restricts the device user from changing NFC settings locally on their device.
- Disable Airplane mode — Select this option to disable a device user's ability to disable Airplane mode on their device.
- Default Airplane mode settings — Either Keep current settings, or turn the airplane mode On or Off.
- Turn on mobile data — Turn mobile data ON, OFF, or keep the current setting on the device.
- Default Data when roaming — This setting permits admins to enable/disable device users from accessing and using carrier data when roaming. Turn default data roaming either On, Off, or Keep current settings (default setting). Selecting On and using mobile data when roaming could result in additional charges.
Set default USB connection type
Determine the connection type when the user connects the device to a computer via USB:
- Keep current settings
- MTP — Allows the user to copy files between the device and a computer.
- PTP — Picture Transfer Protocol, the computer treats the device as a camera. Allows photo editing programs and other software apps to access photos stored on the device.
- MIDI — Musical Instrument Digital Interface, a connection type used by electronic musical instruments and computers to communicate with each other.
- CHARGING — Allow the device to charge, but not transmit data.
Enable SIM lock
Enabling the SIM pin lock prevents the use of the device's corporate SIM card on any other device. Whenever the corporate device is powered on, it automatically unlocks the device's SIM card for this session. However, if the SIM card is removed and inserted into another device, it remains locked. An IT admin can set a PIN here to unlock the SIM card for use on a different device.
SIM 1 — Select Enable from the drop-down list and enter a PIN at least 4 characters long.
SIM 2 — This option is only applicable if you are deploying Knox Configure to dual-SIM supported devices. Select Enable from the drop-down list and enter a PIN that is at least 4 characters long. If necessary refer to the Restrictions section within the profile creation user interface to restrict users from swapping a 2nd device SIM.
Additional Device connectivity settings (Knox 3.4 and above devices only)
Select Advanced Wi-Fi to display additional NFC beaming options for devices running Knox 3.4 and higher. Options include:
- Switch to mobile data allows the device to use mobile data whenever the current Wi-Fi network is identified as slow or unstable.
- Allow individual apps to switch allows the device to switch apps to mobile data when a Wi-Fi connection cannot be established.
- Turn on Wi-Fi automatically allows the device to enable Wi-Fi in locations where Wi-Fi has been used frequently.
- Detect suspicious networks allows the device to receive notifications when suspicious activity is detected on the Wi-Fi network.
- Wi-Fi power save mode reduces battery consumption by analyzing Wi-Fi traffic patterns.
- Hotspot 2.0 allows the device to connect to Hotspot 2.0-supported access points without requiring a password.
The following are the device setting options available to phone and tablet devices. For information on device settings available to Knox 3.4 and above devices only, go to Additional Device settings (Knox 3.4 and above devices only). For information on remapping hardware keys to launch a specified application, go to: Remap hardware keys (XCover Pro and Tab Active series only).
Locale — Select the language and country for the device.NOTE — The language and country pair chosen in the KC profile must be a language and country combination that is supported by the device. If not, it could result in a configuration error. You can check which language and country combination is supported in the language menu of your device settings.
- Time zone — Keep current settings or select the appropriate timezone for devices.
- Automatic Time Update — Set the device to automatically update its time and date information from the network.
Keyboard — Select Customize keyboard options to enable the Predictive text options. Once enabled, the predictive text and keyboard settings options function independent from one another, so there are no constraints on using these options together.
- Predictive mode — Turn predictive mode On or Off as needed. Predictive mode attempts to complete a word on behalf of the user based on the initial characters entered when forming a word. This setting is only available on devices running Knox version 2.7.1 and above.
- Add keyboards — Add up to 5 third-party keyboard on devices managed by KC. The appropriate keyboard package must also be installed on the device.
Hide Settings menu/elements — Hide one or more of the following items from the device settings menu:
- Backup and Reset
- Airplane mode
- Lock screen and security (Lock screen)
- Always On Display in Quick Panel
- Disable USB debugging mode — When selected, developers cannot receive debugging information from their device or use ADB to push content or files to the device.
- Default USB debugging mode — Turn USB debugging mode On or Off by default or use the current setting as the default.
- Disable OMC mode — Prevent the device from being customized by a source other than Knox Configure (i.e. Open Market Customization).
- Power on the device when connected to a power source — Set devices to automatically power on when connected to a power source.
- Power off the device when disconnected from a power source — Select this option to automatically power off a device when disconnected from its power source. If a device is disconnected from a power source during startup, it will automatically shutdown even though its not connected to power. This feature only works when the device already powered and booted.
- Extend battery life by limiting the maximum charge when connected to a power source — Select this option to provide a maximum charge setting of 85% to avoid issues with keeping a tablet on its charger too long. When selected, a tablet device will stop charging once it reaches 85% of total available charge.
Remap hardware keys (Galaxy XCover Pro and Tab Active series only)
Use this section of the Device settings profile configuration screen to remap hardware keys to launch a specified application, using either a long or short press action. Customizable hot key remapping combinations are also supported. For instance, users can launch one app with a short press action and another app with a long press action. When needed, select an available template for hot key mapping based on the intended key mapping configuration.
To remap hardware keys:
- Under Remap hardware keys (XCover Pro and Tab Active series only), click ADD CONFIGURATION.
From Key mapping template, select Microsoft Teams to use a preconfigured template or Custom to create a custom key mapping configuration. The Microsoft Teams template provides a single-click option to enable walkie-talkie functionality with Microsoft Teams for XCover Pro and Tab Active series devices.
Set the following custom key mapping configuration:
- Key name — Specify whether the device's XCover key or Top key will launch the specified application using either a short or long button press.
- Key press type — Select whether a Short press or Long press hardware key press launches the selected application.
- Action type — Select either Launch application or Launch and exit as the action resulting from the specified short or long Key press type.
- Application package name — Correctly provide the package name launched by the selected XCover Pro or Tab Active series key and the selected key press type and action.
- Click DONE to save your key mapping configuration. You can repeat the process to define additional key mapping configurations.
- When completed, review the configurations customized for specific key mapping templates, keys, key press types, actions, and applicable packages.
Side key remapping
You can remap the side key to custom functionality for Knox 3.7 and above. The options available for this custom remapping are as follows:
Double-press of the side key — You can choose to allow or restrict the device user from double-pressing the appropriate key. You can turn this setting on or off.
- Turn on or off
- Quick launch camera
- Open Bixby
- Open specific app
Press and hold of the side key
- Wake Bixby
- Power off menu
Allow user to customize — You can choose one of three settings:
- Allow the device user to customize the action
- Do not allow the device user to customize the action
- Do not allow the device user to customize the action as well as hide the setting from the user
How do I remap the side key on devices?
- In the KC console, navigate to Profiles, and select the profile you want to modify.
- Once the profile configuration dashboard appears, click on Device Settings.
- Click the Edit button on the top right-hand side.
- Scroll down, and select the Bixby Key option in order to expand settings options.
- From there, you can set configurations such as the double-press of the side key or press and hold of the side key.
Additional Device settings (Knox 3.4 and higher devices)
You can prevent device users from accessing certain areas of their Samsung Keyboard as follows:
- Disable keyboard setting — Prevents device users from accessing their Samsung Keyboard settings.
- Disable all toolbar items in keyboard — Prevents device users from accessing their Samsung Keyboard toolbar items.
Language and input
Select Language and input checkbox to display additional keyboard utilization settings for Knox 3.4 and above supported devices.
Show keyboard button toggles a keyboard button on the device navigation bar to allow for easier switching between mobile device keyboard resources. Once set, Allow user to change setting can Allow device user keyboard changes, Do not allow user changes, or Do not allow and hide setting from user.
Select Text-to-speech to display speech engine, pitch, and speech rate settings for devices running Knox 3.4 and higher.
- From the Preferred engine menu, specify whether the Samsung text-to-speech engine or Google Text-to-speech engine is utilized as the speech recognition engine for text-to-speech conversion.
- Use the Pitch slider to set the text-to-speech pitch rate in the range of 25-400.
- Use the Speech rate slider to define the text-to-speech rate conversion used by the speech recognition engine. The setting is defined in the range of 10-600.
To set biometric device restrictions (facial recognition, fingerprint scanner and iris scanner) on supported models running Knox version 2.9 or higher: go to: Security settings.
ALL — Disable all of the settings listed under Device functionality.
- Prevent end users from using the camera.
- Prevent video recording if the camera is enabled.
- Prevent end users from capturing the screen.
- Prevent end users from using the microphone.
- Prevent audio recording if the microphone is enabled.
- Prevent end users from receiving SMS.
- Prevent end users from sending SMS.
- Prevent end users from receiving MMS.
- Prevent end users from sending MMS.
- Prevent end users from using the clipboard.
- Prevent end users from accessing the Settings menu.
- Prevent end users from using 2nd SIM slot.
Disable hardware keys
Enable or disable the following device hardware key functions as needed for this particular profile and its deployment objectives:
- ALL — Disables all hardware key functions.
- Volume up — Turn off Volume up hardware key functionality, rendering the device incapable of increasing its volume.
- Volume down — Turn off Volume down hardware key functionality, rendering the device incapable of decreasing its volume.
- Home — Disables the device's capability of returning to the home screen.
- Power — Disables the device's power key.
The following security settings enable an IT admin to restrict specific access and storage capabilities to reduce vulnerabilities. For information on disabling biometric authenticators (fingerprint scanner, iris scanner, and facial recognition) on supported device models running Knox 2.9 or higher, go to: Security settings.
- ALL — Disables all of the settings listed under Security.
- Disable SD card access — Prevents the device from reading data from a SD card or writing data to a SD card.
- Disable Software Updates (Firmware updates via Wi-Fi and Mobile networks). — You can set a FOTA block for devices so that even if the device user tries to manually update the device's firmware, it is blocked on the device. Only after the new device is enrolled in Knox Configure, KC will decide to permit the appropriate FOTA update to the device or not based on FOTA block option. If you set the FOTA block as on, then KC will block FOTA updates. If not, KC won't block it and the end user can select whether to accept the FOTA update or not. This restriction negates the chances of an OS mismatch on the device and ensures that all partner apps remain functional. Additionally, for devices running Knox 3.4 or higher and the Samsung T295 device, you can prevent the device user from updating the firmware of the device in download mode.
- Disable factory reset — Prevents a user from factory resetting their device. When factory reset, Wi-Fi, and mobile data is disabled in Knox Configure. Consequently, the device is no longer able to update the profile they are enrolled in, and are unable to unenroll if need be. The device requires a network connection be re-established to receive updates and changes from Knox server resources.
- Disable device power off for users. — Prevents the user from turning the device off. The device will only turn off if you disable this setting or if the battery level is critically low.
- Disable Multiple user mode. — Prevents more than one user account from being created.
- Disable Safe mode. — Safe mode prevents the device from running third-party apps. Select this option to prevent users from enabling Safe mode.
- Disable firmware update in download mode. — Prevents the device user from updating the firmware of the device while the device is in download mode. This feature is supported on devices running Knox 3.4 or higher.
USB device restrictions
Set the following device USB restrictions for profile data security over the USB interface:
With Knox 2.9 and above supported devices using a dynamic edition profile, IT admins can additionally define which particular USB restriction classes to enable or disable for a profile.
- Disable USB Media Transfer Protocol (MTP) — MTP is a protocol that enables media files to be transferred automatically to and from mobile devices.
- Disable USB host storage — Selecting this option disables USB host storage in its entirety. Individual USB classes cannot be disabled is this option is selected.
- Disable the following USB classes — Select this option to disable specific USB classes (Audio, CDC data, Communications, Human interface device, Mass storage, Miscellaneous, Still image, Vendor specific, and Wireless Controller). Select Show Examples to review the USB data classes impacted with each checkbox option. If Disable USB hoist storage is selected, individual USB classes cannot be disabled.
Set the following roaming settings for this device profile and its data protection requirements:
- ALL — Disables all of the settings listed under Roaming.
- Prevent end users from using mobile data while roaming.
- Prevent end users from syncing while roaming.
- Prevent end users from receiving WAP push messages while roaming. — WAP messages direct users to web pages.
- Prevent end users from making voice calls while roaming.
Set the following data tethering settings to define how the profile shares Internet connection information with other mobile devices:
- ALL — Disables all of the settings listed under Tethering.
- Prevent end users from using Bluetooth tethering.
- Prevent end users from using USB tethering.
- Prevent end users from using Wi-Fi tethering.
Refer to the Security setting screen to disable some or all of the biometric authentication settings available to supported devices. To restrict end users from using other (non biometric) device functions, go to: Restrictions.
- ALL — Select All to disable fingerprint recognition, iris scanner and facial recognition device user authenticators.
- Disable Fingerprint scanner — Disables a device's ability to use its fingerprint scanner as a user authenticator option.
- Disable Iris scanner — Disables a device's ability to use its optical iris scanner as a user authenticator option.
- Disable Face recognition — Disables a device's ability to use its facial recognition capability as a user authenticator option.
- Disable password visibility when typing — Select this option to prohibit the display of the password characters when entering them on the mobile device.
Additional Security settings (Knox 3.4 and above devices only)
Select the Location checkbox to display additional Wi-Fi and Bluetooth scanning settings for Knox 3.4 and above supported devices. Once these options are set, refer to the Allow user to change setting option to either Allow device user password visibility changes, Do not allow user changes or Do not allow and hide setting from user.
- Wi-Fi scanning — Enable this setting to let applications use Wi-Fi for more efficient location detection, even when Wi-Fi is turned off.
- Bluetooth scanning — Enable this setting to let applications use Bluetooth for more efficient location detection, even when Bluetooth is turned off.
Other security settings
Select the Other security settings checkbox to display password visibility settings for Knox 3.4 and above supported devices. Select On to make password characters briefly visible as they are typed and hides them shortly thereafter. Selecting Off disables the feature. Once set, refer to the Allow user to change setting option to either Allow device user password visibility changes, Do not allow user changes or Do not allow and hide setting from user.
An Access Point Name (APN) is the gateway between a carrier providing 2G, 3G, or 4G mobile network service and the mobile device. Devices must be configured with the correct APN information to establish data connectivity. Only a single APN resource is available at one time, though an identical APN configuration with the same parameters can be defined.
If adding or editing an APN resource, provide the following configuration details:
Set as preferred APN — Select this option to make this APN the preferred Access Point resource supporting your device. This option is disabled by default.
- APN (Access Point Name)
- MCC (Mobile Country Code)
- MNC (Mobile Network Code)
- None — No user credential validation exchanges are attempted.
- PAP — The Password Authentication Protocol (PAP) uses a static username and password for authentication purposes.
- CHAP — The Challenge Authentication Protocol (CHAP) creates a unique "challenge phrase" for each authentication attempt instead of using a standard username or password.
- PAP or CHAP
- IPv4/IPv6 — Both IPv4 and IPv6 formatted IP addresses are supported for the APN resource.
- APN roaming Protocol — Select whether the device should use an IPv4, IPv6 formatted network or both as a roaming protocol.
- Mobile virtual network operator type — Use the drop-down menu to select the appropriate mobile virtual network operator type (MVNO) allowing an APN configuration to be restricted when using particular MVNOs or subscriber accounts. Without the MVNO setting, custom defined APN configurations are selected according to MCC and MNC only, which specifies the mobile network a mobile device subscribes to, but not the particular retailer or reseller, or account on a network. Drop-down MVNO menu options include None, SPN (Service Provider Name), IMSI (International Mobile Subscriber Identity), or GID (Group Identifier Level 1). When a value other than None is selected, a MVNO value is also required.
- Mobile virtual network operator value — Set the value that either matches service provides name (SPN), the unique subscriber account (IMSI) or global identifier level 1. The MVNO value is not required if the MVNO type is set to None.
- MMS Proxy
- MMS Port
The Shared Devices feature allows multiple users to have their own profile, apps, and files on a single device. Users can log in with Active Directory credentials. Users cannot access data and settings for other users' profiles. A shared device configuration is optional and not required for profile creation in Knox Configure. For more information, go to: About Knox Configure shared devices.
- Select Enable Shared Device to upload the shared device agent on to the device.
- Click Select, then upload a Background image to display for the Shared Device login screen.
- Samsung recommends the Samsung Kerberos SSO authenticator for validating shared devices. Select Enable Kerberos SSO to upload the Samsung Kerberos Authenticator for shared device validation. Optionally use the Upload XML configuration file setting to select and upload a XML formatted file. If you do not have a properly formatted configuration file, select Click here for sample XML file to display a sample file you can use for reference.
Set the following Enterprise branding information to set shared device organizational logos and company name branding:
- Click Select, then set a Company logo to display on the shared device(s). Ensure the file utilized adheres to the listed image requirements and recommended dimensions.
- Enter a Company name for shared device utilization does that not exceed the 20 character maximum.
Shared Device configuration for Knox 2.9 or above
Devices supporting Knox version 2.9 or above support additional shared device configuration options not supported in earlier Knox versions. To set a shared device configuration on devices running Knox version 2.9 or above:
- Enable the Shared Device option to upload the required shared device agent to the device. Shared Device must be enabled to set the remaining options.
- Enter the AD domain name of the corporate Active Directory provisioning shared device accounts. When powering on, shared device users receive a prompt to log in with the credentials for this Active Directory domain. A successful login is required to access shared device resources.
- Choose Select, and upload a Background image for the Shared Device login screen. The selected image overwrites the image set in the Home and Lock screen field.
Set the following Enterprise branding information to provide shared device organizational logos and company name:
- Choose the Select button and set a Company logo for shared device branding. Ensure the file utilized adheres to the listed image requirements and recommended dimensions.
- Enter a Company name (max. 20 characters) for shared device utilization does that not exceed the 20 character maximum.
- Set a Screen timeout (minutes) to define the maximum amount of time a shared device can remain idle before password credentials must be re-entered to resume access. The default setting is 120 minutes if left unspecified.
- Set a Maximum allowed screen lock attempts reached threshold to limit the number of failed lockscreen attempts permitted by shared devices. The default setting is 5 attempts if left unspecified.
- Select applications to prevent data clearing to add shared device application packages that are retained, and not cleared, once shared device mode is disabled. Select Add to include additional applications, or X to remove a selected package.
- Enable Kerberos SSO to upload Samsung's recommended Kerberos authenticator to the device.
Use Enterprise Billing to separate billing between enterprise apps and personal apps. The Knox Configure client will ignore E-billing configurations on devices running the Android Q version operating system and above. The Knox Configure console provides a warning for now unsupported status of E-billing on the Q version operating system.
Provide the following information:
- Profile name
- Applications in Personal mode — Enter the package names of apps used for business. Your enterprise is responsible for data costs incurred by these business apps.
- Roaming — Turn on to enable users to connect to data while roaming.
- APN1 — Add multiple APN resources if your device users have different service providers. The first applicable APN resource will be used by Enterprise Billing based on their service provider.
- If necessary, select CLEAR BILLING PROFILE & REVERT TO DEFAULT APN to use the default APN resource configuration.
For information on adding DeX mode support to a profile (either a Setup or Dynamic edition profile), go to: DeX mode support.
Devices supporting Knox version 3.4 and above have an additional set of advanced features configurable for a Setup edition profile. Each can be separately enabled.
Enable Motions and gestures to display the following additional Advanced features for the Knox 3.4 or above supported profile. Each of the following can be turned On or Off for the profile, and has a separate drop-down menu to either Allow, or Do not allow device user changes or Do not allow and hide setting from user.
- Smart stay — When enabled, the screen remains unlocked as long as the device camera can detect your eyes looking at the screen. When you put the phone down or look away, the device will turn off based on the screen's current timeout settings.
- Smart alert — When enabled, smart alert informs the device user of missed calls and text messages by vibrating the phone when its picked up.
- Easy mute — When enabled, easy mute allows you to mute incoming calls and alarms by placing your hand on the screen. On Galaxy S8, S8+, S7 and S7 edge platforms you cam also mute calls and alarms by placing the phone face down on a flat surface.
- Palm swipe to capture — When enabled, this feature allows you swipe your hand across the device screen to capture the current device display. Once captured, the image resides in the screenshots album/folder in the gallery.
- Swipe to call or send messages — When enabled, this feature allows you to call or send messages by swiping your finger across a contact's information in the phone or address book.
On the left, review the settings configured for each category. Optionally select the General information and Additional EULA tabs to review the information entered. If you want to make any changes, click Back. Once you have verified the settings are correct, click Submit. Select Back to top from the lower, right-hand, side of a screen to navigate back to the top of that respective screen. Select the DOWNLOAD PROFILE SUMMARY AS A PDF option to archive the profile summary settings in PDF for potential re-use in creating profiles for other accounts.