If configuring a normal mode profile for a DeX device, go to DeX profile support for additional information on adding applications, bookmarks and home page settings unique to the DeX device.
A Dynamic profile can push update another Dynamic edition profile, and a Setup edition profile can push update a Dynamic edition profile. However, a Setup edition profile cannot update another Setup edition profile, nor can a Dynamic edition profile push update a Setup edition profile.
For information on updating and replacing an existing device profile, go to: Updating an existing device profile.
Set the following general information to define the device type and Knox version utilized with the device profile:
- Select one of the following Device level settings to ensure the profile is correctly supporting a Knox or non-Knox Samsung device:
- Secured by Knox devices - Select this option if the devices receiving this profile utilize Knox. Once selected, refer to the Knox version drop-down menu and select the version of Knox currently residing on the devices receiving this profile.
- Other Samsung devices - Select this option if deploying Samsung devices that do not utilize Knox. When this option is selected, the Knox version drop-down menu is no longer available. The remainder of the profile configuration screen flow closely resembles the screen flow of Knox enabled devices. The KDA enrollment of Other Samsung devices is not supported. ProKiosk devices do not support Other Samsung devices.
- Knox version - Use the drop-down menu to correctly select the version number. Ensure this setting is accurate, as newer Knox versions have the latest feature set available. To find the version number on the device, go to Settings > About device > Software info. The Knox version does is not required if Other Samsung devices is selected as the Device level setting.
Define a relevant profile name and description to assist with mapping devices to this specific Dynamic edition profile:
- Profile name - Enter a unique name, not already used by an existing profile in your organization.
- Profile description - Optionally provide an additional profile description to further differentiate a profile from others with similar attributes.
Set the following enrollment screen information displayed on the device during enrollment. Required settings have asterisk appended to them.
- Company name
- Address 1
- Address 2
- Zip Code
Support contact details
Provide the required Phone number and Email contract resources device users refer to for support when encountering issues with their mobile device.
Configure the following settings displayed within the device enrollment screen flow. If choosing not to customize the screens, the default Knox Configure enrollment screens and logos will be used by default.
- Set the following Welcome screen settings:
- Skip welcome screen - Select this option to bypass a welcome screen within the device enrollment screen flow. If the welcome screen is skipped by selecting this option, it still displays on devices enrolled using the Knox Deployment App (KDA).
- Customize welcome screen text - Select this option to display a field for entering a 400 character maximum welcome message. The welcome message can reviewed as its being composed within the PREVIEW area on the right-hand side of the screen.
- Hide support link - Select this option to remove the support link from the enrollment welcome screen.
- Set the following Agreements:
- Configure the following enrollment screen flow Branding elements:
- Background fill - Use the drop-down menu to define the enrollment screen flow background color. Optionally select Upload image to select artwork for the background. The background image cannot exceed 2 MB.
- Logo - Select a logo for preferred branding within the enrollment screen flow. The logo image cannot exceed 1 MB, and should have a 1:1 aspect ration for optimal fit within the enrollment screen flow.
- Set the enrollment screen flow Foreground alignment to either Top, Center, or Bottom. Use the PREVIEW field as needed to assess how the enrollment screen content is aligned within each subsequent screen in the flow.
Enable or disable the following preferences to determine whether device end users can cancel enrollment and skip the setup wizard:
- Skip Google, Samsung and Carrier setup screens - Select this option to prohibit the device end user from cancelling enrollment and ensure the setup wizard in invoked.
- Allow end users to cancel enrollment - Select this option to display a Cancel button on the lower let-hand side of the welcome screen and provide device users an option to cancel the enrollment screen flow.
- Skip Setup Wizard and enable FRP Bypass - Select this option to bypass the setup wizard and prevent the device from being locked to a private Google account due to Factory Reset Protection (FRP).
Knox deployment application settings
Use the drop-down menu to assign a License for use with the Knox Deployment App (KDA). The license will be used to assign devices uploaded using the KDA and QR code enrollment.
The KDA provides a flexible option to IT admins needing to bulk enroll devices without a reseller. Using this app allows IT Admins to reduce their bulk deployment time, by using a primary device without factory resetting each device. Once enrolled, an IT admin can easily locate the devices within KC console.
QR code plus-sign (+) gesture enrollment is a additional device-side enrollment option. A QR code is a unique matrix barcode containing information about its attached item.
If a license is not selected here, this profile will not display as an option in the KDA, or work with a QR code based enrollment. Only one license can be selected. If the current license is consumed or expired an admin will need to assign another license.
If there are no listed licenses available within License drop-down menu, select the Enter License Key option. From the displayed Enter license key screen, provide a License name and License key, then select the ADD button. The newly created license is then available for selection from within the drop-down menu.
Applications and widgets
The Select apps and Widgets screen displays those applications and widgets that have been uploaded to your Knox Configure account. When an app license expires, it remains within the Applications and Widgets screen, but an app displays a red badge when expired.
The screen displays separate cards for each uploaded application or app acquired from the Google Play Store.
- Display only selected applications and widgets - Select this option to filter and display only those applications and widgets that have their card selected.
- Source - Use the source drop-down menu to display only applications and widgets uploaded via an APK, from the Google Play Store or both.
- Search - Utilize the Search field as needed to locate specific applications by application name, package name, or description.
If a new application is needed, select the ADD APPLICATION button. Select UPLOAD APPLICATION or ADD FROM GOOGLE PLAY STORE and complete the required fields for adding the new application.
When additional application review is needed, each listed application and widget card can be selected to display information in greater detail.
Optionally add a 245 character maximum Description to help differentiate this application from others that may have similar attributes.
If device administrator applications are needed for utilization with Knox Configure, refer to the SELECT DEVICE ADMINISTRATOR APPLICATIONS button to select applications that uniquely perform device administration functions. Device users must accept a EULA for the device administrator application during configuration. Additionally, these applications are downloaded during configuration and may increase the time needed to complete configuration for the device.
Home & lock screen
- Default Home screen wallpaper — Upload a file to use as the home screen wallpaper.
- Default Lock screen wallpaper — Upload a file to use as the lock screen wallpaper.
- Prevent end users from changing the Home screen and Lock screen wallpapers - This option to prevents device users from changing both the Home and Device screen wallpapers. Utilize this option when keeping a device's wallpaper consistent is important for branding.
- Device — Select Phone or Tablet from the Device type drop-down menu, as display options are unique to the type selected. A DeX device's Home and Lock screens are also
- Customize favorite applications — Add a row of pinned icons at the bottom of all the screens. Some tablet models may not support this feature.
- Clear all favorite applications from the Home screen - Remove all current favorite applications from the device home screen.
- Clear all shortcuts from the Home screen — Remove all current app icons and widgets from the home screen.
- Device screen preview - Use the Select grid drop-down menu to display phone app icons in a 4x4, 4x5 (Default), 4x6, or 5x6 grid and tablet app icons in a 6x5, 6x6, 8x4, 8x6 grid. If the device does not support the grid dimensions specified, this setting may create an error.
A lock screen is also available to hide separate Time, Date, Owner information, Notifications, Help Text, Battery information and Shortcuts. Select one or all widgets as needed to visually inspect and hide widgets from the device display.
Refer to the Lock settings item and optionally select Set automatic lock time to enable a drop-down menu used to set the idle time between the screen timeout, set in the Sound & display area, and the device lock time. The set lock time will persist after a firmware update.
Additional Home & lock screen settings (Knox 3.4 and above devices only)
Home screen notifications
Select the Home screen check box and select On or Off to determine whether to display notification details when a Knox 3.4 or above device user touches and holds an app on the device home screen. Once selected, use the Allow user to change setting option to either Allow Home screen device user changes, Do not allow user changes or Do not allow and hide setting from user.
Applications & content
Set the following Dynamic edition profile application and content utilization restrictions:
- Disable system applications
- Disable all pre-installed browsers - Disables the device browsers on the device
- Disable Google Play store - Disables device from accessing the Google Play store to obtain additional applications.
- Disable S Voice - An error may occur if you enable and deploy this setting to a device that does not support S Voice.
- Disable the usage of other applications - Enter the package name(s) of those additional applications you want to disable.
- Application installation restrictions
- Nothing - No application installation restrictions are applied to devices utilizing this profile.
- Installation blocklist - Select this option to upload a CSV file of device application package names that the device user is unable to install on their device. An admin can also manually enter the package names to exclude as well. The list of package names is refreshed and updated whenever the policy is updated.
- Installation allowlist - Select this option to block all other apps except for the ones in this list. Applications not in this allowlist are not allowed to be installed even if the end user has access to the app store. The list of package names is refreshed and updated whenever the policy is updated.
- Block applications from unknown sources - Prevents a user from installing apps from sources other than the Google Play store.
- Application update restrictions
- Nothing - No application update restrictions are applied to devices utilizing this profile.
- Update blocklist - Once applications are added to the update blocklist, they cannot be updated on the device beyond its current version. Enter the application package names using either a CSV file, or by entering them manually. The blocklist is updated whenever the policy is updated.
- Update allowlist - Once applications are added to the update allowlist, they are permitted to be updated to a newer version. Enter the application package names using either a CSV file, or by entering them manually. The blocklist is updated whenever the policy is updated.
- Applications notification restrictions
- Nothing - No allow or deny application notification restrictions are applied to system pop-up and status bar notifications.
- Notifications blocklist - List the application package names whose notifications you wish to exclude for system notifications and pop-ups.
- Notifications allowlist - List the application package names whose notifications you wish to permit and allow for system notifications and pop-ups.
- Application URL restrictions
- Applications - List the package names of those applications intended for URL restrictions.
- URL blocklist - List the URLs of those domains whose application you wish to exclude from domain filtering.
- URL allowlist - List the URLs of those domains whose applications you wish to permit and allow for domain filtering.
- Prevent applications from being uninstalled - Enter the package name(s) of applications end users are restricted from removing.
- Prevent applications from being stopped - Prevents applications from being stopped by the system, other applications or the device user. If selecting this option, apps that would normally be stopped for reasons such as battery savings will still remain on and remain consumptive to the device battery.
- Launch automatically after configuration - Select the content that automatically displays when the device completes enrollment.
- Applications - Select the applications to launch automatically once the initial profile configuration is set.
- Launch immediately on every boot-up - Select this option to launch selected applications automatically each time the device is booted.
- Other content - Select additional content, such as a sound file, to add to your profile.
- Select an application to play the file - If you have selected Other content, you need to select an application that will play the selected file.
- Launch immediately on every boot-up - Select this option to launch the selected other content automatically each time the device is booted.
- Applications - Select the applications to launch automatically once the initial profile configuration is set.
- Download application during configuration - Add an application with this setting to ensure the selected application is downloaded during configuration and not in the background.
- Add application permissions - If necessary, add application permissions that are allowed when defined within the application manifest file.
- Change application icon - Enter the package name of an app added to the profile, and upload a custom image to use as the app's icon.
- Change application name - Enter the package name of an app added to the profile, and enter a custom name for that app.
Set the following profile browser settings for homepage selection and bookmark utilization:
- Set homepage - Enter the URL for the Samsung Browser home page.
- Add web bookmarks - Add the Title and URL of the web bookmarks for the SBrowser. If your users need to log in to an employee portal to access internal files, you may wish to add a web bookmark for that portal.
- Disable auto fill forms - Optionally enable auto-fill within the Samsung browser to automatically enter commonly entered information within a Web page. This feature is available on Dynamic edition profiles only, and on devices running Knox version 2.7.1 and above.
Set the following profile content destination and file save options:
- Set content folder name - Provide a unique folder name for the repository where content from this profile is pushed.
- Add files to the Contents folder - Upload specific content, such as video, music, or digital books to the device's Content folder.
- Additional content - Optionally check any of the displayed boxes to mark additional content to download during configuration, otherwise, it will be downloaded in the background once configuration is completed.
Sound & display
Set the audio levels for system, media, ringtone and device speaker volume.
- Set audio level - Set the volume level of the specified stream (e.g. Media, Notifications, System, Ringtone).
- Device speaker - Set device's speaker to play all sounds. Even if the user connects their device using an audio jack, each sound is still played through the phone or tablet's speakers.
- Ringtone - Set the ringtone or notification tone to a specified audio file. The ringtone option is not supported on devices running Knox 3.0 or later. Additionally, this setting only changes the SIM 1 ringtone on dual SIM devices
Set the following profile display options as user device deployment requirements warrant:
- Set screen auto rotation to OFF - Enable or disable the auto-rotate feature of the device. You could also specify the rotational angle (e.g. 0°, 90°, 180°, 270°).
- Remove lock screen - Remove the lock screen from the device. Pressing the power or home button will turn the screen on. Any previous user-configured lock screen settings such as secure pattern or device passcode unlock methods will also be removed.
- Hide system bar - Hide the status bar, navigation bar, or system bar depending on the Android system on the device.
- Set screen timeout (seconds) - Specify the inactivity period that must be exceeded to timeout the device screen.
- Screen always on when plugged in - Enable the screen to stay on when the device is connected to a power source.
- Set the brightness - Select and use the Brightness slider to set the default screen brightness. Select Set auto brightness to allow the device to automatically adjust the screen brightness based on the illumination of its surroundings.
- Set the blue light filter - Select On from the drop-down menu to control the intensity of the device blue light if too bright in the dark. Once selected, the Opacity option can also be selected to enable a slider to refine the Opacity (density) of the device blue light display. If set to Off, the Opacity option is unavailable, and the blue light setting cannot be modified. This feature may not work properly in some device which use a S/W blue light filter. It is recommended to test before deployment.
Set the default device font
Set the following default device font configuration options for the profile:
- Set the default device font
- Set system font style - Set the system font to one of the following:
- Keep current settings
- Choco cooky
- Cool Jazz
- Gothic Bold
- System font size — Use the preview area to test and select the font size.
- Larger font sizes — On supported devices. selecting this option allows you to increase the font size above 7pt. If your device is not supported, the largest font size will be utilized.
- Font size — Select a font size between 1-7pt. If you've selected the Larger font sizes option, additional font sizes may be available (on supported device models).
- Set system font style - Set the system font to one of the following:
Custom booting and shutdown animation
Administrators can customize boot animation by uploading images and setting the desired image orientation, dithering and size. Once created and uploaded, an admin can preview and verify the animation before assigning it to devices. When added into the console, the animation as a .qmg file for profile assignment.
Once verified, an admin can create a profile with relevant settings and add the animation file. The admin can then push the profile to specific assigned devices and verify the devices are configured properly with the animation file. For more information on creating and implementing custom animation, go to: Custom animation creation.
The custom display options available to phones and tablets include:
- Clear a custom booting and shutdown animation - Removes an existing device boot or shutdown animation from enrolled devices.
- Set a custom booting animation - Provide Animation, Loop, and Sound files played when the device is powered on. The Loop file plays continuously until the device has completed the boot process.
- Animation file - the selected animation file plays right after the “Powered by Android” screen.
- Loop file - It plays repeatedly until device has completed boot process (after the animation file is finished).
- Sound file - Submit an .ogg file that's played alongside the .qmg file. This file should be below 48 kHz. If your animation is silent, submit a silent .ogg file.
- Set a custom shutdown animation - Provide Animation and Sound files played as the device shuts down.
- Animation file - The animation file plays when the device is powering off. Only .qmg files are permitted for phones and tablets.
- Sound file - Submit an .ogg file played alongside the .qmg file. This file should be below 48 kHz. If your animation is silent, submit a silent .ogg file.
Additional Sound & display settings (Knox 3.4 and above devices only)
Select the General display checkbox to set the following device display options for Knox 3.4 and above supported devices:
NOTE - Each General display setting has an Allow user to change setting option to either Allow device user changes, Do not allow user changes or Do not allow and hide setting from user. These options can be set independently of each other and are persistent across subsequent logins.
- Refer to the Adaptive brightness setting On and Off options to determine whether brightness adjustments are collected and applied automatically under similar lighting conditions.
- Refer to the Accidental touch protection On and Off settings to optionally protect from unintended touch updates when the mobile device is placed in a dark place such as a pocket or purse.
- Refer to the Touch sensitivity On and Off settings to increase the touch sensitivity of the device in special cases such as while wearing gloves in a hospital or industrial environment or when a thick screen-protector is used. This feature is supported on devices with Knox 3.7.1 or higher.
- Use the Screen zoom slider to make displayed items appear larger or smaller as their image size requires.
- Use the Screen timeout drop-down menu to set a screen display inactivity timeout of either 15 seconds, 30 seconds, 1 minute, 2 minutes, 5 minutes or 10 minutes.
Select the Navigation bar checkbox to display Button order options for Knox 3.4 and above supported devices.
Use the Button order drop-down menu to define one of the following navigation bar display options:
- Normal (Recents, Home, Back) - Keeps the navigation bar button order in its current default position.
- Reverse (Back, Home Recents) - Reverses the navigation bar button order from its default position so the back function displays on the left, with home in the center and recents on the right.
Once the Button order is set, refer to the Allow user to change setting option to either Allow device user navigation bar changes, Do not allow user navigation bar changes or Do not allow and hide setting from user.
Select the Notifications checkbox to display notification app badge icon display options for Knox 3.4 and above supported devices.
Refer to the Application icon badges option and select either On or Off to define whether badges display when applications receive notifications.
Select the Status bar checkbox to set the battery percentage display for Knox 3.4 and above supported devices. Selecting On displays remaining batter percentage on the status bar, while selecting Off disables the battery percentage display. The Show battery percentage setting has an Allow user to change setting option to either Allow device user changes, Do not allow user changes or Do not allow and hide setting from user.
General sounds and vibrations
Select the General sounds and vibrations checkbox to display device sound and vibration options for Knox 3.4 and above supported devices. Options include:
- Refer to the Vibrate while ringing On and Off options to set whether the mobile device vibrates upon receipt of an incoming call.
- Set the Vibration pattern experienced on the mobile device upon receipt of an incoming call. Options include, Basic call, Heartbeat,Ticktock, Waltz, Zig-zig-zig, Off-beat, Spinning, Siren, Telephone, and Ripple.
- Set the Use volume keys for media option to either On or Off to determine whether the media volume can be controlled by default when a volume key is pressed.
System sounds and vibrations
Select the System sounds and vibrations checkbox to display device sound and vibration options for Knox 3.4 and above supported devices. Options include:
- Refer to the Touch sound setting's On and Off options to set whether tones are emitted when touching certain screen items.
- Use the Screen lock sound On and Off options to set whether tones are emitted when locking or unlocking the screen.
- Navigate to the Charging sound On and Off options to set whether tones are emitted when the mobile device begins charging.
- Refer to the Dialing keypad tone On and Off options to set whether tones are emitted when tapping the dialing keypad.
- Use the Keyboard sound On and Off options to set whether tones are emitted when tapping the Samsung keyboard.
- Navigate to the Keyboard vibration On and Off options to set whether the mobile device vibrates when tapping the Samsung keyboard.
- Refer to the Touch vibration On and Off options to set whether the mobile device vibrates when tapping navigation buttons or touching and holding items on the screen.
- Disable WiFi - Select this option to disable Wi-Fi on the device. Once disabled, neither the user or third-party application can enable Wi-Fi.
- Default Wi-Fi settings - Set the current device Wi-Fi configuration as the default or leave the Wi-Fi On or Off.
- Prevent users from changing the Wi-Fi on/off settings - Prevent the user from turning Wi-Fi on or off and change settings once the device has received the Knox Configure profile.
- Network (optional) - Enter the SSID name and Password for the default Wi-Fi network.
- Advanced Wi-Fi settings - Enter an SSID name and select the Security setting for this network. If applicable, enter a Password. Click Add another if you want to set up multiple Wi-Fi profiles. If necessary, a device can connect to a specified network with Proxy (optional) credentials delivered by Knox Configure using a proxy to communicate externally.
- MAC address type— Select whether you want to have a randomized MAC address or device MAC address for connectivity. Device MAC address makes devices ready to use when company WLAN uses MAC filtering. Default setting is randomized MAC. This feature is available on devices with Android-10 or higher.
- Disable Wi-Fi network blocking - Select this option to disable Wi-Fi network blocking for the defined SSID configuration. Samsung devices have Wi-Fi network blocking enabled by default, and disabling Wi-Fi network blocking may reduce AP connection and battery consumption issues for the specified SSID Wi-Fi configuration. This setting is available on Knox 3.5 and above supported devices, and XCover Pro devices running Knox version 3.4.1 and above.
- Disable Bluetooth - Select this setting to restrict the device user and third-party applications from invoking the device's Bluetooth feature.
- Default Bluetooth settings - Select Keep current settings to set the current device Bluetooth state as the default. Use On or Off to enforce a Bluetooth state and override current device Bluetooth settings.
- Disable Bluetooth discoverable mode - Select this option to disable the device's capability to search, connect and share data with other Bluetooth enabled devices.
- Disable Location - Select this option to completely disable location services through either Wi-Fi and mobile networks.
- Default location settings - This setting turns location tracking ON, OFF or keeps the current setting on the device as the default. Select Prevent user from changing location settings to prohibit the device use from changing the administrator defined location configuration once deployed to the device user.
- Disable Mock location - Selecting this option disables mock location applications within the developer options, and significantly reduces a user's ability to provide inaccurate device location information.
- Disable NFC - Select this option to disable all NFC settings on the device.
- Default NFC settings - Set the current NFC setting as the default, or turn NFC On or Off by default.
- Prevent users from changing NFC settings - Selecting this option restricts the device user from changing NFC settings locally on their device.
- Disable Airplane mode - Select this option to disable a device user's ability to disable Airplane mode on their device.
- Default Airplane mode settings - Either Keep current settings, or turn the airplane mode On or Off.
- Turn on mobile data - Turn mobile data ON, OFF, or keep the current setting on the device.
- Default Data when roaming - This setting permits admins to enable/disable device users from accessing and using carrier data when roaming. Turn default data roaming either On, Off, or Keep current settings (default setting). Selecting On and using mobile data when roaming could result in additional charges.
Set default USB connection type
Determine the connection type when the user connects the device to a computer via USB:
- Keep current settings
- MTP - Allows the user to copy files between the device and a computer.
- PTP - Picture Transfer Protocol, the computer treats the device as a camera. Allows photo editing programs and other software apps to access photos stored on the device.
- MIDI - Musical Instrument Digital Interface, a connection type used by electronic musical instruments and computers to communicate with each other.
- CHARGING - Allow the device to charge, but not transmit data.
Enable SIM lock
Enabling the SIM pin lock prevents the use of the device's corporate SIM card on any other device. Whenever the corporate device is powered on, it automatically unlocks the device's SIM card for this session. However, if the SIM card is removed and inserted into another device, it remains locked. An IT admin can set a PIN here to unlock the SIM card for use on a different device.
SIM 1 - Select Enable from the drop-down list and enter a PIN at least 4 characters long.
SIM 2 - This option is only applicable if you are deploying Knox Configure to dual-SIM supported devices. Select Enable from the drop-down list and enter a PIN that is at least 4 characters long. If necessary refer to the Restrictions section within the profile creation user interface to restrict users from swapping a 2nd device SIM.
Additional Device connectivity settings (Knox 3.4 and above devices only)
Select the Advanced Wi-Fi checkbox to display additional NFC beaming options for Knox 3.4 and above supported devices. Options include:
- Refer to the Switch to mobile data setting's On and Off options to use mobile data whenever the current Wi-Fi network is detected as slow or unstable.
- Use the Allow individual apps to switch On and Off options to switch apps to mobile data when a Wi-Fi connection cannot be established.
- Navigate to the Turn on Wi-Fi automatically On and Off options to enable Wi-Fi in places where Wi-Fi has been used frequently.
- Refer to the Detect suspicious networks On and Off options to receive notifications when suspicious activity is detected on the Wi-Fi network.
- Use the Wi-Fi power save mode On and Off options to reduce battery consumption by analyzing Wi-Fi traffic patterns.
- Navigate to the Hotspot 2.0 On and Off options to connect to Hotspot 2.0 supported access point resources without a password requirement.
The following are the device setting options available to phone and tablet devices:
- Locale — Select the language and country utilized by default for the device.
NOTE—The language and country pair chosen in the KC profile must be a language and country combination that is supported by the device. If not, it could result in a configuration error. You can check which language and country combination is supported in the language menu of your device settings.
- Time zone — Keep current settings or select the appropriate timezone for devices.
- Automatic Time Update — Set the device to automatically update its time and date information from a network resource.
- Keyboard - Select Customize keyboard options to enable the Predictive mode and Keyboard settings options. Once enabled, the predictive mode and keyboard settings options function independent from one another, so there are no constraints on using these options together.
- Predictive mode - Turn predictive mode On or Off as needed. Predictive mode attempts to complete a word on behalf of the user based on the initial characters entered when forming a word. This setting is only available on devices running Knox version 2.7.1 and above.
- Add keyboards - Add up to 5 third party keyboard on devices managed by Knox Configure using the Add keyboards setting. The appropriate keyboard application must also be installed on the device to be added successfully using Knox Configure.
- Hide Settings menu/elements - Hide the following items from the device settings menu:
- Backup and Reset
- Airplane mode
- Lock screen and security (Lock screen)
- Show the touch sensitivity in the quick panel — Provide an option for the user to change the touch sensitivity settings when utilizing the settings pane.
- Developer settings
- Disable USB debugging mode - When selected, developers cannot receive debugging information from their device or use ADB to push content or files to the device.
- Default USB debugging mode - Turn USB debugging mode On or Off by default or use the current setting as the default.
- Disable OMC mode - Prevent the device from being customized by a source other than Knox Configure (i.e. Open Market Customization).
- Power on the device when connected to a power source — Set devices to automatically power on when connected to a power source.
- Power off the device when disconnected from a power source - Select this option to automatically power off a device when disconnected from its power source. If a device is disconnected from a power source during startup, it will automatically shutdown even though its not connected to power. This feature only works when the device already powered and booted.
- Extend battery life by limiting the maximum charge when connected to a power source - Select this option to provide a maximum charge setting of 85% to avoid issues with keeping a tablet on its charger too long. When selected, a tablet device will stop charging once it reaches 85% of total available charge.
Refer to this portion of the Device settings profile configuration screen to remap hardware keys to launch a specified application, using either a long or short press action. Additionally, customizable hot key remapping combinations are also supported. For instance, launch one app with a short press action and another app with a long press action. When needed, select an available template for hot key mapping based on the intended key mapping configuration.
To remap hardware keys:
- Refer to the Remap hardware keys (XCover Pro and Tab Active series only) portion of the screen and select the ADD CONFIGURATION button.
- Use the Key mapping template drop-down menu to either select Microsoft Teams, to use a template with preconfigured settings, or Custom to create a unique custom key mapping configuration. The Microsoft Teams template provides a single click option to enable walkie talkie functionality with Microsoft Teams for XCover Pro and Tab Active series devices.
Set the following custom key mapping configuration:
- Key name — Specify whether the device's XCover key or Top key will launch the specified application using either a short or long button press.
- Key press type — Select whether a Short press or Long press hardware key press launches the selected application.
- Action type — Select either Launch application or Launch and exit as the action resulting from the specified short or long Key press type.
- Application package name — Correctly provide the package name launched by the selected XCover Pro or Tab Active series key and the selected key press type and action.
- Select DONE to save this particular key mapping configuration and optionally repeat this process to define additional key mapping configurations.
- When completed, review the configurations customized for specific key mapping templates, keys, key press types, actions, and applicable packages.
Language and input
Select the Language and input checkbox to display additional keyboard utilization settings for Knox 3.4 and above supported devices.
Refer to the Show keyboard button options to display a keyboard button on the device navigation bar for an easier toggle between mobile device keyboard resources. Once set, refer to the Allow user to change setting option to either Allow device user keyboard changes, Do not allow user changes or Do not allow and hide setting from user.
Select the Text-to-speech checkbox to display speech engine, pitch, and speech rate settings for Knox 3.4 and above supported devices.
- Refer to the Preferred engine drop-down menu to specify whether the Samsung text-to-speech Engine or Google Text-to-speech Engine is utilized as the speech recognition engine for text-to-speech conversion.
- Use the Pitch slider to set the text-to-speech pitch rate in the range of 25-400.
- Use the Speech rate slider to define the text-to-speech rate conversion used by the speech recognition engine. The setting is defined in the range of 10-600.
To set biometric device restrictions (facial recognition, fingerprint scanner and iris scanner) on supported models running Knox version 2.9 or higher: go to: Security settings.
- ALL — Disable all of the settings listed under Device functionality.
- Prevent end users from using the camera.
- Prevent video recording if the camera is enabled.
- Prevent end users from capturing the screen.
- Prevent end users from using the microphone.
- Prevent audio recording if the microphone is enabled.
- Prevent end users from receiving SMS
- Prevent end users from sending SMS
- Prevent end users from receiving MMS
- Prevent end users from sending MMS
- Prevent end users from using the clipboard.
- Prevent end users from accessing the Settings menu.
- Prevent end users from using 2nd SIM slot
Disable hardware keys
Enable or disable the following device hardware key functions as needed for this particular profile and its deployment objectives:
- ALL - Disables all hardware key functions.
- Volume up - Turn off Volume up hardware key functionality, rendering the device incapable of increasing its volume.
- Volume down - Turn off Volume down hardware key functionality, rendering the device incapable of decreasing its volume.
- Home - Disables the device's capability of returning to the home screen.
- Power - Disables the device's power key.
The following security settings enable an IT admin to restrict specific access and storage capabilities to reduce vulnerabilities. For information on disabling biometric authenticators (fingerprint scanner, iris scanner, and facial recognition) on supported device models running Knox 2.9 or higher, go to: Security settings.
- ALL - Disables all of the settings listed under Security.
- Disable SD card access - Prevents the device from reading data from a SD card or writing data to a SD card.
- Disable Software Updates (Firmware updates via Wi-Fi and Mobile networks). - Prevents the device from displaying software update notifications. Even if users have enabled automatic updates, these update packages will not downloaded to the device.
- Disable factory reset - Prevents a user from factory resetting their device. When factory reset, Wi-Fi, and mobile data is disabled in Knox Configure. Consequently, the device is no longer able to update the profile they are enrolled in, and are unable to unenroll if need be. The device requires a network connection be re-established to receive updates and changes from Knox server resources.
- Disable device power off for users. - Prevents the user from turning the device off. The device will only turn off if you disable this setting or if the battery level is critically low.
- Disable Multiple user mode. - Prevents more than one user account from being created.
- Disable Safe mode. - Safe mode prevents the device from running third-party apps. Select this option to prevent users from enabling Safe mode.
USB device restrictions
Set the following device USB restrictions for profile data security over the USB interface:
With Knox 2.9 and above supported devices using a dynamic edition profile, IT admins can additionally define which particular USB restriction classes to enable or disable for a profile.
- Disable USB Media Transfer Protocol (MTP) - MTP is a protocol that enables media files to be transferred automatically to and from mobile devices.
- Disable USB host storage - Selecting this option disables USB host storage in its entirety. Individual USB classes cannot be disabled is this option is selected.
- Disable the following USB classes - Select this option to disable specific USB classes (Audio, CDC data, Communications, Human interface device, Mass storage, Miscellaneous, Still image, Vendor specific, and Wireless Controller). Select Show Examples to review the USB data classes impacted with each checkbox option. If Disable USB hoist storage is selected, individual USB classes cannot be disabled.
Set the following roaming settings for this device profile and its data protection requirements:
- ALL — Disables all of the settings listed under Roaming.
- Prevent end users from using mobile data while roaming.
- Prevent end users from syncing while roaming.
- Prevent end users from receiving WAP push messages while roaming. — WAP messages direct users to web pages.
- Prevent end users from making voice calls while roaming.
Set the following data tethering settings to define how the profile shares Internet connection information with other mobile devices:
- ALL - Disables all of the settings listed under Tethering.
- Prevent end users from using Bluetooth tethering.
- Prevent end users from using USB tethering.
- Prevent end users from using Wi-Fi tethering.
Refer to the Security setting screen to disable some or all of the biometric authentication settings available to supported devices. To restrict end users from using other (non biometric) device functions, go to: Restrictions.
- ALL - Select All to disable fingerprint recognition, iris scanner and facial recognition device user authenticators
- Disable Fingerprint scanner - Disables a device's ability to use its fingerprint scanner as a user authenticator option
- Disable Iris scanner - Disables a device's ability to use its optical iris scanner as a user authenticator option
- Disable Face recognition - Disables a device's ability to use its facial recognition capability as a user authenticator option
- Disable password visibility when typing - Select this option to prohibit the display of the password characters when entering them on the mobile device.
Additional Security settings (Knox 3.4 and above devices only)
Select the Location checkbox to display additional Wi-Fi and Bluetooth scanning settings for Knox 3.4 and above supported devices. Once these options are set, refer to the Allow user to change setting option to either Allow device user password visibility changes, Do not allow user changes or Do not allow and hide setting from user.
- Wi-Fi scanning - Enable this setting to let applications use Wi-Fi for more efficient location detection, even when Wi-Fi is turned off.
- Bluetooth scanning - Enable this setting to let applications use Bluetooth for more efficient location detection, even when Bluetooth is turned off.
Other security settings
Select the Other security settings checkbox to display password visibility settings for Knox 3.4 and above supported devices. Select On to make password characters briefly visible as they are typed and hides them shortly thereafter. Selecting Off disables the feature. Once set, refer to the Allow user to change setting option to either Allow device user password visibility changes, Do not allow user changes or Do not allow and hide setting from user.
An Access Point Name (APN) is the gateway between a carrier providing 2G, 3G, or 4G mobile network service and the mobile device. Devices must be configured with the correct APN information to establish data connectivity. Only a single APN resource is available at one time, though an identical APN configuration with the same parameters can be defined.
If adding or editing an APN resource, provide the following configuration details:
Set as preferred APN - Select this option to make this APN the preferred Access Point resource supporting your device. This option is disabled by default.
- APN (Access Point Name)
- MCC (Mobile Country Code)
- MNC (Mobile Network Code)
- Authentication type
- None - No user credential validation exchanges are attempted.
- PAP - The Password Authentication Protocol (PAP) uses a static username and password for authentication purposes.
- CHAP - The Challenge Authentication Protocol (CHAP) creates a unique "challenge phrase" for each authentication attempt instead of using a standard username or password.
- PAP or CHAP
- APN Protocol
- IPv4/IPv6 - Both IPv4 and IPv6 formatted IP addresses are supported for the APN resource.
- APN roaming Protocol - Select whether the device should use an IPv4, IPv6 formatted network or both as a roaming protocol.
- Mobile virtual network operator type - Use the drop-down menu to select the appropriate mobile virtual network operator type (MVNO) allowing an APN configuration to be restricted when using particular MVNOs or subscriber accounts. Without the MVNO setting, custom defined APN configurations are selected according to MCC and MNC only, which specifies the mobile network a mobile device subscribes to, but not the particular retailer or reseller, or account on a network. Drop-down MVNO menu options include None, SPN (Service Provider Name), IMSI (International Mobile Subscriber Identity), or GID (Group Identifier Level 1). When a value other than None is selected, a MVNO value is also required.
- Mobile virtual network operator value - Set the value that either matches service provides name (SPN), the unique subscriber account (IMSI) or global identifier level 1. The MVNO value is not required if the MVNO type is set to None.
- MMS Proxy
- MMS Port
The Shared Devices feature allows multiple users to have their own profile, apps, and files on a single device. Users can log in with Active Directory credentials. Users cannot access data and settings for other users' profiles. A shared device configuration is optional and not required for profile creation in Knox Configure. For more information, go to: About Knox Configure shared devices.
- Select Enable Shared Device to upload the shared device agent on to the device.
- Choose Select button, and upload a Background image to display for the Shared Device login screen.
- Samsung recommends the Samsung Kerberos SSO authenticator for validating shared devices. Select the Enable Kerberos SSO checkbox to upload the Samsung Kerberos Authenticator for shared device validation. Optionally use the Upload XML configuration file setting to select and upload a XML formatted file. If you do not have a properly formatted configuration file, select Click here for sample XML file to display a sample file you can use for reference.
- Set the following Enterprise branding information to set shared device organizational logos and company name branding:
- Choose the Select button and set a Company logo to display on the shared device(s). Ensure the file utilized adheres to the listed image requirements and recommended dimensions.
- Enter a Company name for shared device utilization does that not exceed the 20 character maximum.
Devices supporting Knox version 2.9 or above support additional shared device configuration options not supported in earlier Knox versions. To set a shared device configuration on devices running Knox version 2.9 or above:
- Enable the Shared Device option to upload the required shared device agent to the device. Shared Device must be enabled to set the remaining options.
- Enter the AD domain name of the corporate Active Directory provisioning shared device accounts. When powering on, shared device users receive a prompt to log in with the credentials for this Active Directory domain. A successful login is required to access shared device resources.
- Choose Select, and upload a Background image for the Shared Device login screen. The selected image overwrites the image set in the Home and Lock screen field.
- Set the following Enterprise branding information to provide shared device organizational logos and company name:
- Choose the Select button and set a Company logo for shared device branding. Ensure the file utilized adheres to the listed image requirements and recommended dimensions.
- Enter a Company name (max. 20 characters) for shared device utilization does that not exceed the 20 character maximum.
- Set a Screen timeout (minutes) to define the maximum amount of time a shared device can remain idle before password credentials must be re-entered to resume access. The default setting is 120 minutes if left unspecified.
- Set a Maximum allowed screen lock attempts reached threshold to limit the number of failed lockscreen attempts permitted by shared devices. The default setting is 5 attempts if left unspecified.
- Select applications to prevent data clearing to add shared device application packages that are retained, and not cleared, once shared device mode is disabled. Select Add to include additional applications, or X to remove a selected package.
- Enable Kerberos SSO to upload Samsung's recommended Kerberos authenticator to the device.
Use Enterprise Billing to separate billing between enterprise apps and personal apps. The Knox Configure client will ignore E-billing configurations on devices running the Android Q version operating system and above. The Knox Configure console provides a warning for now unsupported status of E-billing on the Q version operating system.
Provide the following information:
- Profile name
- Applications in Personal mode - Enter the package names of apps used for business. Your enterprise is responsible for data costs incurred by these business apps.
- Roaming - Turn on to enable users to connect to data while roaming.
- APN1 - Add multiple APN resources if your device users have different service providers. The first applicable APN resource will be used by Enterprise Billing based on their service provider.
- If necessary, select CLEAR BILLING PROFILE & REVERT TO DEFAULT APN to use the default APN resource configuration.
For information on adding DeX mode support to a profile (either a Setup or Dynamic edition profile), go to: DeX mode support.
Devices supporting Knox version 3.4 and above have an additional set of advanced features configurable for a Setup edition profile. Each can be separately enabled
Enable Motions and gestures to display the following additional Advanced features for the Knox 3.4 or above supported profile. Each of the following can be turned On or Off for the profile, and has a separate drop-down menu to either Allow, or Do not allow device user changes or Do not allow and hide setting from user.
- Smart stay - When enabled, the screen remains unlocked as long as the device camera can detect your eyes looking at the screen. When you put the phone down or look away, the device will turn off based on the screen's current timeout settings.
- Smart alert - When enabled, smart alert informs the device user of missed calls and text messages by vibrating the phone when its picked up.
- Easy mute - When enabled, easy mute allows you to mute incoming calls and alarms by placing your hand on the screen. On Galaxy S8, S8+, S7 and S7 edge platforms you cam also mute calls and alarms by placing the phone face down on a flat surface.
- Palm swipe to capture - When enabled, this feature allows you swipe your hand across the device screen to capture the current device display. Once captured, the image resides in the screenshots album/folder in the gallery.
- Swipe to call or send messages - When enabled, this feature allows you to call or send messages by swiping your finger across a contact's information in the phone or address book.
On the left, review the settings configured for each category. Optionally select the General information and Additional EULA tabs to review the information entered. If you want to make any changes, click Back. Once you have verified the settings are correct, click Submit. Select Back to top from the lower, right-hand, side of a screen to navigate back to the top of that respective screen. Select the DOWNLOAD PROFILE SUMMARY AS A PDF option to archive the profile summary settings in PDF for potential re-use in creating profiles for other accounts.