SIM control policy
Last updated June 4th, 2026
This feature is only available upon request. Please contact your Knox Guard admin.
The SIM control policy allows you to configure a default group of settings that restrict SIM functionality or lock devices with unlisted SIM cards.
Each mobile device carrier has its own unique MCC and MNC pair. SIM cards that match the MCC and MNC pairs allowlisted using this policy can be used without restrictions. You can list a maximum of 50 MCC and MNC pairs.
For dual-SIM devices, restrictions only apply to the unlisted SIM card. Up to a maximum of 10 SIM control policies can be set.
To update this policy for select devices, see Enable and disable SIM control.
Set a default SIM control configuration
To set a default SIM control configuration:
- Navigate to the Policies page.
- Under ADVANCED CONTROLS, click SIM CONTROL.
- Enter a Policy name.
- Enter the MCC, MNC, and GID1 (Optional) numbers to allowlist.
- If desired, configure your SIM control restrictions for unlisted SIM cards:

| Restriction | Result |
| --- | --- |
| Make outgoing calls | Restricts the device's ability to make phone calls. |
| Receive incoming calls | Restricts the device's ability to receive phone calls. |
| Send or receive SMS/MMS/RCS | Restricts the device's ability to send and receive text messages. |
| Data usage | Prevents apps on the device from consuming mobile data. |
| Check the insert allowed SIM (Apply it when the allowed SIM is inserted) | If the device is dual-SIM and an allowed SIM card is present, allows the other SIM to use restricted features. You can select which features to allow. |
| Apply the above restrictions when international roaming is in use | Restricts the device's phone, text, and data usage when connecting to a mobile network in a country other than the device's original country of deployment. This setting applies to restricted SIMs in a dual-SIM device only. |
| RESTRICTED ACTION NOTIFICATION | If you've configured restrictions for devices with unlisted MCC/MNC numbers, this notification appears when an unsupported SIM card is inserted. Enter a Title and Message that clearly states why restrictions were applied, and what action(s) device users can take to remove these limitations. |
| Lock device | Locks the device in order to prevent the usage of unlisted SIM cards. |
The available Lock device sub-settings are:
- Turn on network registration verification: Validates that a blocked SIM card is not being misused by verifying that the connected network matches the allowlisted networks (via MCC/MNC).
- Locked device message: Message that displays on devices locked by the SIM control policy. Your message should clearly state why the device was locked, and what action(s) device users should take to unlock their device.
- Block incoming calls when device is locked: You can add phone numbers that are allowed to call.
- Allow PIN Code unlock: Allows the SIM locked device to be unlocked using a PIN. For more information, see Lock and unlock devices.
- Click SAVE.
Delete SIM control policy
You can only delete a policy if it isn’t currently applied to any device.
To delete a SIM control policy:
- Navigate to the Policies page.
- Under ADVANCED CONTROLS, select SIM CONTROL.
- Click the X next to the SIM control policy you want to delete.

This document was updated for the Knox cloud services 26.06 UAT.
This feature is only available upon request. To use this feature, contact your Knox Guard admin.
The SIM control policy allows you to configure a default group of settings that restrict SIM functionality or lock devices with unlisted SIM cards.
How SIM control works
Each mobile device carrier has its own unique Mobile Country Code (MCC) and Mobile Network Code (MNC) pair. Any physical or digital SIMs that match the MCC and MNC pairs allowlisted using this policy can be used without restrictions.
If the device’s SIM doesn’t match any of the allowlisted pairs, Knox Guard applies restrictions configured using this policy to this device. For dual-SIM devices, restrictions only apply to the unlisted SIM.
When configuring the SIM control policy, you can allowlist up to 50 MCC and MNC pairs, and configure up to 10 SIM control policies.
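An added example (not Knox Guard code and not part of the original page): a pre-rollout check in Python that validates a planned allowlist against the 50-pair limit and predicts which SIM slots in a device inventory would count as unlisted. Deriving MCC/MNC from the IMSI prefix, the function names, and the sample IMSIs are assumptions made for this sketch.

```python
import re

MAX_PAIRS = 50  # limit stated on this page: up to 50 MCC/MNC pairs

def validate_allowlist(pairs):
    """Check the format and size of a planned allowlist; return it as a set."""
    cleaned = set()
    for mcc, mnc in pairs:
        if not (re.fullmatch(r"\d{3}", mcc) and re.fullmatch(r"\d{2,3}", mnc)):
            raise ValueError(f"need 3-digit MCC and 2- or 3-digit MNC: {(mcc, mnc)!r}")
        cleaned.add((mcc, mnc))
    if len(cleaned) > MAX_PAIRS:
        raise ValueError(f"{len(cleaned)} pairs exceeds the limit of {MAX_PAIRS}")
    return cleaned

def sim_is_allowlisted(imsi, allowlist):
    """Assumption: MCC/MNC are read from the IMSI prefix (3-digit MCC, then MNC).
    The IMSI does not encode the MNC length, so both splits are tried."""
    if not re.fullmatch(r"\d{6,15}", imsi):
        return False
    return (imsi[:3], imsi[3:5]) in allowlist or (imsi[:3], imsi[3:6]) in allowlist

def audit_device(slots, allowlist):
    """Map each slot to 'empty', 'unrestricted' or 'restricted' (unlisted SIM only)."""
    status = {}
    for slot, imsi in enumerate(slots):
        if imsi is None:
            status[slot] = "empty"
        else:
            listed = sim_is_allowlisted(imsi, allowlist)
            status[slot] = "unrestricted" if listed else "restricted"
    return status

def affected_devices(fleet, allowlist):
    """Return the device IDs that have at least one restricted slot."""
    return sorted(d for d, slots in fleet.items()
                  if "restricted" in audit_device(slots, allowlist).values())

# Constructed sample data: test-range MCCs, not real carriers or devices.
ALLOWLIST = validate_allowlist([("001", "01"), ("999", "990")])
FLEET = {
    "dev-A": ["001010123456789", None],               # one listed SIM
    "dev-B": ["001010000000001", "999020000000002"],  # listed + unlisted
    "dev-C": ["999990123456789"],                     # matches on 3-digit MNC
}

if __name__ == "__main__":
    print("affected:", affected_devices(FLEET, ALLOWLIST))
```

Because both splits are tried, a 2-digit MNC entry also matches IMSIs whose 3-digit MNC starts with the same digits, so review such matches by hand before relying on the result.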
To apply SIM controls to a device, you must:
- Configure your tenant-wide SIM control policy settings.
- Enable SIM controls on a device using device actions, or through bulk actions.
- To update or switch the policy applied to a device, you must disable, then re-enable the SIM control policy.
Set the SIM control policy
To set a SIM control configuration:
- Navigate to the Policies page.
- Under ADVANCED CONTROLS, click SIM CONTROL.
- Enter a Policy name.
- Enter the MCC, MNC, and GID1 (Optional) numbers to allowlist.
- If desired, configure your SIM control restrictions for unlisted SIM cards:

| Restriction | Result |
| --- | --- |
| Make outgoing calls | Restricts the device's ability to make phone calls. |
| Receive incoming calls | Restricts the device's ability to receive phone calls. |
| Send or receive SMS/MMS/RCS | Restricts the device's ability to send and receive text messages. |
| Data usage | Prevents apps on the device from consuming mobile data. |
| Check the insert allowed SIM (Apply it when the allowed SIM is inserted) | If the device is dual-SIM and an allowlisted SIM is present, permits the other SIM to use restricted features. You can select which features to allow. |
| Apply the above restrictions when international roaming is in use | Restricts the device's phone, text, and data usage when connecting to a mobile network in a country other than the device's original country of deployment. This setting applies to restricted SIMs in a dual-SIM device only. |
| RESTRICTED ACTION NOTIFICATION | If you've configured restrictions for devices with unlisted MCC/MNC numbers, this notification appears when an unsupported SIM is inserted. Enter a Title and Message that clearly states why restrictions were applied, and what action(s) device users can take to remove these limitations. |

- To restrict the usage of any device with an unlisted or missing SIM, check Lock device and configure additional restrictions as desired.

| Restriction | Result |
| --- | --- |
| Turn on mobile number (IMSI) lock | If enabled, restricts the device to only one IMSI number. For more information, see the Mobile number (IMSI) lock section. |
| Turn on network registration verification | Validates that a blocked SIM isn't being misused by verifying that the connected network matches the allowlisted networks (via MCC/MNC). |
| Locked device message | Message that displays on devices locked by the SIM control policy. Your message should clearly state why the device was locked, and what action(s) device users should take to unlock their device. |
| Block incoming calls when device is locked | Device users can only receive phone calls from the specified numbers. |
| Allow PIN code unlock | Allows the SIM locked device to be unlocked using a PIN. For more information, see Lock and unlock devices. |

- Click SAVE.
Mobile number (IMSI) lock
In addition to applying restrictions, you can also configure the SIM control policy to restrict devices to a single mobile number (IMSI).

If enabled, each device can only be associated with one IMSI number.
- The device is associated with the IMSI number of the SIM present during Knox Guard activation, or the first SIM added following activation.
- If the device has both a physical SIM and an eSIM, Knox Guard associates the device with the information stored on the physical SIM.
- If the device has two eSIMs, Knox Guard associates the device with the eSIM currently inserted into Slot 0.
The device remains unlocked as long as its designated SIM is inserted. If the designated SIM isn’t inserted, it locks.
Configure IMSI lock settings
To configure your IMSI lock settings:
- Navigate to the Policies page.
- Under ADVANCED CONTROLS, click SIM CONTROL.
- On the SIM control page that opens, select the Lock device box.
- Select the Turn on mobile number (IMSI) lock box. This restricts devices to one IMSI number.
- To customize your IMSI lock settings, on the top-right drop-down, switch to the MOBILE NUMBER LOCK tab.
- Configure your IMSI lock settings:

| Restriction | Result |
| --- | --- |
| Locked device message | Message that displays on devices locked by the IMSI lock. Your message should clearly state why the device was locked, and what action(s) device users should take to unlock their device. |
| Block incoming calls when device is locked | Device users can only receive phone calls from the specified numbers. |
| Allow PIN code unlock | Allows the IMSI locked device to be unlocked using a PIN. For more information, see Lock and unlock devices. |

- Review your CUSTOMER SUPPORT OPTIONS.
  - Contact information: You must provide either a phone number or email address customers can use to contact you.
  - Advanced support options: Review your advanced support settings. You can edit these options using the Lock screen policy.
- Click SAVE.