Basics
The Knox Ecosystem
White Paper
- Introduction
  - The Samsung Knox Platform
  - Feature Summary
- Core Platform Security
- Network Security
  - Virtual Private Networks
  - Network Platform Analytics
- Certificate Management
- Device Management
- User Authentication
  - Biometric Authentication
- App and Data Protection
- Appendix
Samsung Knox Portal
Knox Cloud Services
- Sign in with SSO
General Knox Support
Knox Licenses
For IT admins
Knox Admin Portal
- About
- Introduction
  - Select Knox services
- Features
- Knox Remote Support
- Release notes
Knox Suite
- Introduction
- How-to videos
- Get started
- Learn more about Knox Suite
- Enterprise Edition devices
- FAQ
- KBAs
Knox Platform for Enterprise
- Introduction
- How-to videos
- Before you begin
  - Before you begin
  - User agreements for Android device management
- Get started with UEMs
- Knox Service Plugin
- Release notes
- Migrate to Android 11
  - Device management modes
  - Prepare Knox for Android 11
- FAQs
- Troubleshoot
  - Get device logs
- KBAs
Knox Mobile Enrollment
- Introduction
- Get started
- Features
- Release notes
- FAQ
- Troubleshoot
  - Get support
- KBAs
- On-Premise
Knox Configure
- Mobile
- Wearables
- Shared Device
- FAQ
- KBAs
Knox Capture
- Introduction
- How it works
- How-to videos
- IT admins: Get started
- End users: Get started
  - Getting started with Knox Capture
- Features
- Release notes
- FAQ
- KBAs
- Troubleshoot
Knox Asset Intelligence
- Introduction
- Get started
- Set up reported device data
- Features
- Troubleshoot
  - Device-side errors
  - Portal-side errors
- Real-time location service
- Release notes
- FAQ
- KBAs
Knox Manage
- Introduction
- How-to videos
- Get started
- Configure
- Monitor
- Kiosk devices
- Knox Remote Support
- Active Directory
- Microsoft Exchange
- Mobile Admin
- Appendix
- Release notes
- Features
- FAQ
- KBAs
Knox E-FOTA
- Introduction
- How-to videos
- Get started
- Features
- EMM integration
- Appendix
  - Install an app to devices through an EMM
  - EMM compatibility matrix
- Release notes
- FAQ
- KBAs
- Troubleshoot
- Knox E-FOTA On-Premises
- Legacy Knox E-FOTA products
  - Knox E-FOTA Advanced
  - Knox E-FOTA on MDM
Knox Guard
- Introduction
- How-to video
- Get started
- Using Knox Guard
- Release notes
- FAQ
- KBAs
- Support
Samsung Care+ for Business
- Introduction
- Get started
- Submit claim
- Features
- Release notes
- FAQ
- KBAs
For Knox Partners
Knox Deployment Program
Knox MSP Program

Android Enterprise device commands

The available commands for a device vary based on its management mode. For fully managed with work profile devices, you can select either the whole device or just the work profile as the recipient of the command.

Device

Device command	Description	Supported system
Apply Latest Profiles	Pushes and applies the latest profile and app information to the device.	Android 6 and higher Shared device Non-shared device
Enable EAS (Samsung Email App Only)	Allows using Exchange ActiveSync for Samsung Email app.	Work profile — Android 6 and higher
Disable EAS (Samsung Email App Only)	Disallows using Exchange ActiveSync for Samsung Email app.	Work profile — Android 6 and higher
Lock Device	Locks the device. You can enter a reason for locking the device and a phone number to contact when the device is lost. The information you provide when sending a lock device command shows on the screen of the locked device. The following characters aren't supported in the lock screen message: \, ", [, and ].	Non-Samsung device — Android 6–8 Samsung device — Android 6 and higher Non-shared device
Unlock Device	Unlocks the device.	Non-Samsung device — Android 6–8 Samsung device — Android 6 and higher Non-shared device
Lock Screen	Locks the device screen. If the device's screen is password-locked, then the user needs to enter the password to access the device again.	Android 6 and higher Non-shared device
Lock SIM PIN	Places a lock on the SIM card's PIN to prevent the use of the SIM card on another device. To lock a SIM PIN, enter the current SIM PIN and then enter a new PIN. If the locked SIM card is registered to another device, the device is locked and the user must enter the new PIN to unlock it.
Unlock SIM PIN	Removes the lock placed on a SIM card's PIN. To unlock a SIM PIN, enter the current PIN that was applied through Knox Manage, and then enter the initial (default) SIM PIN. You can find the current PIN on the Device Details page > Network tab > SIM PIN applied by KM.	Android 6 and higher
Factory Reset	Performs a factory reset on the device and changes the device status to Unenrolled. Initialize SD Card when factory reset — Select to initialize the SD card during the factory reset. Deactivate Factory Reset Protection — This option is only available when the profile is applied with the Factory Reset Protection policy or when you send the command to multiple devices. Click the check box to perform a factory reset without the Factory Reset Protection policy.	Android 6 and higher Non-shared device
Power Off Device	Turns off the device.	Non-Samsung device — Android 10 and higher Samsung device — Android 6 and higher Non-shared device
Reboot Device	Reboots the device.	Android 6 and higher Non-shared device
Reset Screen Password	Resets the lock on the device. For devices running Android 8 and higher, the user must set a new lock before they can continue operating the device. For devices running Android 6–7.1.2, a temporary password is set on the device. After resetting the lock, you must deliver the temporary password to the device user, after which they can set a new personalized lock. For full details about this temporary password process, see How to reset the lock on a device. CAUTION — The device user can skip setting a new lock and continue using the temporary password indefinitely, which is a potential security risk. If possible, encourage them to set a new password. This command fails to take effect if the device meets all of these conditions: Fully managed FBE device Locked Running Android 9	Android 6 and higher
Reset SD Card	Initializes the external SD card of the device. NOTE — For devices with the External SD Card policy is set to Disallowed in the profile, you can't reset the SD card using the device command, because the policy takes a higher priority than the device command.	Android 6 and higher
Reset Data Usage	Resets data usage among the Android device's inventory information: All network traffic Wi-Fi traffic	Non-Samsung device — Android 10 and higher Samsung device — Android 6 and higher
Reset Number of Calls	Resets the number of calls and number of missed calls from the Android device's inventory information.	Android 6 and higher
Delete a CA Certificate	Deletes certificates installed by Knox Manage. You can select a certificate to delete.	Android 6 and higher
Delete a User Certificate	Deletes certificates installed by the administrator. You can select a certificate to delete.	Android 6 and higher
Delete a User Install Certificate	Deletes all the certificates installed by the administrator.	Android 6 and higher
Delete a Work Profile CA Certificate	Deletes certificates installed by Knox Manage to the work profile. You can select a certificate to delete.	Android 6 and higher Shared device
Delete a Work Profile User Certificate	Deletes certificates installed by the administrator to the work profile. You can select a certificate to delete.	Android 6 and higher Shared device
Delete a Work Profile User Install Certificate	Deletes all the certificates installed by the administrator to the work profile.	Android 6 and higher Shared device

Application

Device command	Description	Supported system
Install or Update App	Installs or updates an app on the device. If the device user has uninstalled the app, then the app can't be re-installed by this command. On the Request Command page, select an app to be installed or updated. NOTE — The app installation allowlist and blocklist policy take precedence over this command. If an app is blocked, then this command can't install it.	Android 6 and higher Shared device Non-shared device
Run App	Runs an app on the device. IMPORTANT — The app installation allowlist and blocklist policy take precedence over this command. If an app is explicitly allowed, then this command can't uninstall it.	Android 6 and higher Shared device
Uninstall App	Deletes an app from the device. IMPORTANT — The app installation allowlist and blocklist policy take precedence over this command. If an app is explicitly allowed, then this command can't uninstall it.	Android 6 and higher Shared device Non-shared device
Apply Latest internal App Information	Sends the latest internal app information and updates the device according to the information.	Android 6 and higher
Delete App Data	Delete an app's data from the device.	Android 6 and higher Shared device Non-shared device

Work Profile Controls

Device command	Description	Supported system
Reset Work Profile Password	Initializes the work profile lock, if available. The device user must set a new lock before they can access work profile apps.	Android 6 and higher Shared device
Lock Screen	If the work profile has a lock separate from the personal profile, it locks. The next time the device user accesses a work profile app, they must unlock the work profile before they can continue.	Android 6 and higher Shared device

Device command

Description

Supported system

Reset Work Profile Password

Initializes the work profile lock, if available. The device user must set a new lock before they can access work profile apps.

Android 6 and higher

Shared device

Lock Screen

If the work profile has a lock separate from the personal profile, it locks. The next time the device user accesses a work profile app, they must unlock the work profile before they can continue.

Android 6 and higher

Shared device

Knox Manage

Device command	Description	Supported system
Push Notification	Sends an emergency message to the device. The message icon shows on the status bar of the device. You can set a push notification message of up to 80 characters. On the Push Notification page, enter the title and content of the message. You can also select between Notification and Pop up for the send type. NOTE If the device is locked, you must unlock it to view popup pages. Popup pages may not show on work profile devices running Android 10 and higher.	Android 6 and higher Shared device
Unenroll Device	Unenrolls a selected device on the device list.	Android 6 and higher Shared device Non-shared device
Update License	Updates the license of a selected device on the device list.	Android 6 and higher Non-shared device
Update Knox Manage Agent	Updates the Knox Manage agent on the device for a new patch or version. The agent information registered in the Knox Manage server is sent to the device, which then selects the appropriate agent to request installation files from the server.	Android 6 and higher Non-shared device
Update User Information	Updates the device user information, such as the user activation status/username/user settings (Knox Browser website URL information, bookmark information) and license information. If the user is logged out from the enrolled device, you can send this device command to enable the user to log in to Knox Manage automatically.	Android 6 and higher Shared device
Lock Screen of Knox Manage Agent	Locks the Knox Manage agent. When the agent is locked, the device user must enter the agent's password that was configured during enrollment. If the user forgets the password, you can send the Delete Account command to sign the user out. Then, they can reset the password upon sign in.	Android 6 and higher
Unlock Knox Manage Agent	Unlocks the Knox Manage agent.	Android 6 and higher
Delete Account	Deletes the account registered in the Knox Manage agent.	Android 6 and higher Shared device
Exit Kiosk	Exits Kiosk mode without unenrolling the device. You can find the status of the kiosk on the Knox Manage console, on Device Details page > Security tab.	Android 6 and higher
Exit non-shared device mode	Disables the sign-in screen of non-shared mode, allowing the device's primary account to be used.	Android 6 and higher Non-shared device
Convert License	Convert the device's Knox Manage license to a Knox Suite license.	Android 6 and higher Non-shared device
Collect Audit Log	Collects the Knox Manage audit logs of the device. When the log size exceeds the maximum size, logs are automatically sent to the server, but the log file may be lost. For more detailed information, see View the audit list.	Android 6 and higher Shared device Non-shared device
Collect Device Log	Gathers the log data from the device.	Android 6 and higher Shared device
Collect Diagnosis Information	Gathers the device log to diagnose the cause of a device lock. NOTE — Personally identifiable or sensitive information is masked.	Android 6 and higher Shared device Non-shared device
Collect Bug Report	Collect the device's bug report, also known as dumpstate logs. The device user is then prompted to send the report, and they can choose whether to send it. You can view the bug report by selecting the device and viewing its device log. Alternatively, you can go to History > Device Log and select the relevant device.	Android 6 and higher Non-shared device
Reset Push Token	Creates and registers a new Firebase Cloud Messaging (FCM) token for the Knox Manage agent on the device. Use this command in scenarios where the device can't receive push notifications, which typically occurs when the token changed on the Knox Manage server and the device was unable to sync it.	Android 6 and higher Non-shared device
Register Managed Google Play Account	Assigns the Managed Google Play Account associated with your tenant to the device. Use this command if the Managed Google Play Account wasn't registered on the device during enrollment.	Android 6 and higher
Play Alarm Sound	Sounds an alarm on the device until the device user takes action. On a non-kiosk device, the alarm is accompanied by a push notification from the Knox Manage agent. On a kiosk, it's accompanied by a popup. The alarm sounds regardless of the device's mute and vibration settings.	Android 6 and higher
Reapply KSP Wi-Fi Configurations	Syncs all Wi-Fi configurations defined by Knox Service Plugin policies. This command is helpful in situations where the device user has removed a configured Wi-Fi network from the network settings.	Android 6 and higher
Check Out User	Forces the user session to end on a shared device.	Android 6 and higher Shared device

Device Info Sync

Device command	Description	Supported system
Collect HW Status	Gathers the latest hardware information from the device.	Android 6 and higher Shared device
Collect current location	Gathers current location data from the device.	Android 6 and higher Shared device
Sync Device Information	Updates the inventory and app information on the device.	Android 6 and higher Shared device Non-shared device
Sync Installed App List	Pulls the device's app list.	Android 6 and higher Shared device Non-shared device
Authenticate SIM Card	Authenticates the SIM card on the device.	Android 6 and higher
Authenticate SD Card	Authenticates the external SD card on the device.	Work profile — Android 6 and higher
Attestation	Checks if the device's OS is compromised. The result of the check can be found in the device details.	Android 6 and higher
SafetyNet Attestation	Initiates a SafetyNet Attestation check, which evaluates the integrity of the hardware and software of the device. The specifics of the evaluation depend on the device's Android version. The result of the evaluation can be found in the device details.	Android 6 and higher Shared device