Menu

Android Enterprise device commands

The available commands for a device vary based on its management mode. For fully managed with work profile devices, you can select either the whole device or just the work profile as the recipient of the command.

Device

Device command Description Supported system
Apply Latest Profiles Pushes and applies the latest profile and app information to the device.

Android 6 and higher

Shared device

Non-shared device

Enable EAS (Samsung Email App Only) Allows using Exchange ActiveSync for Samsung Email app. Work profile — Android 6 and higher
Disable EAS (Samsung Email App Only) Disallows using Exchange ActiveSync for Samsung Email app. Work profile — Android 6 and higher
Lock Device

Locks the device. You can enter a reason for locking the device and a phone number to contact when the device is lost. The information you provide when sending a lock device command shows on the screen of the locked device. The following characters aren't supported in the lock screen message: \, ", [, and ].

Non-Samsung device — Android 6–8

Samsung device — Android 6 and higher

Non-shared device

Unlock Device

Unlocks the device.

Non-Samsung device — Android 6–8

Samsung device — Android 6 and higher

Non-shared device

Lock Screen Locks the device screen. If the device's screen is password-locked, then the user needs to enter the password to access the device again.

Android 6 and higher

Non-shared device

Lock SIM PIN

Places a lock on the SIM card's PIN to prevent the use of the SIM card on another device.

To lock a SIM PIN, enter the current SIM PIN and then enter a new PIN. If the locked SIM card is registered to another device, the device is locked and the user must enter the new PIN to unlock it.

Unlock SIM PIN

Removes the lock placed on a SIM card's PIN.

To unlock a SIM PIN, enter the current PIN that was applied through Knox Manage, and then enter the initial (default) SIM PIN. You can find the current PIN on the Device Details page > Network tab > SIM PIN applied by KM.

Android 6 and higher
Factory Reset

Performs a factory reset on the device and changes the device status to Unenrolled.

Initialize SD Card when factory reset — Select to initialize the SD card during the factory reset.

Deactivate Factory Reset Protection — This option is only available when the profile is applied with the Factory Reset Protection policy or when you send the command to multiple devices. Click the check box to perform a factory reset without the Factory Reset Protection policy.

Android 6 and higher

Non-shared device

Power Off Device

Turns off the device.

Non-Samsung device — Android 10 and higher

Samsung device — Android 6 and higher

Non-shared device

Reboot Device Reboots the device.

Android 6 and higher

Non-shared device

Reset Screen Password

Resets the lock on the device.

For devices running Android 8 and higher, the user must set a new lock before they can continue operating the device.

For devices running Android 6–7.1.2, a temporary password is set on the device. After resetting the lock, you must deliver the temporary password to the device user, after which they can set a new personalized lock. For full details about this temporary password process, see How to reset the lock on a device.

CAUTION — The device user can skip setting a new lock and continue using the temporary password indefinitely, which is a potential security risk. If possible, encourage them to set a new password.

This command fails to take effect if the device meets all of these conditions:

  • Fully managed
  • FBE device
  • Locked
  • Running Android 9
Android 6 and higher
Reset SD Card

Initializes the external SD card of the device.

NOTE — For devices with the External SD Card policy is set to Disallowed in the profile, you can't reset the SD card using the device command, because the policy takes a higher priority than the device command.
Android 6 and higher
Reset Data Usage

Resets data usage among the Android device's inventory information:

  • All network traffic
  • Wi-Fi traffic

Non-Samsung device — Android 10 and higher

Samsung device — Android 6 and higher

Reset Number of Calls Resets the number of calls and number of missed calls from the Android device's inventory information. Android 6 and higher
Delete a CA Certificate Deletes certificates installed by Knox Manage. You can select a certificate to delete. Android 6 and higher
Delete a User Certificate Deletes certificates installed by the administrator. You can select a certificate to delete. Android 6 and higher
Delete a User Install Certificate Deletes all the certificates installed by the administrator. Android 6 and higher
Delete a Work Profile CA Certificate Deletes certificates installed by Knox Manage to the work profile. You can select a certificate to delete.

Android 6 and higher

Shared device

Delete a Work Profile User Certificate Deletes certificates installed by the administrator to the work profile. You can select a certificate to delete.

Android 6 and higher

Shared device

Delete a Work Profile User Install Certificate Deletes all the certificates installed by the administrator to the work profile.

Android 6 and higher

Shared device

Application

Device command Description Supported system
Install or Update App

Installs or updates an app on the device. If the device user has uninstalled the app, then the app can't be re-installed by this command.

On the Request Command page, select an app to be installed or updated.

NOTE — The app installation allowlist and blocklist policy take precedence over this command. If an app is blocked, then this command can't install it.

Android 6 and higher

Shared device

Non-shared device

Run App

Runs an app on the device.

IMPORTANT — The app installation allowlist and blocklist policy take precedence over this command. If an app is explicitly allowed, then this command can't uninstall it.

Android 6 and higher

Shared device

Uninstall App

Deletes an app from the device.

IMPORTANT — The app installation allowlist and blocklist policy take precedence over this command. If an app is explicitly allowed, then this command can't uninstall it.

Android 6 and higher

Shared device

Non-shared device

Apply Latest internal App Information Sends the latest internal app information and updates the device according to the information. Android 6 and higher
Delete App Data Delete an app's data from the device.

Android 6 and higher

Shared device

Non-shared device

Work Profile Controls

Device command Description Supported system
Reset Work Profile Password Initializes the work profile lock, if available. The device user must set a new lock before they can access work profile apps.

Android 6 and higher

Shared device

Lock Screen If the work profile has a lock separate from the personal profile, it locks. The next time the device user accesses a work profile app, they must unlock the work profile before they can continue.

Android 6 and higher

Shared device

Knox Manage

Device command Description Supported system
Push Notification

Sends an emergency message to the device. The message icon shows on the status bar of the device. You can set a push notification message of up to 80 characters.

On the Push Notification page, enter the title and content of the message. You can also select between Notification and Pop up for the send type.

NOTE

  • If the device is locked, you must unlock it to view popup pages.
  • Popup pages may not show on work profile devices running Android 10 and higher.

Android 6 and higher

Shared device

Unenroll Device Unenrolls a selected device on the device list.

Android 6 and higher

Shared device

Non-shared device

Update License Updates the license of a selected device on the device list.

Android 6 and higher

Non-shared device

Update Knox Manage Agent

Updates the Knox Manage agent on the device for a new patch or version.

The agent information registered in the Knox Manage server is sent to the device, which then selects the appropriate agent to request installation files from the server.

Android 6 and higher

Non-shared device

Update User Information

Updates the device user information, such as the user activation status/username/user settings (Knox Browser website URL information, bookmark information) and license information.

If the user is logged out from the enrolled device, you can send this device command to enable the user to log in to Knox Manage automatically.

Android 6 and higher

Shared device

Lock Screen of Knox Manage Agent

Locks the Knox Manage agent.

When the agent is locked, the device user must enter the agent's password that was configured during enrollment. If the user forgets the password, you can send the Delete Account command to sign the user out. Then, they can reset the password upon sign in.

Android 6 and higher
Unlock Knox Manage Agent Unlocks the Knox Manage agent. Android 6 and higher
Delete Account Deletes the account registered in the Knox Manage agent.

Android 6 and higher

Shared device

Exit Kiosk Exits Kiosk mode without unenrolling the device. You can find the status of the kiosk on the Knox Manage console, on Device Details page > Security tab. Android 6 and higher
Exit non-shared device mode Disables the sign-in screen of non-shared mode, allowing the device's primary account to be used.

Android 6 and higher

Non-shared device

Convert License Convert the device's Knox Manage license to a Knox Suite license.

Android 6 and higher

Non-shared device

Collect Audit Log Collects the Knox Manage audit logs of the device. When the log size exceeds the maximum size, logs are automatically sent to the server, but the log file may be lost. For more detailed information, see View the audit list.

Android 6 and higher

Shared device

Non-shared device

Collect Device Log Gathers the log data from the device.

Android 6 and higher

Shared device

Collect Diagnosis Information

Gathers the device log to diagnose the cause of a device lock.

NOTE — Personally identifiable or sensitive information is masked.

Android 6 and higher

Shared device

Non-shared device

Collect Bug Report

Collect the device's bug report, also known as dumpstate logs.

The device user is then prompted to send the report, and they can choose whether to send it.

You can view the bug report by selecting the device and viewing its device log. Alternatively, you can go to History > Device Log and select the relevant device.

Android 6 and higher

Non-shared device

Reset Push Token

Creates and registers a new Firebase Cloud Messaging (FCM) token for the Knox Manage agent on the device.

Use this command in scenarios where the device can't receive push notifications, which typically occurs when the token changed on the Knox Manage server and the device was unable to sync it.

Android 6 and higher

Non-shared device

Register Managed Google Play Account

Assigns the Managed Google Play Account associated with your tenant to the device.

Use this command if the Managed Google Play Account wasn't registered on the device during enrollment.

Android 6 and higher
Play Alarm Sound Sounds an alarm on the device until the device user takes action. On a non-kiosk device, the alarm is accompanied by a push notification from the Knox Manage agent. On a kiosk, it's accompanied by a popup. The alarm sounds regardless of the device's mute and vibration settings. Android 6 and higher
Reapply KSP Wi-Fi Configurations Syncs all Wi-Fi configurations defined by Knox Service Plugin policies. This command is helpful in situations where the device user has removed a configured Wi-Fi network from the network settings. Android 6 and higher
Check Out User Forces the user session to end on a shared device.

Android 6 and higher

Shared device

Device Info Sync

Device command Description Supported system
Collect HW Status Gathers the latest hardware information from the device.

Android 6 and higher

Shared device

Collect current location Gathers current location data from the device.

Android 6 and higher

Shared device

Sync Device Information Updates the inventory and app information on the device.

Android 6 and higher

Shared device

Non-shared device

Sync Installed App List Pulls the device's app list.

Android 6 and higher

Shared device

Non-shared device

Authenticate SIM Card Authenticates the SIM card on the device. Android 6 and higher
Authenticate SD Card Authenticates the external SD card on the device. Work profile — Android 6 and higher
Attestation Checks if the device's OS is compromised. The result of the check can be found in the device details. Android 6 and higher
SafetyNet Attestation Initiates a SafetyNet Attestation check, which evaluates the integrity of the hardware and software of the device. The specifics of the evaluation depend on the device's Android version. The result of the evaluation can be found in the device details.

Android 6 and higher

Shared device