Menu

Android Enterprise device commands

The available commands for a device vary based on its management mode. For Fully Managed with Work Profile devices, you can select either the whole device or just the Work Profile as the recipient of the command.

Device

Device command Description
Apply Latest Profiles Pushes and applies the latest profile and app information to the device.
Enable EAS (Samsung Email App Only) Allows using Exchange ActiveSync for Samsung Email app.
Disable EAS (Samsung Email App Only) Disallows using Exchange ActiveSync for Samsung Email app.
Lock Device

Locks the device. You can enter a reason for locking the device and a phone number to contact when the device is lost. The information you provide when sending a lock device command shows on the screen of the locked device. The following characters aren't supported in the lock screen message: \, ", [, and ].

NOTE — For non-Samsung Android devices, this policy is only supported on Android 8 and lower.
Unlock Device

Unlocks the device.

NOTE — For non-Samsung Android devices, this command is only supported on Android 8 and lower.
Lock Screen Locks the device screen. If the device's screen is password-locked, then the user needs to enter the password to access the device again.
Lock SIM PIN

Places a lock on the SIM card's PIN to prevent the use of the SIM card on another device.

To lock a SIM PIN, enter the current SIM PIN and then enter a new PIN. If the locked SIM card is registered to another device, the device is locked and the user must enter the new PIN to unlock it.

Unlock SIM PIN

Removes the lock placed on a SIM card's PIN.

To unlock a SIM PIN, enter the current PIN that was applied through Knox Manage, and then enter the initial (default) SIM PIN. You can find the current PIN on the Device Detail page > Network tab > SIM PIN applied by KM.

Factory Reset

Performs factory reset and changes the device status to Unenrolled.

Initialize SD Card when factory reset — Click the check box to initialize the SD card during a factory reset.

Deactivate Factory Reset Protection — This option is only available when the profile is applied with the Factory Reset Protection policy or when you send the command to multiple devices. Click the check box to perform a factory reset without the Factory Reset Protection policy.

Power Off Device

Turns off the device.

NOTE — Only Samsung Galaxy devices support this command, except devices running Android 10 and higher.
Reboot Device Reboots the device.
Reset Screen Password

Resets the lock on the device.

For devices running Android 8 and higher, the user must set a new lock before they can continue operating the device.

For devices running Android 7.1.2 and lower, a temporary password is set on the device. After resetting the lock, you must deliver the temporary password to the device user, after which they can set a new personalized lock. For full details about this temporary password process, see How to reset the lock on a device.

CAUTION — The device user can skip setting a new lock and continue using the temporary password indefinitely, which is a potential security risk. If possible, encourage them to set a new password.

This command fails to take effect if all of the following is true about the device:

  • It's fully managed
  • It's an FBE device
  • It's locked
  • It's running Android 9 with KM agent 20.11
Reset SD Card

Initializes the external SD card of the device.

NOTE — For devices whose External SD Card policy is set to Disallowed in the profile, you cannot reset the SD card using the device command, because the policy takes a higher priority than the device command.
Reset Data Usage

Resets data usage among the Android device's inventory information.

  • Wi-Fi transfer data, that is transfer data in or out using Wi-Fi
  • Network transfer data, that is transferred in or out
NOTE — Only Samsung Galaxy devices support this command, except devices running Android 10.
Reset Number of Calls Resets the number of calls and number of missed calls from the Android device's inventory information.
Delete a CA Certificate Deletes certificates installed by Knox Manage. You can select a certificate to delete.
Delete a User Certificate Deletes certificates installed by the administrator. You can select a certificate to delete.
Delete a User Install Certificate Deletes all the certificates installed by the administrator.

Application

Device command Description
Install or Update App

Installs or updates an app on the device. If the device user has uninstalled the app, then the app can't be re-installed by this command.

On the Request Command page, select an app to be installed or updated.

NOTE — The app installation allowlist and blocklist policy take precedence over this command. If an app is blocked, then this command can't install it.
Run App

Runs an app on the device.

IMPORTANT — The app installation allowlist and blocklist policy take precedence over this command. If an app is explicitly allowed, then this command can't uninstall it.
Uninstall App

Deletes an app from the device.

IMPORTANT — The app installation allowlist and blocklist policy take precedence over this command. If an app is explicitly allowed, then this command can't uninstall it.
Apply Latest internal App Information Sends the latest internal app information and updates the device according to the information.
Delete App Data Delete an app's data from the device.

Knox Manage

Device command Description
Push Notification

Sends an emergency message to the device. The message icon shows on the status bar of the device. You can set a push notification message of up to 80 characters.

On the Push Notification page, enter the title and content of the message. You can also select between Notification and Pop up for the send type.

NOTE
  • If the device is locked, you must unlock it to view popup pages.
  • Popup pages may not show on Work Profile devices running Android 10 and higher.
Unenroll Device Unenrolls a selected device on the device list.
Update License Updates the license of a selected device on the device list.
Update Knox Manage

Updates the Knox Manage agent on the device for a new patch or version.

The agent information registered in the KM server is sent to the device, which then selects the appropriate agent to request installation files from the server.

Update User Information

Updates the device user information, such as the user activation status/username/user settings (Knox Browser website URL information, bookmark information) and license information.

If the user is logged out from the enrolled device, you can send this device command to enable the user to log in to Knox Manage automatically.

Lock Screen of Knox Manage agent

Locks the Knox Manage agent.

When the agent is locked, the device user must enter the agent's password that was configured during enrollment. If the user forgets the password, you can send the Delete Account command to sign the user out. Then, they can reset the password upon sign in.

Unlock Knox Manage agent Unlocks the Knox Manage agent.
Delete Account Deletes the account registered in the Knox Manage agent.
Exit Kiosk Exits the Kiosk mode without unenrollment. You can find the status of the Kiosk mode on the Device Detail page > Security tab.
Convert License Convert the device's Knox Manage license to a Knox Suite license.
Collect Audit Log Collects the Knox Manage audit logs of the device. When the log size exceeds the maximum size, logs are automatically sent to the server, but the log file may be lost. For more detailed information, see View the audit list.
Collect Device Log Collects the logs of devices.
Collect Diagnosis Information

Collects the device log to diagnose the cause of device lock.

NOTE — Personally identifiable or sensitive information is data masked.
Collect Bug Report

Collect the device's bug report, also known as dumpstate logs.

The device user is then prompted to send the report, and they can choose whether to send it.

You can view the bug report by selecting the device and viewing its device log. Alternatively, you can go to History > Device Log and select the relevant device.

Reset Push Token

Creates and registers a new Firebase Cloud Messaging (FCM) token for the KM agent on the device.

Use this command in scenarios where the device can't receive push notifications, which typically occurs when the token changed on the KM server and the device was unable to sync it.

Register Managed Google Play Account

Assigns the Managed Google Play Account associated with your tenant to the device.

Use this command if the Managed Google Play Account wasn't registered on the device during enrollment.

Play Alarm Sound Sounds an alarm on the device until the device user takes action. On non-kiosk devices, the alarm is accompanied by a push notification from the KM agent, and on kiosk devices it is accompanied by a pop-up. The alarm sounds regardless of the device's mute and vibration settings.

Device Info.

Device command Description
Collect current location

Shows the current location of the device.

Sync Device Information

Updates the inventory and app information on the device.

Sync Installed App List

Pulls the device's app list.

Authenticate SIM Card Authenticates the SIM card on the device.
Authenticate SD Card Authenticates the external SD card on the device.
Attestation Checks if the device's OS has been compromised. The result of the check can be found in the device details.
SafetyNet Attestation Initiates a SafetyNet Attestation check, which evaluates the integrity of the hardware and software of the device. The specifics of the evaluation depend on the device's Android version. The result of the evaluation can be found in the device details.