Menu

Android Enterprise Policies

This section describes the policies you can configure for Android Enterprise devices.

Knox Manage supports four types of Android Enterprise devices — Fully Managed, Work Profile, Fully Managed with Work Profile, and Work Profile on Company-owned Devices.

NOTE — Until KM v20.11, KM only supported Android Enterprise policies for device management. Starting with KM 21.1, for devices running a Work Profile on a company-owned device, KM now supports Knox policies.
Type Description
Fully Managed Controls the whole device.
Work Profile Controls only designated work areas.
Fully Managed with Work Profile Controls both the personal and work areas and applies different policies to each of them. (Supported version — Android 10 or lower.)
Work Profile on Company-owned Devices Controls both the personal and work areas, and applies different policies to each of them. (Supported version — Android 11 or higher.)
NOTE — Some policies support only Samsung Galaxy devices.

The availability of each policy varies depending on the enrollment type and the OS version. IT admins can also choose to turn on the Highlight Work Profile on Company-owned Devices Profile Only setting to show the available policies highlighted in blue.

System

Provides backup and restore settings and other features. Updates the operating system on a device.

Interface

Controls the network settings, such as Bluetooth, Wi-Fi Direct, and tethering.

Security

Configures the security settings, such as SafetyNet attestation, Multifactor authentication, and screen timeout.

Password

Configures password and device lock screen settings.

Kiosk

Configures Kiosk applications on a Kiosk device and controls the device settings.

Application

Configures options for application controls such as installation, verification, and permission.

Location

Allows the use of GPS or collecting location data from a device.

Phone

Configures the phone settings, such as airplane mode, the microphone settings, and the cellular network settings.

Container

Allows data transfers within the Work Profile or with other devices.

Factory Reset Protection

Configures the security policy to prevent the unauthorized use of a device after a factory reset.

Secure Browser

Configures the Secure Browser app. If you enable Secure Browser on a device, the KM Secure Browser app is automatically installed right after the Knox Manage agent is enrolled.

NOTE — This is a Premium feature. To be able to use it, the device must be enrolled under a Knox Suite license.

Wi-Fi

Configures the Wi-Fi settings, such as SSID, security type, and proxy.

VPN

Configures a VPN (Virtual Private Network) on Android Enterprise devices.

Bookmark

Configures the bookmark settings, such as the configuration ID and installation area.

Certificate

Allows using new certificate authority (CA) certificates and configuring the certificate settings.

System

Policy Description Supported system
User Certificate Settings Allows the setting of user certificates. DO/PO — Android 4.3 or higher
Camera Allows using the camera.
NOTE — If the device is activated as a Work Profile, the camera function only in the Work Profile is controlled.

DO — Android 4.0 or higher, Samsung Knox 1.0 or higher

PO — Android 5.0 or higher

Screen capture

Allows screen captures.

NOTE — Starting with Android 12, system apps built with certain API permissions can capture the screen even if the device has screen capturing disabled by an EMM. This mostly affects preloaded system apps developed by device manufacturers. If you are unsure whether the preloaded apps on a deployed device have these permissions, you should verify with the device manufacturer.

Android 5+

System update

Allows setting if and how over-the-air (OTA) updates are applied to devices. Choose one of the following setting option:

  • Automatic — Automatically apply updates as soon as they become available.

  • Postpone — Postpone OTA updates for up to 30 days.

  • Windowed — Schedule OTA updates to occur at a specific time within a daily maintenance window. Use 24 hour format for time—[00:00-23:59]

DO — Android 6 or higher
Account Modification

Allows modification—addition or deletion—of the accounts added for each application.

  • Disallow — This policy restricts the addition or deletion of users even if the Add or Delete User policies are allowed.
DO/PO — Android 4.3 or higher
> Account Blocklist

Add a specific account type blocklist that should not be added on the device (Setting > Accounts and backup > Accounts).

Specify the correct account name to block. For instance, enter com.google.android.gm.pop3 for a Gmail (pop3) account.

NOTE — Here are the account names of the applications that are mainly used:
Application Package name Account name
Google Play Service com.google.android.gms com.google
Google Play Service com.google.android.gms com.google.android.gms.matchstick
Gmail com.google.android.gm com.google.android.gm.pop3
Gmail com.google.android.gm com.google.android.gm.exchange
Gmail com.google.android.gm com.google.android.gm.legacyimap
Samsung Experience Service com.samsung.android.mobileservice com.osp.app.signin
Samsung Experience Service com.samsung.android.mobileservice com.samsung.android.coreapps
Samsung Experience Service com.samsung.android.mobileservice com.samsung.android.mobileservice
Duo com.google.android.apps.tachyon com.google.android.apps.tachyon
NAVER com.nhn.android.search com.nhn.android.naveraccount
Facebook com.facebook.katana com.facebook.auth.login
Outlook com.microsoft.office.outlook com.microsoft.office.outlook.USER_ACCOUNT
OneDrive com.microsoft.skydrive com.microsoft.skydrive
DO/PO — Android 5.0
> Allow account in Google Play Specifies which managed and unmanaged accounts on the device can make changes through Google Play. You can select Allow All for all accounts, Allow only MGP Account for just the Managed Google Play (MGP) account, or Allow MGP and Selected Accounts for the MGP account and an allowlist defined by the Account Allowlist policy.

DO — Android 4.3 and higher

> Account Allowlist Specifies an allowlist of accounts on the device that can access Google Play.

DO — Android 4.3 or higher

VPN Setting Allows the user to configure the VPN settings on the device.

DO — Android 5.0 or higher

PO — Android 7.0 or higher

Add User Allows adding the new users on the device. DO — Android 5.0 or higher
Delete User Allows deleting the added users. DO — Android 4.3 or higher
Safe mode Allows using Safe Mode. This policy retains device control functions such as camera control, but not Knox Manage applications and preloaded applications. DO — Android 6.0 or higher, Samsung Knox 1.0 or higher
Change wallpaper Allows changing the home and lock screens. DO — Android 7.0 or higher, Samsung Knox 1.0 or higher
External SD card Allows using the external SD card. DO — Android 4.0 or higher, Samsung Knox 1.0 or higher
> Write to external SD card

Allows writing to an external SD card.

NOTE — If the external SD card policy is allowed but the Write to external SD card policy is not, then external SD cards can only be read and do not have reset control.
DO — Samsung Knox 1.0 or higher
Factory reset Allows a device factory reset. DO — Android 5.0 or higher, Samsung Knox 1.0 or higher
S Beam

Allows using Android Beam which transfers data using NFC.

NOTE — Android 10 (Q) or higher devices are not supported.
DO — Android 5.0 or higher, Samsung Knox 1.0 or higher
Create Window Allows a window to be created and launched at the top when users use a multi-window transformed into a pop-up window or a split screen mode on the device. DO — Android 5.0 or higher
Easter Egg Allows executing the Easter Egg games on devices with specific actions. DO — Android 6.0 or higher
Brightness Setting Allows changing of the screen brightness level. DO — Android 9.0 or higher
AOD Allows the always on display feature that displays brief information on the lock screen, such as notifications or time. DO — Android 9.0 or higher
System Error Screen Allows an error dialog display function when an application shutdowns abnormally. DO — Android 9.0 or higher
If compromised OS is detected

Select a measure to take when a compromised OS is detected.

  • Lock device — Locks the device.
  • Lock Email — Locks email use.
  • Factory reset + Initialize SD card — Simultaneously factory resets the user device and the SD card.
  • Factory reset — Resets the user device but not the SD card.
NOTE — The factory reset (only) function is unsupported in Android 2.0 or lower. To reset the device, select the Factory reset + Initialized SD card option.
DO — Android 1.0 or higher
Set Notifications from an event to On.

Set the device to display a notification when a device control event is applied.

User defined — Users can set event notifications on the device from the Settings menu of the Knox Manage agent.

Show notification — Displays the notification when an event for device control is applied.

Hide notifications — Hides the notification when an event for device control is applied.

DO — Android 1.0 or higher, Samsung Knox 1.0 or higher
Set Notifications from an event to Off.

Set the device to display a notification when an event for device control is disengaged.

  • User Defined — Users can set event notifications on the device from the Settings menu of the Knox Manage agent.
  • Show notification — Displays a notification when an event for device control is disengaged.
  • Hide notifications — Hides a notification when an event for device control is disengaged.
DO — Android 1.0 or higher, Samsung Knox 1.0 or higher
Fix Event Notification

Set the removal of notifications from the device Quick panel.

User Defined — Users can remove notification on the device from the settings menu of Knox Manage agent.

Disallow to Remove Notification — Users cannot remove notifications on the device Quick Panel.

Allow to Remove Notification — Users can remove notifications on the device Quick Panel.

DO — Android 1.0 or higher, Samsung Knox 1.0 or higher
Encryption for storage Specifies the encryption of the device's internal storage or the external SD card. DO — Android 4.1 or higher, Samsung Knox 1.0 or higher
> Storage encryption

Check the check box to select the storage to be encrypted.

NOTE — External SD card encryption is applicable to Samsung Galaxy devices only.
NTP Settings Allows using the NTP (Network Time Protocol) server. Register this server to sync the server time to a device.
> Server address Enter the NTP server address. DO — Samsung Knox 2.5 or higher
> Maximum number of attempts

Set the maximum number of attempts for connecting to the NTP server to retrieve the time information.

The value can be between 0 – 100 attempts.

DO — Samsung Knox 2.5 or higher
> Polling cycles (hr)

Set the cycle to reconnect to the server using NTP.

The value can be between 0 – 8760 hours (8760 hours = 1 year).

DO — Samsung Knox 2.5 or higher
> Short polling cycle (sec)

Set the cycle to re-connect to the NTP server after experiencing a timeout.

The value can be between 0 – 1000 seconds.

DO — Samsung Knox 2.5 or higher
> Timeout (sec)

Set the connection timeout on the NTP server.

The value can be between 0 – 1000 seconds.

DO — Samsung Knox 2.5 or higher
Automatic Date and Time Allows the device user to change the date and time settings. Select Enforce Time Zone to override the time zone and prevent the device user from changing it. DO — Android 5.0 or higher
> Time Zone Specifies the time zone. Only available if the Automatic Date and Time policy is set to Enforce Time Zone. DO — Android 5.0 or higher, Samsung Knox 1.0 or higher
Language Setting Allows the language setting policy. DO — Android 9.0
Location Setting

Allows users to change the Location settings.

  • Disallow — Users cannot change the on/off setting of the device location.
DO — Android 9.0
Backup

Allows backup of the device data.

NOTE — If the backup function can be found on your device at Google > Backup, it may seem possible to turn the backup setting on or off, even if this policy is set to Disallow. However, the functionality of backup is prohibited, regardless of mobile UI, when the Backup policy is set to Disallow.
DO — Android 8.0 or higher
Set a Message for Blocked Settings

Enables a custom message to display when the device user taps or tries to use a disabled setting.

This policy has two sub-policies, one for a short message to display in most screens of the Settings app, and the other for a longer message to display in the device administrators screen of the Settings app.

DO — Android 7.0 or higher
> Short Message Specifies the custom message to display when the device user taps or tries to use a disabled setting on the Settings app. Only available if the Set a Message for Blocked Settings policy is set to Apply. DO — Android 7.0 or higher
> Long Message Specifies the custom message to display when the device user taps or tries to use a disabled setting in the device administrators screen of the Settings app. Only available if the Set a Message for Blocked Settings policy is set to Apply. DO — Android 7.0 or higher
Set a Message for Lock Screen

Enables a custom message on the device's lock screen. You can add lookup items to the message, which substitute for device and user information like username and phone number in the Android environment.

If the message contains only whitespace characters, then no lock message displays, and the user can't change it.

If this policy is unset, the message only contains the user information, if it's available.

DO — Android 8.0 or higher
> Message Specifies the custom message on the lock screen. Enter the message in the text field. Click Lookup to browse and select available lookup items to add to the message. DO — Android 8.0 or higher

Interface

Policy Description Supported system
Printing Allows the printing function. DO/PO — Android 9.0 or higher
Autofill Service Allows auto-completion of information that you enter on websites in the Android browser. DO/PO — Android 8.0 or higher
Network Reset

Allows the network usage rest function on a set date.

NOTE — For Android 7.0 or lower devices, this applies to Samsung devices (Knox1.0+) only.
DO — Android 6.0 or higher
Mobile Network Setting Allows configuring the mobile network settings. DO — Android 5.0 or higher
Allow Wi-Fi Change Allows changing the Wi-Fi Settings. DO — Android 4.3 or higher
Wi-Fi

Allow using Wi-Fi. If the Wi-Fi policy was not applied successfully, the device tries to apply it again 30 minutes after Knox Manage is activated.

  • Allow — Allows using Wi-Fi
  • Disable On — Disallows turning Wi-Fi on. It is turned off at all times.
  • Disable Off — Disallows turning Wi-Fi off. It is turned on at all times.
DO — Android 1.0 or higher, Samsung Knox 1.0 or higher
> Wi-Fi Direct

Allows use of the Wi-Fi Direct (Wi-Fi P2P) connection.

NOTE
  • Set the Wi-Fi policy to Allow or Disable Off before using this policy.
  • The direct connection of the two devices may cause the device function or the menu to be controlled, depending on the device type.
DO — Samsung Knox 1.0 or higher
Tethering Setting Allows tethering Settings. DO — Android 5.0 or higher
Bluetooth

Allows using Bluetooth.

  • Allow — Allows turning Bluetooth on.
  • Disable On — Disallows turning Bluetooth on.
DO — Android 8.0 or higher, Samsung Knox 1.0 or higher
> Desktop PC connection Allows PC connection with the user's device using Bluetooth. DO — Samsung Knox 1.0 or higher
> Data transfer Allows data exchanges with other devices using Bluetooth connection. DO — Samsung Knox 1.0 or higher
> Search mode Allows device search mode. DO — Samsung Knox 1.0 or higher
Bluetooth Setting Specifies the controls for the Bluetooth use. DO — Android 4.3 or higher
Bluetooth Share Allows Bluetooth sharing. DO — Android 8.0 or higher
PC connection Allows connecting user's device to PC. DO — Android 4.3 or higher, Samsung Knox 1.0 or higher

Security

Policy Description Supported system
SafetyNet Attestation Allows the use of SafetyNet attestation to validate the integrity of the device. DO/PO — Android 6.0 or higher
> Verification Interval (days) Set an interval at which the SafetyNet Attestation API assesses the devices.
> Verification Failure Policy (During Enrollment)

Select a measure.

  • Admin Alert — Sends an alert to the administrator.
  • Unenrollment (Factory Reset) (for DO only)—Unenrolls the device and performs a factory reset.
  • Unenrollment (for PO only)—Unenrolls the device.
> Verification Failure Policy (After Enrollment)

Select a measure.

  • Admin Alert — Sends an alert to the administrator.
  • Lock device (for DO only)—Locks the device.
  • Unenrollment (Factory Reset) (for DO only)—Unenrolls the device and performs a factory reset.
  • Unenrollment (for PO only)—Unenrolls the device.
Maximum screen timeout Set the maximum time limit that a user can linger before screen timeout. DO — Android 2.2 or higher, Samsung Knox 2.0 or higher
Enforce Multi-factor Authentication

Enable multifactor authentication (2FA) that unlocks a device only after two authentication methods are provided, including one biometric input—face, iris, or fingerprint—and one lock screen method, such as PIN, password, or pattern.

NOTE — Incorrect use of this policy together with One Lock and Biometric policy can lock your device.
DO — Samsung Knox 3.0 or higher

Password

Policy Description Supported system
Password

Set the device's lock screen type and minimum quality. Use of the camera is prohibited when the device is locked.

You can set up to two lock screen policy sets:

  • Device Controls — The lock screen settings for the personal area of the device.
  • Work Profile Controls — The lock screen settings for a device's Work Profile. After the Work Profile is set up, the device user is directed to set a lock screen.
IMPORTANT
  • For the Fully Managed type and the Fully Managed with Work Profile type, if the strength of the lock screen is lower than the requirements of the policy, the device is locked through the Lock Task mode. The device user can't use any other functions until they set a lock screen.
  • If the device user creates a lock screen for the Work Profile that does not comply with the password policy's requirements, all apps on the Work Profile—except essential apps like Knox Manage—are suspended. Suspending the apps, as opposed to just hiding them, offers greater security since unauthorized users cannot gain access to any Work Profile data.
  • If the device is using a One Lock password and the policy for the personal area and Work Profile are configured differently, the stronger password policy is applied.
TIP
  • If a user forgets their password and contacts you, you should send the device command to reset the password and guide them to enter the temporary password. For more information about this procedure, see Viewing the device details.
> Minimum Complexity (Android 12 or later)

Set the minimum lock screen complexity.

There are four complexity levels, each pre-defined by the Android API. The device user must use a lock screen that meets or exceeds the minimum level.

Set the minimum complexity level of the lock screen:

  • N/A — No restrictions on the lock screen.
  • Low — A pattern or PIN, with repeating (4444) and ordered (1234, 4321, 2468) sequences allowed.
  • Medium — A PIN without repeating (4444) or ordered (1234, 4321, 2468) sequences. Or, a password with 4 or more characters.
  • High — A PIN with 8 or more characters, without repeating (4444) or ordered (1234, 4321, 2468) sequences. Or, a password with 6 or more characters.

Fully Managed — Android 12.0+

Work Profile — Android 12.0+

Personal area — Android 12.0+

> Minimum Strength (Android 11 or earlier)

Set a minimum strength level for the lock screen:

  • Weak Biometric — A biometric recognition method.
  • Pattern — A pattern.
  • Numeric — A PIN.
  • Numeric Complex — A pin with no repeating (4444) or ordered (1234, 4321, 2468) sequences.
  • Alphabetic — A password with letter characters.
  • Alphanumeric — A password with alphanumeric characters.
  • Complex — A password with alphanumeric and special characters.
NOTE — The password strength increases in the following ascending order — Weak Biometric < Pattern < Numeric < Numeric Complex < Alphabetic < Alphanumeric < Complex.

Fully Managed — Android 6-11

Work Profile — Android 6-11

Personal area — Android 7-11

>> Minimum Length

Set the minimum length of the password.

The value can be between 4-16 characters for Numeric or Alphanumeric strength levels.

The value can be between 6-16 characters for the Complex strength level.

>> Minimum Number of Letters

Set the minimum number of letter characters in the password.

The value can be between 1-10 characters.

>> Minimum Number of Non-letters

Set the minimum number of numeric and special characters required in the password.

The value can be between 1-10 characters.

>> Minimum Number of Lowercase Letters

Set the minimum number of lowercase letter characters required in the password.

The value can be between 1-10 characters.

>> Minimum Number of Capital Letters

Set the minimum number of uppercase letter characters required in the password.

The value can be between 1-10 characters.

>> Minimum Number of Numeric Characters

Set the minimum number of numeric characters allowed in the password.

The value can be between 1-10 characters.

>> Minimum Number of Special Characters

Set the minimum number of special characters required in the password.

The value can be between 1-10 characters.

> > Maximum Length of Sequential Numbers

Set the longest string of sequential numbers (1234, 4321, 2468) allowed in the password.

The value can be between 1-10 characters.

Devices secured by Samsung Knox
> > Maximum Length of Sequential Characters

Set the longest string of sequential characters (abcd, dcba, aceg) allowed in the password.

The value can be between 1-10 characters.

Devices secured by Samsung Knox
> Password Lifecycle Settings (Android 6 or later) These settings define rules about how the lock screen changes over time, such as user changes to the lock screen, expiration, and minimum login parameters.

Fully Managed — Android 6+

Work Profile — Android 6+

Personal area — Android 7+

>> Password History (times)

Set the minimum number of new passwords that must be used before a user can reuse a previous password.

For example, if the password is Knox123! and the Password History (times) is 10, the user must use ten other passwords before they can reuse Knox123!.

The value can be between 1-10 times.

>> Expiration After (days)

Set the number of days before the password must be reset.

The value can be between 1-365 days.

>> Maximum Failed Login Attempts

Set the maximum number of incorrect password attempts before access is restricted.

You can set this only with Numeric, Alphanumeric, or Complex password strength.

The value can be between 0-10 times.

>>> If the maximum failed login attempts are exceeded (Work Profile)

Select an action to perform when the maximum number of failed unlock attempts is reached:

  • Factory Reset or Remove Work Profile — If the device is company-owned, it factory resets. If the device is personally-owned, the Work Profile is removed.
>>> If the maximum failed login attempts are exceeded (Fully Managed, Fully Managed with Work Profile)

Choose an action to perform on a Fully Managed device when the maximum number of failed unlock attempts is reached:

  • Lock device — Locks the device.
  • Factory reset + Initialize SD Card — Factory resets the device and the SD card.
  • Factory reset — Factory resets the device.
>> If Password Compliance is Violated

Choose an action to perform when a password does not comply with requirements:

  • Personal area:
    • Lock Device — The device is locked (Fully Managed devices only).
    • No Action — No action is taken.
  • Work Profile:
    • Suspend Work Apps — Apps in the Work Profile are suspended.
    • Suspend Work and Personal Apps — All apps are suspended (corporate owned with Work Profile devices only).
    • No Action — No action is taken.
> KeyGuard (Block Functions on Lock Screen)

Choose which features and functionality to block when the screen is locked.

Fully Managed devices:

  • Trust Agent — Blocks the Smart Lock function, which unlocks the screen in certain conditions, such as during physical activity, at a specific geographic location, or when devices are added.
  • Fingerprint — Blocks screen unlock through fingerprint scanning.
  • Iris — Blocks screen unlock through iris scanning.
  • Face — Blocks screen unlock through face scanning.
  • Camera — Blocks camera control.
  • Previews in Pop-ups (Fully Managed, Fully Managed With Work Profile) — Hides content in app notifications on the lock screen.
  • Notification (Fully Managed, Fully Managed With Work Profile, Work Profile on Company-Owned) — Hides all app notifications on the lock screen.

Devices with a Work Profile:

  • Trust Agent — Blocks the Smart Lock function, which unlocks the screen in certain conditions, such as during physical activity, at a specific geographic location, or when devices are added.
  • Previews in pop-ups — Hides content in app notifications on the lock screen.
  • Fingerprint — Blocks screen unlock through fingerprint scanning.
  • Face — Blocks screen unlock through face scanning.

Fully Managed — Android 5+

Work Profile — Android 7+

Personal area — Android 7+

Kiosk

Policy Description Supported system
Setting Plugged in Screen On

Enable this feature to set the device screen on when charging using any of the following options:

> Screen on when Plugged into Charger

Select the option to apply the policy:

  • AC Charger
  • USB Charger
  • Wireless Charger

Multiple selection is possible.

Kiosk app settings

Select a Kiosk feature to use on a device.

Single app — Runs a single application on the device's home screen.

Multi app — Runs multiple applications that are developed using the Kiosk Wizard.

Kiosk Browser — Opens webpages that are specified by the administrator.

NOTE
  • Single App Kiosks are not available with non-Samsung Android Enterprise Fully Managed (DO) devices that are running Android 6.0-8.0.
  • Knox Manage provides Single App Kiosk with Google managed applications for Android Enterprise devices with version 9.0 (Pie) or higher.

DO — Samsung Knox 1.0 or higher

Non-Samsung DO — Android 9.0 or higher

> Set application Click Select, and then choose Public applications (Managed Google Play Store) or Kiosk applications from the Kiosk application list. Alternatively, click Add, and then manually add applications. For more information about adding single applications, see Create a kiosk using the Kiosk Wizard.
> Set application Click Select to select multiple Kiosk applications from the list or click New to create a Multi App Kiosk.
> Set Kiosk Browser When setting up the Kiosk Browser, the package name of the application registered as the Kiosk Browser is automatically selected.
> Default URL Set the default page URL to call in the Kiosk Browser.
App Auto Update Set the Kiosk Browser to be updated automatically.
> Screen Saver

Use the screen saver for the Multiple App kiosk and the Kiosk Browser. When no user activity is sensed for a certain amount of time set in the Auto Screen Off or Session Timeout settings on the device, the registered images or video files are activated on the device display.

NOTE — The Screen Saver for the Kiosk Browser only runs while the device is charging.
>> Screen Saver Type Select either an image or video type screensaver.
>>> Image

Select image files for the screen saver. You can add up to 10 image files in the PNG, JPG, JPEG, or GIF format (animated files are not supported). Each image file must be less than 5 MB.

  • To upload an image file, click Add and select a file.
  • To delete an image file, click delete next to the name of the uploaded image file.
NOTE — The device control command must be transferred to the device to apply an image file to it.
>>> Video

Select a video file for the screen saver. You can add only one video file in the MP4 or MKV format. The video file must be less than 50 MB.

  • To upload a video file, click Add and select a file.
  • To delete a video file, click delete next to the name of the uploaded video file.
NOTE — The device control command must be transferred to the device to apply a video to it.
> Session timeout

Allows the use of the session timeout feature for the Kiosk Browser. If the user does not use the device for a set time, the device deletes user information, such as the cache and cookies, in the device Kiosk Browser and goes to the main page URL:

  • Apply — Enables the session timeout feature for the browser.
>> Time (sec)

Set the session timeout in seconds for the Kiosk Browser.

The value can be between 10 - 3600 secs (default is 1800).

> Text Copy Allow the copying of text strings in the Kiosk Browser.
> Javascript Allow the running of the JavaScript contained in websites.
> Http Proxy Allow the use of an HTTP proxy for communications in the Kiosk Browser.
>> IP/Domain:Port Set the HTTP proxy server IP or domain address, and Port. When not entered, the Port number is automatically set to 80.
> User agent settings key value

Set the key value to be added to the user agent. Allow the Kiosk Browser to access the Web server and the user agent key values contained in the HTTP header.

NOTE — User agent key settings can be used to detect access to non-Kiosk Browsers on the web server.
> File Upload

Allows the user to upload files to websites through the Kiosk Browser.

Disallow is the default value.

Delete Kiosk app when policy is removed Allows to delete applications along with policies from a device when the applied policy is deleted.

DO — Samsung Knox 1.0

Non-Samsung DO — Android 9.0

Prohibit hardware key Allows the use of the hardware keys.
> Disallow hardware keys

Select hardware keys to disable. The availability of Hardware keys can vary by device

If you do not allow the use of the Task Manager, then it does not run, even if the user taps the left menu key in the Navigation bar at the bottom of the device.

DO — Samsung Knox 1.0 or higher
Utilities setting Allows the use of specific features on Kiosk mode devices. DO — Android 9.0
> Power Allows the use of the Power button to turn off or restart the device.
> Recent apps Allows the use of the Recent task button. The Home button also needs to be allowed to use the Recent task button.
> System status bar

Allows the use of the system status bar, which displays the time, network connectivity, and battery status.

NOTE — For Android P or higher devices, you must allow the notification bar as well to enable the system status bar.
> Notification bar Allows the access to the notification bar. If this policy is set to Allow, the Home policy is allowed automatically.
> Home Allows the use of the Home button on the device.
> Key guard Allows the screen lock policy to be applied to the device. If it is set to Disallow, users can access the Kiosk device without a screen lock password, regardless of the screen lock policy of the device.

Application

Policy Description Supported system
Installation of application from untrusted sources Allows the installation of applications from untrusted sources instead of just the Google Play Store.

DO — Android 4.3 or higher

PO — Android 5.0 or higher

Skip App Tutorial Allows the users to skip application tutorials. DO and PO — Android 1.0 or higher
App Control

Allows application control from the settings application.

The following actions can be configured:

  • Delete / Execute / Prevention / CACHE Removal / Data Removal / Focused Exit / Default App Removal.
DO — Android 5.0 or higher
App Installation Allows application installation.

DO — Android 4.3 or higher

PO — Android 5.0 or higher

App Uninstallation Allows application uninstallation.

DO — Android 4.3 or higher

PO — Android 5.0 or higher

App Verification Allows application verification using Google for all device applications.

DO — Android 5.0 or higher

PO — Android 5.0 - 7.1

App Permission

Allows application runtime permission settings for all areas.

  • Prompt — Prompts users to grant or deny permissions.
  • Grant — Grants all relevant permissions.
  • Deny — Denies all relevant permissions.
NOTE — This policy applies to all applications.
DO/PO — Android 6.0 or higher
> App permission exception policy list

Add individual application. Set different permission policies for each application.

  • To add an application, click Add, and then select applications in the "Select Application" window.
  • To delete an application, click delete next to the added application.
NOTE
DO/PO — Android 6.0 or higher
App Execution Blocklist Setting Set to prevent the execution of the device applications.
> App execution blocklist

Add applications to prevent their execution. Icon of the blocked application disappears and users cannot run the application.

  • To add an application, click Add, and then select applications in the "Select Application" window.
  • To delete an application, click delete next to the added application.
NOTE — An application that has been added on the Application installation allowlist policy cannot be added.
DO/PO — Android 5.0 or higher
Application uninstallation prevention list Setting Set to prevent the uninstallation of the device application.
> Application uninstallation prevention list

Add applications to prevent their uninstallation.

  • To add an application, click Add, and then select applications in the "Select Application" window.
  • To delete an application, click delete next to the added application.
DO/PO — Android 5.0 or higher
System App Activation Setting

Set to activate hidden system applications for Android Enterprise devices to view. If a device is activated with Android Enterprise, only designated applications appear on the device.

NOTE — Applications cannot be activated if they are listed under the Application installation block list.
> System App Activation

Add system applications to be activated.

  • To add an application, click Add, and then select applications in the "Select Application" window.
  • To delete an application, click delete next to the added application.
DO/PO — Android 5.0 or higher
Settings for allowlisting apps allowing external SD card Allows the use of an external SD card. The external SD card cannot be used by default.
> Allowlisted apps for external SD card

Add applications that can use an external SD card.

  • To add an application, click Add, and then select applications in the "Select Application" window.
  • To delete an application, click delete next to the added application.
App Download Block/ Allowlist Setting

Configure allowlist and blocklist policies to restrict the use of personal Google Play accounts and installation of personal apps on devices.

IMPORTANT — These policies apply to apps downloaded from managed Google Play only, apps that are already installed or are directly installed using APKs are not impacted. For already installed apps, use the previously set up app blocklist and allowlist policy.
> App Download Blocklist Add apps to the blocklist, restricting users from downloading or installing these apps to the target devices. To add apps to the blocklist:
  • Single app — In the App Download Block/Allowlist Setting list > select App Download Blocklist > click Add > click to select the check box for the appropriate app, and then click OK.
  • All apps — In the App Download Block/Allowlist Setting list, select App Download Blocklist > click Add all.
> App Download Allowlist Add apps to the allowlist which lets users download and install these apps to the target devices. To add apps to the allowlist:
  • In the App Download Block/Allowlist Setting list > select App Download Allowlist > click Add > click to select the check box for the appropriate app, and then click Add.

Location

Policy Description Supported system
GPS

Configure to force quit the GPS feature of device. Users can freely change this feature setting on the device if the Location Setting policy is set to Allow.

  • Disable On — Disables the GPS feature on the device.

DO — Android 4.3 or higher, Samsung Knox 1.0 or higher

PO — Android 4.3 or higher

Report device location

Allows collecting location data.

NOTE — For Note 8 devices running the N OS, the Geofencing area radius size set in the admin console unit is recognized in miles not meters.
  • User consent — Allows location data collection only with the user's consent.
NOTE — If the Fully Managed with Work Profile type is used, location data from devices is collected based on the Report Device Location value, which is specified in the Fully Managed Device policy.

DO — Android 2.3 or higher, Samsung Knox 1.0 or higher

PO — Android 5.0 or higher

> Report device location interval

Set an interval period to save the location data of the device.

NOTE — To set the collection interval, select either Allow or User consent for the Report device location policy.

DO — Android 2.3 or higher, Samsung Knox 1.0 or higher

PO — Android 5.0 or higher

High Accuracy Mode Set to use for collecting accurate GPS locations of the devices.

DO — Android 2.3 or higher, Samsung Knox 1.0 or higher

PO — Android 5.0 or higher

Phone

Policy Description Supported system
Airplane mode Allows the use of airplane mode. DO — Android 9.0 or higher, Samsung Knox 2.0 or higher
Cell Broadcast Setting

Allows the use of emergency broadcast settings.

The carrier can send a same message, such as an emergency alert, to the devices connected to the same cellular base station.

DO — Android 5.0 or higher
Volume Adjustment Allows adjusting the volume. DO — Android 5.0 or higher
Microphone Allows the use of the microphone.

DO — Android 5.0 or higher, Samsung Knox 1.0 or higher

PO — Samsung Knox 1.0 or higher

> Recording Allows recording with the microphone. DO/PO — Samsung Knox 1.0 or higher
> S Voice Allows the use of S Voice. DO — Samsung Knox 1.0 or higher
Voice Call (except Samsung Device)

Allows the use of voice calls.

NOTE — To control Samsung devices, use the Prohibit voice Call policy.
DO — Android 5.0 or higher
SMS (except Samsung Device) Allows the use of text messages. DO — Android 5.0 or higher
Data connection during roaming Allows a data connection while using roaming service. DO — Android 7.0 or higher, Samsung Knox 1.0 or higher

Container

Policy Description Supported system
Copy and Paste Clipboard per Profile Allows copying and pasting with the clipboard between the personal and work areas. PO — Android 5.0 or higher
Bluetooth Share Allows sharing using Bluetooth with other devices. PO — Android 8.0 or higher
Phone Book Access Profile (PBAP) via Bluetooth

Allows sharing contacts from the Profile Owner to the connected device using Bluetooth.

NOTE — Before you use this policy, set the Bluetooth share policy to Allow.
PO — Android 6.0 or higher
Set a Message for Profile Wipe Allows IT admins to set a custom message to warn the user when the data on the Work profile is being wiped.
Set a Maximum Period for Profile Turned off

Allows IT admins to specify a time period for which the device users are allowed to turn off Work profiles on their WP-C devices. The following two options are available:

  • Days (between 3 to 30 days)
  • Hours (between 72 and 720 hours)

Users of WP-C devices are allowed to turn off the Work profile on their devices. If the device user does not restart the Work profile, all Personal apps—outside of emergency calls and a few other important apps—are suspended. The device users see a notification on their device alerting them as to the reason for suspension of personal apps.

Factory Reset Protection

You can set up a factory reset protection policy for Android Enterprise devices. This policy allows you to prevent the unauthorized use of an organization's devices using a special validation method for unlocking them after a factory reset.

NOTE — Currently, this policy is only supported in Fully Managed and Work profile on company-owned Devices. This policy is not supported for Work Profile on personally-owned devices.
Policy Description Supported system
Factory Reset Protection

Allows enabling Factory Reset Protection, also known as FRP.

To enable Factory Reset Protection, complete the following steps:

  1. Select Allow from the drop-down list. The screen refreshes to show further information about the FRP.
  2. Click Go to Google API Webpage to generate user ID.
  3. Sign in with your Google account.
    NOTE — You can use an existing Google account or create one specifically for use with factory reset protection. Note that this account is used to validate device users. Do not use the Android Enterprise account.
  4. Enter the following input values on the right side of API page.
    • resourceName — people/me
    • personalFields — metadata
  5. Click Execute.
  6. The screen refreshes to show a confirmation message in a green box. From the confirmation message, copy the value of the ID field, and then go back to the Knox Manage admin portal > Android Enterprise policy > Factory reset protection > paste the copied ID value in the Google User ID field.
  7. Enter the same account ID to the Google Account ID field you used to sign in to the Google API page in step 3, and click add to save it.

Secure Browser

Secure Browser is a web browser that you can configure to be highly secure. It is available to users who have a Knox Suite license. If you enable Secure Browser on a device, the KM Secure Browser app is silently installed right after the Knox Manage agent is enrolled, as shown in this image.

Policy Description Supported system
Secure Browser App

Configure whether to enable the Secure Browser app.

  • Use — Enable the app to be used. Select this for more secure browsing.
  • - — Disable the app from being used. Select this if the enterprise has another preferred browser.
Homepage URL Set the default web page displayed by the browser or tab when first launched, or when the browser home icon is tapped. The user cannot override this default home page through the browser settings.
App Auto Update Set the Secure Browser to be updated automatically.
Hide URL

Configure whether to hide the URL address bar.

  • Use — Hide the URL address bar. This prevents access to websites other than the default Homepage URL, and blocks file downloads automatically.
  • Do Not Use — Display the URL address bar.
  • - — Do not make this a configurable setting.
URL Control Type

Configure whether to allow or block URLs.

  • Allowlist — Allow only the URLs specified in the allowlist. Use this for better browser security.
  • Blocklist — Allow all URLs except those in the blocklist. Use this to offer better browser usability.
  • - — Allow all URLs.
URL Control List

Enter the URLs to allow or block, as specified in URL Control Type.

Use an asterisk as a wildcard to specify URL patterns.

You can use an asterisk in the URL sub-domain (www) and path (after /). Here are valid examples:

  • https://docs.company.com/*
  • https://*.company.com/*

You cannot use an asterisk in the URL schema (http, https) or domain (domain.com). Here are invalid examples:

  • *.company.com/*
  • https://www.*company*.com/*
Link URL to Other Apps

Configure whether to allow URLs that download and launch apps. Secure Browser supports these URL schemes:

  • intent:// - Launches the app package specified in the intent URL.
  • market:// - Downloads the specified app package from Google Play store.

Users can download or run apps directly by tapping these URL schemes on web pages. You can select:

  • Allow — To allow apps to download and launch. Select this for better usability.
  • Disallow — To prevent apps from downloading and launching. Select this if you are concerned about app integrity.
  • - — Allow all app downloads and launches.
Cookies

Configure whether to allow websites to save cookies on the device.

  • Allow — Allow cookies. Select this for better browser usability.
  • Disallow — Do not allow apps to launch. Select this for better security and user privacy.
  • - — Allow all cookies.
File Download

Configure whether to allow users to download files from websites onto the device.

  • Allow — Allow downloads. Select this for better browser usability.
  • Disallow — Do not allow downloads. Select this for better security, to block files like viruses, adware, or spyware. If you select the Hide URL option, file downloads are blocked automatically.
  • - — Allow all downloads.
File Upload

Configure whether to allow users to upload files from their device to a website.

  • Allow — Allow uploads. Select this option for better browser usability.
  • Disallow — Do not allow uploads. Select this option for better security, if you are concerned about confidential assets being shared through the web.
  • - — Allow all downloads.
Text Copy

Configure whether to allow users to copy text displayed on a web page.

  • Allow — Allow copies. Select this for better browser usability.
  • Disallow — Do not allow copies. Select this option for better security, if you are concerned about confidential web info being shared.
  • - — Allow copies.
Screen Capture

Configure whether to allow users to capture an image of a web page.

  • Allow — Allow captures. Select this option for better browser usability.
  • Disallow — Do not allow captures. Select this option for better security, if you are concerned about confidential web info being shared.
  • - — Allow captures.
Bookmark Enter any web pages you want to bookmark by default for easy access in the browser.

Wi-Fi

You can add more Wi-Fi policy sets by clicking add.

Wi-Fi configuration is not applied to the Work Profile area of devices.

  • For devices enrolled as Fully Managed with Work Profile, the Wi-Fi configuration is applied only to the Fully Managed area of the device.
  • For device enrolled as Work Profile, the Wi-Fi configuration is not applied.
Policy Description Supported system
Configuration ID Assign a unique ID for each Wi-Fi setting.
Description Enter a description for each Wi-Fi setting.
Network Name (SSID)

Enter an identifier of a wireless router to connect to.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

Remove available Allows users to delete the Wi-Fi settings.
Hidden Network Allows to hide the network from the list of available networks on the device. The SSID does not broadcast.
Security type Specifies the access protocol used and whether certificates are required.
> WEP Set a WEP KEY index from WEP KEY 1 to 4.
> WPA/WPA2-PSK Enter a password. You can enter up to 100 characters for the password.
> 802.1xEAP

Configure the following items:

  • EAP Method — Select an authentication protocol from between PEAP and TTLS.
  • 2-step authentication — Select one from PAP, MSCHAP, and MSCHAPV2 as a secondary authentication method.
  • User information input method — Select an input method for entering user information.
  1. Manual Input — Enter the user ID and Password for the Wi-Fi connection. You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.
  2. Connector interworking — Choose a connector from the User information Connector.
  3. User Information — Use the user information registered in Knox Manage to access Wi-Fi.
  • External ID — Assign an external ID for Manual Input.
  • User certificate input method — Select a user certificate confirmation method.
  1. EMM Management Certificate — Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting. Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.
  2. Connector interworking — Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Add sync services.

    When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.

  3. Issuing external CA — Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see External certificates.
CA certificate Select a root certificate. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as Wi-Fi and the Type set as Root are included on the list.
Proxy configuration Select a proxy server configuration method. You can use the server to route through the proxy server when the device is connected to Wi-Fi.
> Manual

Configure the proxy server manually.

  • Proxy host name — Enter the host name of the IP address of the proxy server
  • Proxy port — Enter the port number used by the proxy server
  • Proxy exception — Enter the IP address or domain address that cannot be accessed through the proxy server. If server authentication is required to use the proxy server, check the Server authentication check box.
  • User name — Enter the username for the proxy server.
  • Password — Enter the password for the proxy server.
> PAC automatic configuration

Configure the proxy server automatically.

You should enter the PAC web address, the URL of the PAC file that automatically determines which proxy server to use.

VPN

You can configure the VPN settings to connect to a private network through a public network. You can add more VPN policy sets by clicking . Only the Pulse Secure VPN type can be configured for Android Enterprise devices.

Policy Description Supported system
Configuration ID Assign a unique ID for the VPN setting.
Description Enter a description for the VPN setting.
VPN type The VPN type is set to Pulse Secure by default and you cannot change it.
Always On VPN Creates a VPN connection when the device starts and maintains it while the device is turned on.
Server URL Enter the URL of the VPN server.
Authentication Type Select an authentication type for the VPN connection between Password, Certificate, and both.
User name

Enter the user ID for the VPN connection.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

Password Enter the password for the VPN connection.
Identity Certificate Select a certificate to identify itself to its peer.
Route Type Set to use the VPN settings for the entire device or for selected applications.
> Apps to use VPN Configuration Select applications to allow or disallow from using the VPN. To add an application, click Allowlist Apps or Blocklist Apps, click Add, and then select applications in the "Select Application" window.

Bookmark

For Android Enterprise devices, a shortcut to the bookmarked address of a specific URL is created on the home screen of the device, not in the web browser.

NOTE
  • Only the device user can delete the shortcuts manually.
  • Deleting a bookmark policy from the Knox Manage agent can render different effects based on the OS version. In both cases, manual deletion by the device user is recommended:
    • Android Pie (9.0) — Shortcuts still appear grayed out on the home screen.
    • Android Oreo (8.0) — Shortcuts are not removed.
Policy Description Supported system
Configuration ID Assign a unique ID for each bookmark setting.
Description Enter a description for each bookmark setting.
Installation area

Specifies a location to install the bookmark.

  • Shortcut — Creates a shortcut of the bookmarked address on the home screen of the device. Shortcut icons are created based on the Samsung Launcher.
    1. Android Enterprise devices only support the shortcut type.
    2. Shortcut icons may not be able to be created depending on the type of launcher set by the user.
    3. An administrator cannot delete the shortcut icon, but the user can delete it manually.
Shortcut image Select a shortcut icon to be created on a user device.
Bookmark page URL Enter a website address to go to when a bookmark is selected.
Bookmark name Enter the bookmark name to be displayed as a title in the bookmark.

Certificate

You can install a user certificate on a device and use the certificate through Wi-Fi or on websites. You can add more certificate policy sets by clicking add.

Policy Description Supported system
Configuration ID Assign a unique ID for each certificate setting.
Description Enter a description for each certificate setting.
Install Area Specify where the certificate should be installed.
User certificate input method

Select an input method for entering certificate information.

  • EMM Management Certificate — Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.
NOTE — Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.
  • Connector interworking — Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Adding sync services.
  • When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.
  • Issuing external CA — Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template.

    Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Adding external certificates.

Certificate Category

Select a certification category when EMM Management Certificate is selected in User certificate input method,

  • CA certificate — Select a certificate to use from the CA certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as Root show on the list.
  • User certificate — Select a certificate to use from the User Certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose has been set as CA Cert and the Type set as User show on the list.
Apps with Delegated Certificate Management Add specific applications, which are installed on the device, to grant silent privileged access using a certificate while running.