Menu

Android Enterprise Policies

This section describes the policies you can configure for Android Enterprise devices.

Knox Manage supports four types of Android Enterprise devices — Fully Managed, Work Profile, Fully Managed with Work Profile, and Work Profile on Company-owned Devices.

NOTE — Until KM 20.11, KM only supported Android Enterprise policies for device management. Starting with KM 21.1, for devices running a Work Profile on a company-owned device, KM now supports Knox policies.
Type Description
Fully Managed Controls the whole device.
Work Profile Controls only designated work areas.
Fully Managed with Work Profile Controls both the personal and work areas and applies different policies to each of them. Android 10 and lower.
Work Profile on company-owned device Controls both the personal and work areas, and applies different policies to each of them. Android 11 and higher.
NOTE — Some policies support only Samsung Galaxy devices.

The availability of each policy varies depending on the enrollment type and the OS version. IT admins can also choose to turn on the Highlight Work Profile on Company-owned Devices Profile Only setting to show the available policies highlighted in blue.

System

Provides backup and restore settings and other features. Updates the operating system on a device.

Policy Description Supported system
User Certificate Settings Allows the setting of user certificates. Android 4.3 and higher
Camera Allows using the camera.
NOTE — If the device is activated as a Work Profile, the camera function only in the Work Profile is controlled.

Fully Managed — Android 4 and higher, Samsung Knox 1.0 and higher

Work Profile — Android 5 and higher

Screen capture

Allows screen captures.

NOTE — Starting with Android 12, system apps built with certain API permissions can capture the screen even if the device has screen capturing disabled by an EMM. This mostly affects preloaded system apps developed by device manufacturers. If you are unsure whether the preloaded apps on a deployed device have these permissions, you should verify with the device manufacturer.

Android 5+

System update

Allows setting if and how over-the-air (OTA) updates are applied to devices. Choose one of the following setting option:

  • Automatic — Automatically apply updates as soon as they become available.

  • Postpone — Postpone OTA updates for up to 30 days.

  • Windowed — Schedule OTA updates to occur at a specific time within a daily maintenance window. Use 24 hour format for time—[00:00-23:59]

Fully Managed — Android 6 and higher
Account Modification

Allows modification—addition or deletion—of the accounts added for each application.

  • Disallow — This policy restricts the addition or deletion of users even if the Add or Delete User policies are allowed.
Android 4.3 and higher
> Account Block/Allowlist

Specifies whether to define an allowlist or blocklist of app and service accounts that the device user can manage. When set, the Account List policy becomes either a blocklist or an allowlist.

CAUTION — If you change the value of this policy when the account list contains values, all values in the account list will be erased.

Only available if the Account Modification policy is set to Allow.

Values

  • Allowlist Setting — The account list is an allowlist.
  • Blocklist Setting — The account list is a blocklist.
Android 5 and higher
Account List

Specify the list of app and service accounts that the device user is allowed or blocked from managing. Accounts are specified as interfaces of Android package names, such as com.google.android.gm.pop3 for the POP3 account of the Gmail app. Managed Google Play accounts can't be modified, so adding them to this list when in allowlist mode has no effect. Only available if the Account Modification policy is set to Allow and the Account Block/Allowlist policy is set.

Values

To add an account, enter it and click add. To remove one, click delete.

Here are the account names of common apps:

App Package name Account name
Google Mobile Services com.google.android.gms com.google
Google Mobile Services com.google.android.gms com.google.android.gms.matchstick
Gmail com.google.android.gm com.google.android.gm.pop3
Gmail com.google.android.gm com.google.android.gm.exchange
Gmail com.google.android.gm com.google.android.gm.legacyimap
Samsung Experience Service com.samsung.android.mobileservice com.osp.app.signin
Samsung Experience Service com.samsung.android.mobileservice com.samsung.android.coreapps
Samsung Experience Service com.samsung.android.mobileservice com.samsung.android.mobileservice
Duo com.google.android.apps.tachyon com.google.android.apps.tachyon
NAVER com.nhn.android.search com.nhn.android.naveraccount
Facebook com.facebook.katana com.facebook.auth.login
Outlook com.microsoft.office.outlook com.microsoft.office.outlook.USER_ACCOUNT
OneDrive com.microsoft.skydrive com.microsoft.skydrive
Android 5 and higher
> Allow account in Google Play Specifies which managed and unmanaged accounts on the device can make changes through Google Play. You can select Allow All for all accounts, Allow only MGP Account for just the Managed Google Play (MGP) account, or Allow MGP and Selected Accounts for the MGP account and an allowlist defined by the Account Allowlist policy.

Fully Managed — Android 4.3 and higher

> Account Allowlist Specifies an allowlist of accounts on the device that can access Google Play.

Fully Managed — Android 4.3 and higher

VPN Setting Allows the user to configure the VPN settings on the device.

Fully Managed — Android 5 and higher

Work Profile — Android 7 and higher

Add User Allows adding the new users on the device. Fully Managed — Android 5 and higher
User Deletion Allows deleting the added users. Fully Managed — Android 4.3 and higher
Safe mode Allows using Safe Mode. This policy retains device control functions such as camera control, but not Knox Manage applications and preloaded applications. Fully Managed — Android 6 and higher, Samsung Knox 1.0 and higher
Wallpaper Change

Allows both the device user and apps to change the wallpaper.

Values

  • Allow (default) — The wallpaper can be changed.
  • Disallow — The wallpaper can't be changed.
Android 7 and higher
Custom Wallpaper

Applies a custom wallpaper on the device. The device user can override this wallpaper. Only available if the Wallpaper Change policy is unset or set to Allow.

Values

  • Apply — Sets a custom wallpaper on the device.

If this value is unset, no custom wallpaper is applied.

Android 7 and higher
> Wallpaper File

Defines the custom wallpaper. Only available if the Custom Wallpaper policy is set to Apply.

Values

To add an image, click upload.

The image file can be in BMP, GIF, ICO, JPG, JPEG, or PNG format and can't exceed 10 MB in size.

Android 7 and higher
External SD card Allows using the external SD card. Fully Managed — Android 4 and higher, Samsung Knox 1.0 and higher
> Write to external SD card

Allows writing to an external SD card.

NOTE — If the external SD card policy is allowed but the Write to external SD card policy is not, then external SD cards can only be read and do not have reset control.
Fully Managed — Samsung Knox 1.0 and higher
Factory reset Allows a device factory reset. Fully Managed — Android 5 and higher, Samsung Knox 1.0 and higher
S Beam

Allows using Android Beam which transfers data using NFC.

NOTE — Android 10 and higher devices are not supported.
Fully Managed — Android 5 and higher, Samsung Knox 1.0 and higher
Create Window Allows a window to be created and launched at the top when users use a multi-window transformed into a pop-up window or a split screen mode on the device. Fully Managed — Android 5 and higher
Easter Egg Allows executing the Easter Egg games on devices with specific actions. Fully Managed — Android 6 and higher
Brightness Setting Allows changing of the screen brightness level. Fully Managed — Android 9 and higher
Always on Display Allows the always on display feature that displays brief information on the lock screen, such as notifications or time. Fully Managed — Android 9 and higher
System Error Screen Allows an error dialog display function when an application shutdowns abnormally. Fully Managed — Android 9 and higher
If compromised OS is detected

Select a measure to take when a compromised OS is detected.

  • Lock device — Locks the device.
  • Lock Email — Locks email use.
  • Factory reset + Initialize SD card — Simultaneously factory resets the user device and the SD card.
  • Factory reset — Resets the user device but not the SD card.
NOTE — The factory reset (only) function is unsupported in Android 2 and lower. To reset the device, select the Factory reset + Initialized SD card option.
Fully Managed — Android 1 and higher
Notifications when an Event is Set to On.

Set the device to display a notification when a device control event is applied.

User defined — Users can set event notifications on the device from the Settings menu of the Knox Manage agent.

Show notification — Displays the notification when an event for device control is applied.

Hide notifications — Hides the notification when an event for device control is applied.

Fully Managed — Android 1 and higher, Samsung Knox 1.0 and higher
Notifications when an Event is Set to Off.

Set the device to display a notification when an event for device control is disengaged.

  • User Defined — Users can set event notifications on the device from the Settings menu of the Knox Manage agent.
  • Show notification — Displays a notification when an event for device control is disengaged.
  • Hide notifications — Hides a notification when an event for device control is disengaged.
Fully Managed — Android 1 and higher, Samsung Knox 1.0 and higher
Fix Event Notification

Set the removal of notifications from the device Quick panel.

User Defined — Users can remove notification on the device from the settings menu of Knox Manage agent.

Disallow to Remove Notification — Users cannot remove notifications on the device Quick Panel.

Allow to Remove Notification — Users can remove notifications on the device Quick Panel.

Fully Managed — Android 1 and higher, Samsung Knox 1.0 and higher
Encryption for storage Specifies the encryption of the device's internal storage or the external SD card. Fully Managed — Android 4.1 and higher, Samsung Knox 1.0 and higher
> Storage encryption

Check the check box to select the storage to be encrypted.

NOTE — External SD card encryption is applicable to Samsung Galaxy devices only.
NTP Settings Allows using the NTP (Network Time Protocol) server. Register this server to sync the server time to a device.
> Server address Enter the NTP server address. Fully Managed — Samsung Knox 2.5 and higher
> Maximum number of attempts

Set the maximum number of attempts for connecting to the NTP server to retrieve the time information.

The value can be between 0–100 attempts.

Fully Managed — Samsung Knox 2.5 and higher
> Polling cycles (hr)

Set the cycle to reconnect to the server using NTP.

The value can be between 0–8760 hours (8760 hours = 1 year).

Fully Managed — Samsung Knox 2.5 and higher
> Short polling cycle (sec)

Set the cycle to re-connect to the NTP server after experiencing a timeout.

The value can be between 0–1000 seconds.

Fully Managed — Samsung Knox 2.5 and higher
> Timeout (sec)

Set the connection timeout on the NTP server.

The value can be between 0–1000 seconds.

Fully Managed — Samsung Knox 2.5 and higher
Automatic Date and Time Allows the device user to change the date and time settings. Select Enforce Time Zone to override the time zone and prevent the device user from changing it. Fully Managed — Android 5 and higher
> Time Zone Specifies the time zone. Only available if the Automatic Date and Time policy is set to Enforce Time Zone. Fully Managed — Android 5 and higher, Samsung Knox 1.0 and higher
Language Setting Allows the language setting policy. Fully Managed — Android 9
Location Setting

Allows users to change the Location settings.

  • Disallow — Users cannot change the on/off setting of the device location.
Fully Managed — Android 9
Backup

Allows backup of the device data.

NOTE — If the backup function can be found on your device at Google > Backup, it may seem possible to turn the backup setting on or off, even if this policy is set to Disallow. However, the functionality of backup is prohibited, regardless of mobile UI, when the Backup policy is set to Disallow.
Fully Managed — Android 8 and higher
Set a Message for Blocked Settings

Enables a custom message to display when the device user taps or tries to use a disabled setting.

This policy has two sub-policies, one for a short message to display in most screens of the Settings app, and the other for a longer message to display in the device administrators screen of the Settings app.

Fully Managed — Android 7 and higher
> Short Message Specifies the custom message to display when the device user taps or tries to use a disabled setting on the Settings app. Only available if the Set a Message for Blocked Settings policy is set to Apply. Fully Managed — Android 7 and higher
> Long Message Specifies the custom message to display when the device user taps or tries to use a disabled setting in the device administrators screen of the Settings app. Only available if the Set a Message for Blocked Settings policy is set to Apply. Fully Managed — Android 7 and higher
Set a Message for Lock Screen

Enables a custom message on the device's lock screen. You can add lookup items to the message, which substitute for device and user information like username and phone number in the Android environment.

If the message contains only whitespace characters, then no lock message displays, and the user can't change it.

If this value is unset, the message only contains the user information, if it's available.

Fully Managed — Android 8 and higher
> Message Specifies the custom message on the lock screen. Enter the message in the text field. Click Lookup to browse and select available lookup items to add to the message. Fully Managed — Android 8 and higher

Interface

Controls the network settings, such as Bluetooth, Wi-Fi Direct, and tethering.

Policy Description Supported system
Printing Allows the printing function. Android 9 and higher
Autofill Service Allows auto-completion of information that you enter on websites in the Android browser. Android 8 and higher
Network Reset

Allows the network usage rest function on a set date.

NOTE — For Android 7 and lower devices, this applies to Samsung devices (Knox1.0+) only.
Fully Managed — Android 6 and higher
Mobile Network Setting Allows configuring the mobile network settings. Fully Managed — Android 5 and higher
Wi-Fi Change Allows changing the Wi-Fi Settings. Fully Managed — Android 4.3 and higher
Wi-Fi

Allow using Wi-Fi. If the Wi-Fi policy was not applied successfully, the device tries to apply it again 30 minutes after Knox Manage is activated.

  • Allow — Allows using Wi-Fi
  • Disable On — Disallows turning Wi-Fi on. It is turned off at all times.
  • Disable Off — Disallows turning Wi-Fi off. It is turned on at all times.
Fully Managed — Android 1 and higher, Samsung Knox 1.0 and higher
> Wi-Fi Direct

Allows use of the Wi-Fi Direct (Wi-Fi P2P) connection.

NOTE
  • Set the Wi-Fi policy to Allow or Disable Off before using this policy.
  • The direct connection of the two devices may cause the device function or the menu to be controlled, depending on the device type.
Fully Managed — Samsung Knox 1.0 and higher
Tethering Setting Allows tethering Settings. Fully Managed — Android 5 and higher
Bluetooth

Allows using Bluetooth.

  • Allow — Allows turning Bluetooth on.
  • Disable On — Disallows turning Bluetooth on.
Fully Managed — Android 8 and higher, Samsung Knox 1.0 and higher
> Desktop PC connection Allows PC connection with the user's device using Bluetooth. Fully Managed — Samsung Knox 1.0 and higher
> Data transfer Allows data exchanges with other devices using Bluetooth connection. Fully Managed — Samsung Knox 1.0 and higher
> Search mode Allows device search mode. Fully Managed — Samsung Knox 1.0 and higher
Bluetooth Setting Specifies the controls for the Bluetooth use. Fully Managed — Android 4.3 and higher
Bluetooth Share Allows Bluetooth sharing. Fully Managed — Android 8 and higher
PC connection Allows connecting user's device to PC. Fully Managed — Android 4.3 and higher, Samsung Knox 1.0 and higher

Security

Configures the security settings, such as SafetyNet attestation, Multifactor authentication, and screen timeout.

Policy Description Supported system
SafetyNet Attestation Allows the use of SafetyNet attestation to validate the integrity of the device. Android 6 and higher
> Verification Interval (days) Set an interval at which the SafetyNet Attestation API assesses the devices.
> Verification Failure Policy (During Enrollment)

Select a measure.

  • Admin Alert — Sends an alert to the administrator.
  • Unenrollment (Factory Reset) (for DO only)—Unenrolls the device and performs a factory reset.
  • Unenrollment (for PO only)—Unenrolls the device.
> Verification Failure Policy (After Enrollment)

Select a measure.

  • Admin Alert — Sends an alert to the administrator.
  • Lock device (for DO only)—Locks the device.
  • Unenrollment (Factory Reset) (for DO only)—Unenrolls the device and performs a factory reset.
  • Unenrollment (for PO only)—Unenrolls the device.
Maximum screen timeout Set the maximum time limit that a user can linger before screen timeout. Fully Managed — Android 2.2 and higher, Samsung Knox 2.0 and higher
Enforce Multi-factor Authentication

Enable multifactor authentication (2FA) that unlocks a device only after two authentication methods are provided, including one biometric input—face, iris, or fingerprint—and one lock screen method, such as PIN, password, or pattern.

NOTE — Incorrect use of this policy together with One Lock and Biometric policy can lock your device.
Fully Managed — Samsung Knox 3.0 and higher

Password

Configures password and device lock screen settings.

Policy Description Supported system
Password

Set the device's lock screen type and minimum quality. Use of the camera is prohibited when the device is locked.

You can set up to two lock screen policy sets:

  • Device Controls — The lock screen settings for the personal area of the device.
  • Work Profile Controls — The lock screen settings for a device's Work Profile. After the Work Profile is set up, the device user is directed to set a lock screen.
IMPORTANT
  • For the Fully Managed type and the Fully Managed with Work Profile type, if the strength of the lock screen is lower than the requirements of the policy, the device is locked through the Lock Task mode. The device user can't use any other functions until they set a lock screen.
  • If the device user creates a lock screen for the Work Profile that does not comply with the password policy's requirements, all apps on the Work Profile—except essential apps like Knox Manage—are suspended. Suspending the apps, as opposed to just hiding them, offers greater security since unauthorized users cannot gain access to any Work Profile data.
  • If the device is using a One Lock password and the policy for the personal area and Work Profile are configured differently, the stronger password policy is applied.
  • During enrollment of company-owned devices with a Work Profile, the KM agent prompts the device user to set locks for the personal profile and Work Profile. If the device is rebooted before the locks are set, Managed Google Play functionality might be inhibited or the device might become bricked. For more details and remedies, see How to enforce a password policy during enrollment for company-owned devices with a Work Profile.
TIP
  • If a user forgets their password and contacts you, you should send the device command to reset the password and guide them to enter the temporary password. For more information about this procedure, see Viewing the device details.
> Minimum Complexity (Android 12 or later)

Set the minimum lock screen complexity.

There are four complexity levels, each pre-defined by the Android API. The device user must use a lock screen that meets or exceeds the minimum level.

Set the minimum complexity level of the lock screen:

  • N/A — No restrictions on the lock screen.
  • Low — A pattern or PIN, with repeating (4444) and ordered (1234, 4321, 2468) sequences allowed.
  • Medium — A PIN without repeating (4444) or ordered (1234, 4321, 2468) sequences. Or, a password with 4 or more characters.
  • High — A PIN with 8 or more characters, without repeating (4444) or ordered (1234, 4321, 2468) sequences. Or, a password with 6 or more characters.

Fully Managed — Android 12.0+

Work Profile — Android 12.0+

Personal area — Android 12.0+

> Minimum Strength (Android 11 or earlier)

Set a minimum strength level for the lock screen:

  • Weak Biometric — A biometric recognition method.
  • Pattern — A pattern.
  • Numeric — A PIN.
  • Numeric Complex — A pin with no repeating (4444) or ordered (1234, 4321, 2468) sequences.
  • Alphabetic — A password with letter characters.
  • Alphanumeric — A password with alphanumeric characters.
  • Complex — A password with alphanumeric and special characters.
NOTE — The password strength increases in the following ascending order — Weak Biometric < Pattern < Numeric < Numeric Complex < Alphabetic < Alphanumeric < Complex.

Fully Managed — Android 6-11

Work Profile — Android 6-11

Personal area — Android 7-11

>> Minimum Length

Set the minimum length of the password.

The value can be between 4-16 characters for Numeric or Alphanumeric strength levels.

The value can be between 6-16 characters for the Complex strength level.

>> Minimum Number of Letters

Set the minimum number of letter characters in the password.

The value can be between 1-10 characters.

>> Minimum Number of Non-letters

Set the minimum number of numeric and special characters required in the password.

The value can be between 1-10 characters.

>> Minimum Number of Lowercase Letters

Set the minimum number of lowercase letter characters required in the password.

The value can be between 1-10 characters.

>> Minimum Number of Capital Letters

Set the minimum number of uppercase letter characters required in the password.

The value can be between 1-10 characters.

>> Minimum Number of Numeric Characters

Set the minimum number of numeric characters allowed in the password.

The value can be between 1-10 characters.

>> Minimum Number of Special Characters

Set the minimum number of special characters required in the password.

The value can be between 1-10 characters.

> > Maximum Length of Sequential Numbers

Set the longest string of sequential numbers (1234, 4321, 2468) allowed in the password.

The value can be between 1-10 characters.

Devices secured by Samsung Knox
> > Maximum Length of Sequential Characters

Set the longest string of sequential characters (abcd, dcba, aceg) allowed in the password.

The value can be between 1-10 characters.

Devices secured by Samsung Knox
> Password Lifecycle Settings (Android 6 or later) These settings define rules about how the lock screen changes over time, such as user changes to the lock screen, expiration, and minimum login parameters.

Fully Managed — Android 6+

Work Profile — Android 6+

Personal area — Android 7+

>> Password History (times)

Set the minimum number of new passwords that must be used before a user can reuse a previous password.

For example, if the password is Knox123! and the Password History (times) is 10, the user must use ten other passwords before they can reuse Knox123!.

The value can be between 1-10 times.

>> Expiration After (days)

Set the number of days before the password must be reset.

The value can be between 1-365 days.

>> Maximum Failed Login Attempts

Set the maximum number of incorrect password attempts before access is restricted.

You can set this only with Numeric, Alphanumeric, or Complex password strength.

The value can be between 0-10 times.

>>> If the Maximum Failed Login Attempts Are Exceeded

Choose an action to perform on a Fully Managed device when the maximum number of failed unlock attempts is reached:

  • Lock device — Locks the device.
  • Factory reset + Initialize SD Card — Factory resets the device and the SD card.
  • Factory reset — Factory resets the device.
Fully Managed — Android 6 and higher
>>> If the Maximum Failed Login Attempts Are Exceeded

Select an action to perform when the maximum number of failed unlock attempts is reached:

  • Factory Reset or Remove Work Profile — If the device is company-owned, it factory resets. If the device is personally-owned, the Work Profile is removed.

Work Profile — Android 6 and higher

Company-owned — Android 7 and higher

>> If Password Compliance is Violated

Choose an action to perform when a password does not comply with requirements:

  • Personal area:
    • Lock Device — The device is locked (Fully Managed devices only).
    • No Action — No action is taken.
  • Work Profile:
    • Suspend Work Apps — Apps in the Work Profile are suspended.
    • Suspend Work and Personal Apps — All apps are suspended (corporate owned with Work Profile devices only).
    • No Action — No action is taken.
> KeyGuard (Block Functions on Lock Screen)

Choose which features and functionality to block when the screen is locked.

Fully Managed devices:

  • Trust Agent — Blocks the Smart Lock function, which unlocks the screen in certain conditions, such as during physical activity, at a specific geographic location, or when devices are added.
  • Fingerprint — Blocks screen unlock through fingerprint scanning.
  • Iris — Blocks screen unlock through iris scanning.
  • Face — Blocks screen unlock through face scanning.
  • Camera — Blocks camera control.
  • Previews in Pop-ups (Fully Managed, Fully Managed With Work Profile) — Hides content in app notifications on the lock screen.
  • Notification (Fully Managed, Fully Managed With Work Profile, Work Profile on Company-Owned) — Hides all app notifications on the lock screen.

Devices with a Work Profile:

  • Trust Agent — Blocks the Smart Lock function, which unlocks the screen in certain conditions, such as during physical activity, at a specific geographic location, or when devices are added.
  • Previews in pop-ups — Hides content in app notifications on the lock screen.
  • Fingerprint — Blocks screen unlock through fingerprint scanning.
  • Face — Blocks screen unlock through face scanning.

Fully Managed — Android 5+

Work Profile — Android 7+

Personal area — Android 7+

Kiosk

Configures Kiosk applications on a Kiosk device and controls the device settings.

Policy Description Supported system
Screen on when Plugged in

Enable this feature to set the device screen on when charging using any of the following options:

> Screen on when Plugged into Charger

Select the option to apply the policy:

  • AC Charger
  • USB Charger
  • Wireless Charger

Multiple selection is possible.

Kiosk app settings

Select a Kiosk feature to use on a device.

Single app — Runs a single application on the device's home screen.

Multi app — Runs multiple applications that are developed using the Kiosk Wizard.

Kiosk Browser — Opens webpages that are specified by the administrator.

NOTE
  • Single App Kiosks are not available with non-Samsung Android Enterprise Fully Managed (DO) devices that are running Android 6-8.0.
  • Knox Manage provides Single App Kiosk with Google managed applications for Android Enterprise devices with version 9.0 (Pie) and higher.

Fully Managed — Samsung Knox 1.0 and higher

Non-Samsung Fully Managed — Android 9 and higher

> Set application Click Select, and then choose Public applications (Managed Google Play Store) or Kiosk applications from the Kiosk application list. Alternatively, click Add, and then manually add applications. For more information about adding single applications, see Create a kiosk using the Kiosk Wizard.
> Set application Click Select to select multiple Kiosk applications from the list or click New to create a Multi App Kiosk.
> Set Kiosk Browser When setting up the Kiosk Browser, the package name of the application registered as the Kiosk Browser is automatically selected.
> Default URL Set the default page URL to call in the Kiosk Browser.
App Auto Update Set the Kiosk Browser to be updated automatically.
> Screen Saver

Use the screen saver for the Multiple App kiosk and the Kiosk Browser. When no user activity is sensed for a certain amount of time set in the Auto Screen Off or Session Timeout settings on the device, the registered images or video files are activated on the device display.

NOTE — The Screen Saver for the Kiosk Browser only runs while the device is charging.
>> Screen Saver Type Select either an image or video type screensaver.
>>> Image

Select image files for the screen saver. You can add up to 10 image files in the PNG, JPG, JPEG, or GIF format (animated files are not supported). Each image file must be less than 5 MB.

  • To upload an image file, click Add and select a file.
  • To delete an image file, click delete next to the name of the uploaded image file.
NOTE — The device control command must be transferred to the device to apply an image file to it.
>>> Video

Select a video file for the screen saver. You can add only one video file in the MP4 or MKV format. The video file must be less than 50 MB.

  • To upload a video file, click Add and select a file.
  • To delete a video file, click delete next to the name of the uploaded video file.
NOTE — The device control command must be transferred to the device to apply a video to it.
> Session timeout

Allows the use of the session timeout feature for the Kiosk Browser. If the user does not use the device for a set time, the device deletes user information, such as the cache and cookies, in the device Kiosk Browser and goes to the main page URL:

  • Apply — Enables the session timeout feature for the browser.
>> Time (sec)

Set the session timeout in seconds for the Kiosk Browser.

The value can be between 10 - 3600 secs (default is 1800).

> Text Copy Allow the copying of text strings in the Kiosk Browser.
> Javascript Allow the running of the JavaScript contained in websites.
> Http Proxy Allow the use of an HTTP proxy for communications in the Kiosk Browser.
>> IP/Domain:Port Set the HTTP proxy server IP or domain address, and Port. When not entered, the Port number is automatically set to 80.
> User agent settings key value

Set the key value to be added to the user agent. Allow the Kiosk Browser to access the Web server and the user agent key values contained in the HTTP header.

NOTE — User agent key settings can be used to detect access to non-Kiosk Browsers on the web server.
> File Upload

Allows the user to upload files to websites through the Kiosk Browser.

Disallow is the default value.

Delete Kiosk app when policy is removed Allows to delete applications along with policies from a device when the applied policy is deleted.

Fully Managed — Samsung Knox 1.0

Non-Samsung Fully Managed — Android 9

Prohibit hardware key Allows the use of the hardware keys.
> Disallow hardware keys

Select hardware keys to disable. The availability of Hardware keys can vary by device

If you do not allow the use of the Task Manager, then it does not run, even if the user taps the left menu key in the Navigation bar at the bottom of the device.

Fully Managed — Samsung Knox 1.0 and higher
Utilities setting Allows the use of specific features on Kiosk mode devices. Fully Managed — Android 9
> Power Allows the use of the Power button to turn off or restart the device.
> Recent apps Allows the use of the Recent task button. The Home button also needs to be allowed to use the Recent task button.
> System status bar

Allows the use of the system status bar, which displays the time, network connectivity, and battery status.

NOTE — For Android P and higher devices, you must allow the notification bar as well to enable the system status bar.
> Notification bar Allows the access to the notification bar. If this policy is set to Allow, the Home policy is allowed automatically.
> Home Allows the use of the Home button on the device.
> Key guard Allows the screen lock policy to be applied to the device. If it is set to Disallow, users can access the Kiosk device without a screen lock password, regardless of the screen lock policy of the device.

Application

Configures options for application controls such as installation, verification, and permission.

Policy Description Supported system
Installation of App from Untrusted Sources Allows the installation of apps from untrusted sources instead of just the Google Play Store.

Fully Managed — Android 4.3 and higher

Work Profile — Android 5 and higher

Skip App Tutorial Allows the users to skip application tutorials. DO and PO — Android 1 and higher
App Control

Allows application control from the settings application.

The following actions can be configured:

  • Delete / Execute / Prevention / CACHE Removal / Data Removal / Focused Exit / Default App Removal.
Fully Managed — Android 5 and higher
App Installation Allows application installation.

Fully Managed — Android 4.3 and higher

Work Profile — Android 5 and higher

App Uninstallation Allows application uninstallation.

Fully Managed — Android 4.3 and higher

Work Profile — Android 5 and higher

App Verification Allows application verification using Google for all device applications.

Fully Managed — Android 5 and higher

Work Profile — Android 5 - 7.1

App Permission

Allows application runtime permission settings for all areas.

  • Prompt — Prompts users to grant or deny permissions.
  • Grant — Grants all relevant permissions.
  • Deny — Denies all relevant permissions.
NOTE — This policy applies to all applications.
Android 6 and higher
> App permission exception policy list

Add individual application. Set different permission policies for each application.

  • To add an application, click Add, and then select applications in the "Select Application" window.
  • To delete an application, click delete next to the added application.
NOTE
Android 6 and higher
App Execution Blocklist Setting Set to prevent the execution of the device applications.
> App execution blocklist

Add applications to prevent their execution. Icon of the blocked application disappears and users cannot run the application.

  • To add an application, click Add, and then select applications in the "Select Application" window.
  • To delete an application, click delete next to the added application.
NOTE — An application that has been added on the App download allowlist policy cannot be added.
Android 5 and higher
App uninstallation prevention list Setting Set to prevent the uninstallation of the device application.
> Application uninstallation prevention list

Add applications to prevent their uninstallation.

  • To add an application, click Add, and then select applications in the "Select Application" window.
  • To delete an application, click delete next to the added application.
Android 5 and higher
System App Activation Setting

Set to activate hidden system applications for Android Enterprise devices to view. If a device is activated with Android Enterprise, only designated applications appear on the device.

NOTE — Applications cannot be activated if they are listed under the Application installation block list.
> System App Activation

Add system applications to be activated.

  • To add an application, click Add, and then select applications in the "Select Application" window.
  • To delete an application, click delete next to the added application.
Android 5 and higher
App Delegation Scope Management

Enables delegated scopes for apps, which is a device policy controller function that grants elevated API and policy control to an app. An app with delegated scopes can dictate policies and configuration settings to other apps.

Values

  • Allow — Enables delegation scopes.

If this value is unset, then delegation scopes are disabled.

Android 8 and higher
> App Delegation Scope

Configures delegated scopes for apps. Each configuration targets an app with a profile in the KM tenant and assigns scopes to it. You can only manage one delegation configuration per app. Only available if the App Delegation Scope Management policy is set to Apply.

Values

To assign delegated scopes to an app:

  1. Click Select, then choose an app from the list in the Select Application window.
  2. Select scopes to assign to the app from the Delegation Scopes list.
  3. Click add to add the configuration.

The available scopes are:

  • Certificate installation and management
  • Managed configurations management
  • Blocking uninstallation
  • Permission policy and permission grant state
  • Package access state
  • Enabling system apps

To remove the delegated scopes for an app:

  • Click delete next to the configuration.
Android 8 and higher
Allowlisting Apps Allowing External SD Card Setting Allows the use of an external SD card. The external SD card cannot be used by default.
> Allowlisted apps for external SD card

Add applications that can use an external SD card.

  • To add an application, click Add, and then select applications in the "Select Application" window.
  • To delete an application, click delete next to the added application.
App Download Block/ Allowlist Setting

Configure allowlist and blocklist policies to restrict the use of personal Google Play accounts and installation of personal apps on devices.

IMPORTANT — These policies apply to apps downloaded from managed Google Play only, apps that are already installed or are directly installed using APKs are not impacted. For already installed apps, use the previously set up app blocklist and allowlist policy.
> App Download Blocklist Add apps to the blocklist, restricting users from downloading or installing these apps to the target devices. To add apps to the blocklist:
  • Single app — In the App Download Block/Allowlist Setting list > select App Download Blocklist > click Add > click to select the check box for the appropriate app, and then click OK.
  • All apps — In the App Download Block/Allowlist Setting list, select App Download Blocklist > click Add all.
> App Download Allowlist Add apps to the allowlist which lets users download and install these apps to the target devices. To add apps to the allowlist:
  • In the App Download Block/Allowlist Setting list > select App Download Allowlist > click Add > click to select the check box for the appropriate app, and then click Add.

Location

Allows the use of GPS or location data collection from a device.

Policy Description Supported system
GPS

Configure to force quit the GPS feature of device. Users can freely change this feature setting on the device if the Location Setting policy is set to Allow.

  • Disable On — Disables the GPS feature on the device.

Fully Managed — Android 4.3 and higher, Samsung Knox 1.0 and higher

Work Profile — Android 4.3 and higher

Report device location

Allows collecting location data.

NOTE — For Note 8 devices running the N OS, the Geofencing area radius size set in the admin console unit is recognized in miles not meters.
  • User consent — Allows location data collection only with the user's consent.
NOTE — If the Fully Managed with Work Profile type is used, location data from devices is collected based on the Report Device Location value, which is specified in the Fully Managed Device policy.

Fully Managed — Android 2.3 and higher, Samsung Knox 1.0 and higher

Work Profile — Android 5 and higher

> Report device location interval

Set an interval period to save the location data of the device.

NOTE — To set the collection interval, select either Allow or User consent for the Report device location policy.

Fully Managed — Android 2.3 and higher, Samsung Knox 1.0 and higher

Work Profile — Android 5 and higher

High Accuracy Mode Set to use for collecting accurate GPS locations of the devices.

Fully Managed — Android 2.3 and higher, Samsung Knox 1.0 and higher

Work Profile — Android 5 and higher

Phone

Configures the phone settings, such as airplane mode, the microphone settings, and the cellular network settings.

Policy Description Supported system
Airplane mode Allows the use of airplane mode. Fully Managed — Android 9 and higher, Samsung Knox 2.0 and higher
Cell Broadcast Setting

Allows the use of emergency broadcast settings.

The carrier can send a same message, such as an emergency alert, to the devices connected to the same cellular base station.

Fully Managed — Android 5 and higher
Volume Adjustment Allows adjusting the volume. Fully Managed — Android 5 and higher
Microphone Allows the use of the microphone.

Fully Managed — Android 5 and higher, Samsung Knox 1.0 and higher

Work Profile — Samsung Knox 1.0 and higher

> Recording Allows recording with the microphone. Samsung Knox 1.0 and higher
> S Voice Allows the use of S Voice. Fully Managed — Samsung Knox 1.0 and higher
Voice Call (except Samsung Device)

Allows the use of voice calls.

NOTE — To control Samsung devices, use the Prohibit voice Call policy.
Fully Managed — Android 5 and higher
SMS (except Samsung Device) Allows the use of text messages. Fully Managed — Android 5 and higher
Data connection during roaming Allows a data connection while using roaming service. Fully Managed — Android 7 and higher, Samsung Knox 1.0 and higher

Container

Allows data transfers within the Work Profile or with other devices.

Policy Description Supported system
Copy and Paste Clipboard per Profile Allows copying and pasting with the clipboard between the personal and work areas. PO — Android 5 and higher
Bluetooth Share Allows sharing using Bluetooth with other devices. PO — Android 8 and higher
Phone Book Access Profile (PBAP) via Bluetooth

Allows sharing contacts from the Profile Owner to the connected device using Bluetooth.

NOTE — Before you use this policy, set the Bluetooth share policy to Allow.
PO — Android 6 and higher
Set a Message for Profile Wipe Allows IT admins to set a custom message to warn the user when the data on the Work profile is being wiped.
Set a Maximum Period for Profile Turned off

Allows IT admins to specify a time period for which the device users are allowed to turn off Work profiles on their WP-C devices. The following two options are available:

  • Days (between 3 to 30 days)
  • Hours (between 72 and 720 hours)

Users of WP-C devices are allowed to turn off the Work profile on their devices. If the device user does not restart the Work profile, all Personal apps—outside of emergency calls and a few other important apps—are suspended. The device users see a notification on their device alerting them as to the reason for suspension of personal apps.

Factory Reset Protection

Configures the security policy to prevent unauthorized use of a device after a factory reset.

You can set up a factory reset protection policy for Android Enterprise devices. This policy allows you to prevent the unauthorized use of an organization's devices using a special validation method for unlocking them after a factory reset.

NOTE — Currently, this policy is only supported in Fully Managed and Work profile on company-owned Devices. This policy is not supported for Work Profile on personally-owned devices.
Policy Description Supported system
Factory Reset Protection

Enables factory reset protection. When this security measure is enabled, if the device undergoes a factory reset it can't be reactivated without the previous user's Google Account.

Values

  • Allow — Enables factory reset protection for all devices that use this profile.
  • Disallow (default) — Disables factory reset protection.

To enable factory reset protection:

  1. Set the value to Allow.
  2. For the the Google Account ID field, enter the email address of Google Account that will protect the devices that use this profile. This account must be appropriate for use by support providers.

    CAUTION — As this account email and password might be shared with support providers, do not use your Google Account associated with Android Enterprise.
  3. Click Go to Google API Webpage to generate user ID. The people.get operation page from Google's People API reference opens.
  4. If you haven't already, sign in to the Google Account you specified earlier.
  5. In the Try this method dialog, enter:

    • resourceName field — people/me
    • personalFields field — metadata
  6. Click EXECUTE.

    • You might be prompted to grant permission for the Google APIs Explorer to access the Google Account. If so, click Allow to grant all access.

    A 200 OK message shows, which contains the account's detailed information as JSON values.

  7. Copy the value of the "ID" field in the message.
  8. Back on the KM console, paste the copied ID value in the Google User ID field.
  9. Click add.

Knox Browser

Configures the Knox Browser app. If you enable Knox Browser on a device, the Knox Browser app is automatically installed right after the Knox Manage agent is enrolled.

Knox Browser is a web browser that you can configure to be highly secure. It is available to users who have a Knox Suite license. If you enable Knox Browser on a device, the Knox Browser app is silently installed right after the Knox Manage agent is enrolled, as shown in this image.

NOTE — This is a Premium feature. To be able to use it, the device must be enrolled under a Knox Suite license.
Policy Description Supported system
Knox Browser App

Enables the Knox Browser app.

Values

  • Use — Enables the Know Browser app on the device.

If this value is unset, then the Knox Browser app can't be installed on the device.

Knox Platform for Enterprise Premium
Homepage URL

Sets the home page of the Knox Browser app. If set, the user can't change the home page. This is a required value for deploying the Knox Browser. Only available if the Knox Browser App policy is set to Use.

Values

Enter a URL.

Knox Platform for Enterprise Premium
App Auto Update

Determines whether the Knox Browser app automatically updates. If enabled, the browser also updates when the profile is pushed to the device. Only available if the Knox Browser App policy is set to Use.

Values

  • Use — Enables automatic Knox Browser updates.
  • Do Not Use — Disables automatic Knox Browser updates.
Knox Platform for Enterprise Premium
Hide URL

Hides the address bar. Only available if the Knox Browser App policy is set to Use.

Values

  • Use — Hides the address bar. Prevents access to websites other than the default Homepage URL, and blocks file downloads.
  • Do Not Use (default) — Displays the URL address bar.
Knox Platform for Enterprise Premium
URL Control Type

Configure whether to restrict access to URLs. The restriction list is defined by the URL Control List policy. Only available if the Knox Browser App policy is set to Use.

  • Allowlist — Knox Browser uses an allowlist to restrict access to specified sites.
  • Blocklist — Knox Browser uses a blocklist to restrict access to specified sites.

If this value is unset, then URLs aren't restricted.

Knox Platform for Enterprise Premium
URL Control List

Enter the URLs to allow or block, as determined by the URL Control Type policy. Only available if the Knox Browser App policy is set to Use and the URL Control Type is set to Allowlist or Blocklist.

Values

To add a URL, enter it and click add. To remove one, click delete.

The wildcard (*) token is supported in the sub-domain and path. For example:

  • https://*.example.com
  • https://corp.example.com/*
Knox Platform for Enterprise Premium

Enables URLs with web intents, which, when opened, can download and launch apps on Android. Only available if the Knox Browser App policy is set to Use. Knox Browser supports intent schemes like the following:

  • intent://... — Launches the app package specified in the URL scheme.
  • market://... — Downloads the specified app package from Google Play Store.

Values

  • Allow (default)
  • Disallow
Knox Platform for Enterprise Premium
Cookies

Allows web pages viewed on Knox Browser to store cookies on the device. Only available if the Knox Browser App policy is set to Use.

Values

  • Allow (default)
  • Disallow
Knox Platform for Enterprise Premium
File Download

Enables file downloads on Knox Browser. Only available if the Knox Browser App policy is set to Use.

Values

  • Allow (default)
  • Disallow — Blocks downloads. If you set the Hide URL policy to Use, file downloads are blocked automatically.
Knox Platform for Enterprise Premium
File Upload

Allows the device user to upload files to web pages on Knox Browser. Only available if the Knox Browser App policy is set to Use.

Values

  • Allow (default)
  • Disallow
Knox Platform for Enterprise Premium
Text Copy

Allows the device user to copy text from web pages viewed on Knox Browser. Only available if the Knox Browser App policy is set to Use.

Values

  • Allow (default)
  • Disallow
Knox Platform for Enterprise Premium
Screen Capture

Allows the device user to take screenshots of web pages on Knox Browser. Only available if the Knox Browser App policy is set to Use.

Values

  • Allow (default)
  • Disallow
Knox Platform for Enterprise Premium
Bookmark

Defines a collection of bookmarks to push to Knox Browser. Only available if the Knox Browser App policy is set to Use.

Values

To add a bookmark, enter a name for it and its URL, then click add. To remove a bookmark, click delete.

Knox Platform for Enterprise Premium
Text Scaling

Forces changing the text size on web pages on Knox Browser. Only available if the Knox Browser App policy is set to Use.

Values

  • Use — Adjusts the text size to the scale set by the Text Scaling > Ratio policy.
  • Do not use — The text size defaults to 100%, and the user can't change it.

If this value is unset, then the text size defaults to 100%, and the device user can change it.

Knox Platform for Enterprise Premium
> Ratio

Specifies the scale of the text size on Knox Browser. Only available if the Knox Browser App and Text Scaling policies are set to Use.

Values

To set the scale, adjust the slider. The slider has a range of 50–200% and moves in 5% increments.

Knox Platform for Enterprise Premium
Force Enable Zoom

Forces changing the zoom level of web pages on Knox Browser. Only available if the Knox Browser App policy is set to Use.

Values

  • Use — Adjusts the zoom level to the scale set by the Force Enable Zoom > Ratio policy.
  • Do not use — The zoom level defaults to 100%, and the user can't change it.
Knox Platform for Enterprise Premium
> Ratio

Specifies the zoom level of web pages on Knox Browser. Only available if the Knox Browser App and Text Scaling policies are set to Use.

Values

To set the scale, adjust the slider. The slider has a range of 100–200% and moves in 10% increments.

Knox Platform for Enterprise Premium

Wi-Fi

Configures the Wi-Fi settings, such as SSID, security type, and proxy.

You can add more Wi-Fi policy sets by clicking add.

Wi-Fi configuration is not applied to the Work Profile area of devices.

  • For devices enrolled as Fully Managed with Work Profile, the Wi-Fi configuration is applied only to the Fully Managed area of the device.
  • For device enrolled as Work Profile, the Wi-Fi configuration is not applied.
Policy Description Supported system
Configuration ID Assign a unique ID for each Wi-Fi setting.
Description Enter a description for each Wi-Fi setting.
Network Name (SSID)

Enter an identifier of a wireless router to connect to.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

Remove available Allows users to delete the Wi-Fi settings.
Automatic Connection

Controls whether the device automatically connects to this network.

Values

  • Use — Forces the device to set this network as default and connect to it when Wi-Fi is turned on.
  • Do Not Use — This network configuration is pushed to the device, but the device user chooses which networks to connect to.
Hidden Network Allows to hide the network from the list of available networks on the device. The SSID does not broadcast.
Security type Specifies the access protocol used and whether certificates are required.
> WEP Set a WEP KEY index from WEP KEY 1 to 4.
> WPA/WPA2-PSK Enter a password. You can enter up to 100 characters for the password.
> 802.1xEAP

Configure the following items:

  • EAP Method — Select an authentication protocol from between PEAP and TTLS.
  • 2-step authentication — Select one from PAP, MSCHAP, and MSCHAPV2 as a secondary authentication method.
  • User information input method — Select an input method for entering user information.
  1. Manual Input — Enter the user ID and Password for the Wi-Fi connection. You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.
  2. Connector interworking — Choose a connector from the User information Connector.
  3. User Information — Use the user information registered in Knox Manage to access Wi-Fi.
  • External ID — Assign an external ID for Manual Input.
  • User certificate input method — Select a user certificate confirmation method.
  1. EMM Management Certificate — Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting. Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.
  2. Connector interworking — Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Add sync services.

    When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.

  3. Issuing external CA — Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see External certificates.
CA certificate Select a root certificate. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as Wi-Fi and the Type set as Root are included on the list.
Proxy configuration Select a proxy server configuration method. You can use the server to route through the proxy server when the device is connected to Wi-Fi.
> Manual

Configure the proxy server manually.

  • Proxy host name — Enter the host name of the IP address of the proxy server
  • Proxy port — Enter the port number used by the proxy server
  • Proxy exception — Enter the IP address or domain address that cannot be accessed through the proxy server. If server authentication is required to use the proxy server, check the Server authentication check box.
  • User name — Enter the username for the proxy server.
  • Password — Enter the password for the proxy server.
> PAC automatic configuration

Configure the proxy server automatically.

You should enter the PAC web address, the URL of the PAC file that automatically determines which proxy server to use.

VPN

Configures a VPN (Virtual Private Network) on Android Enterprise devices.

You can configure the VPN settings to connect to a private network through a public network. You can add more VPN policy sets by clicking . Only the Pulse Secure VPN type can be configured for Android Enterprise devices.

Policy Description Supported system
Configuration ID Assign a unique ID for the VPN setting.
Description Enter a description for the VPN setting.
VPN type The VPN type is set to Pulse Secure by default and you cannot change it.
Always On VPN Creates a VPN connection when the device starts and maintains it while the device is turned on.
Server URL Enter the URL of the VPN server.
Authentication Type Select an authentication type for the VPN connection between Password, Certificate, and both.
User name

Enter the user ID for the VPN connection.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

Password Enter the password for the VPN connection.
Identity Certificate Select a certificate to identify itself to its peer.
Route Type Set to use the VPN settings for the entire device or for selected applications.
> Apps to use VPN Configuration Select applications to allow or disallow from using the VPN. To add an application, click Allowlist Apps or Blocklist Apps, click Add, and then select applications in the "Select Application" window.

Bookmark

Configures the bookmark settings, such as the configuration ID and installation area.

For Android Enterprise devices, a shortcut to the bookmarked address of a specific URL is created on the home screen of the device, not in the web browser.

NOTE
  • Only the device user can delete the shortcuts manually.
  • Deleting a bookmark policy from the Knox Manage agent can render different effects based on the OS version. In both cases, manual deletion by the device user is recommended:

    • Android Pie (9.0) — Shortcuts still appear grayed out on the home screen.
    • Android Oreo (8.0) — Shortcuts are not removed.
Policy Description Supported system
Configuration ID Assign a unique ID for each bookmark setting.
Description Enter a description for each bookmark setting.
Installation area

Specifies a location to install the bookmark.

  • Shortcut — Creates a shortcut of the bookmarked address on the home screen of the device. Shortcut icons are created based on the Samsung Launcher.
    1. Android Enterprise devices only support the shortcut type.
    2. Shortcut icons may not be able to be created depending on the type of launcher set by the user.
    3. An administrator cannot delete the shortcut icon, but the user can delete it manually.
Shortcut image Select a shortcut icon to be created on a user device.
Bookmark page URL Enter a website address to go to when a bookmark is selected.
Bookmark name Enter the bookmark name to be displayed as a title in the bookmark.

APN

Configures the device's Access Point Name (APN) settings for cellular data connectivity.

IMPORTANT — If you're configuring an APN for a Samsung device running Android 11 and lower, don't configure an APN for both the Android Enterprise profile and Samsung Knox profile types. Configure it for only one.
Policy Description Supported system
Configuration ID

Specifies the name of the APN configuration. Each configuration name must be unique.

Values

Enter a name.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Description

Specifies the description of the APN configuration.

Values

Enter a description.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Remove available

Toggles whether the device user can delete the APN.

Values

  • Allow (default)
  • Disallow

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Access Point Name (APN)

Specifies the name of the APN, which is comprised of the network identifier and optional operator identifier.

Values

Enter a name.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Access Point Type

Specifies which connection services to allow for this APN.

Values

  • Default — Allows all services. Also known as unspecified.
  • MMS — Allows only the Multimedia Messaging Service (MMS).
  • Supl — Allows only the Secure User Plane Location (SUPL) service, which is an IP-based protocol that uses GPS for device geolocation.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Mobile Country Code (MCC)

Specifies the MCC of the APN.

Values

Enter a 3-digit MCC.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Mobile Network Code (MNC)

Specifies the carrier's MNC for the APN.

Values

Enter a 2- or 3-digit MNC.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

MMS Server (MMSC)

Specifies the address of the carrier's MMS server.

Values

Enter a URL.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

MMS Proxy Server

Specifies the address of the carrier's MMS proxy server.

Values

Enter an IP or domain.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

MMS Proxy Server Port

Specifies the port of the carrier's MMS proxy server.

Values

Enter a port.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Proxy Server

Specifies the address of the carrier's WAN proxy server.

Values

Enter a URL.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Proxy Server Port

Specifies the port of the carrier's WAN proxy server.

Values

Enter a port.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Access Point Username

Specifies the account username to use when connecting to the APN.

Values

Enter a username. By default, the field contains the ${UserName} lookup item, which substitutes for the username associated with the device in KM.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Access Point Password

Specifies the account password to use when connecting to the APN.

Values

Enter a password.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Authentication Method

Specifies the protocol to use when authenticating with the APN.

Values

  • None — Disables authentication.
  • PAP — Uses the Password Authentication Protocol (PAP), which requires a username and password.
  • CHAP — Uses the Challenge-Handshake Authentication Protocol (CHAP), which implements challenge messages to validate identities.
  • PAP or CHAP — Uses either the PAP or CHAP method, depending on which is available.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Certificate

Allows using new certificate authority (CA) certificates and configuring the certificate settings.

You can install a user certificate on a device and use the certificate through Wi-Fi or on websites. You can add more certificate policy sets by clicking add.

Policy Description Supported system
Configuration ID Assign a unique ID for each certificate setting.
Description Enter a description for each certificate setting.
Install Area Specify where the certificate should be installed.
User certificate input method

Select an input method for entering certificate information.

  • EMM Management Certificate — Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.
NOTE — Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.
  • Connector interworking — Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Adding sync services.
  • When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.
  • Issuing external CA — Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template.

    Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Adding external certificates.

Certificate Category

Select a certification category when EMM Management Certificate is selected in User certificate input method,

  • CA certificate — Select a certificate to use from the CA certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as Root show on the list.
  • User certificate — Select a certificate to use from the User Certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose has been set as CA Cert and the Type set as User show on the list.
Apps with Delegated Certificate Management Add specific applications, which are installed on the device, to grant silent privileged access using a certificate while running.