Android Enterprise Policies

This section describes the policies you can configure for Android Enterprise devices.

Knox Manage supports three types of Android Enterprise: Fully Managed, Work Profile, and Fully Managed with Work Profile.

| Type | Description |
| --- | --- |
| Fully Managed | Controls the whole device. |
| Work Profile | Controls only designated work areas. |
| Fully Managed with Work Profile | Controls both the personal and work areas and applies different policies to each of them. |
NOTE
  • The Fully Managed with Work Profile type is supported only on devices running Android 8.0 (Oreo) or higher.
  • Some policies support only Samsung Galaxy devices.

The availability of each policy varies depending on the enrollment type and the OS version.

System

Provides backup and restore settings and other features. Updates the operating system on a device.

Interface

Controls the network settings, such as Bluetooth, Wi-Fi Direct, and tethering.

Security

Configures the security settings, such as the password and lock screen.

Kiosk

Configures Kiosk applications on a Kiosk device and controls the device settings.

Application

Configures options for application controls such as installation, verification, and permission.

Location

Allows the use of GPS or collecting location data from a device.

Phone

Configures the phone settings, such as airplane mode, the microphone settings, and the cellular network settings.

Container

Allows data transfers within the Work Profile or with other devices.

Factory Reset Protection

Configures the security policy to prevent the unauthorized use of a device after a factory reset.

Secure Browser

Configures the Secure Browser app. If you enable Secure Browser on a device, the KM Secure Browser app is automatically installed right after the Knox Manage agent is enrolled.

NOTE— This is a Premium feature. To be able to use it, the device must be enrolled under a Knox Suite license.

Wi-Fi

Configures the Wi-Fi settings, such as SSID, security type, and proxy.

VPN

Configures a VPN (Virtual Private Network) on Android Enterprise devices.

Bookmark

Configures the bookmark settings, such as the configuration ID and installation area.

Certificate

Allows using new certificate authority (CA) certificates and configuring the certificate settings.

System

Policy

Description

Supported devices

User Certificate Settings

Allows the setting of user certificates.

DO/PO: Android 4.3 or higher

Camera

Allows using the camera.

NOTE— If the device is activated as a Work Profile, only the camera function in the Work Profile is controlled.

DO: Android 4.0 or higher, Samsung Knox 1.0 or higher

PO: Android 5.0 or higher

Screen capture

Allows use of the screen capture function, which is already set as default.

DO: Samsung Knox 1.0 or higher

PO: Android 5.0 or higher

System update

Allows setting whether and how over-the-air (OTA) updates are applied to devices. Choose one of the following options:

  • Automatic: Automatically apply updates as soon as they become available.

  • Postpone: Postpone OTA updates for up to 30 days.

  • Windowed: Schedule OTA updates to occur at a specific time within a daily maintenance window. Use the 24-hour format for the time (00:00-23:59).

DO: Android 6 or higher

Account Modification

Allows modification (add/delete) of the accounts added for each application.

  • Disallow: Disallows adding or deleting users even if the Add/Delete User policies are allowed.

DO/PO: Android 4.3 or higher

> Account Blacklist

Add to the blocklist the specific account types that must not be added on the device (Settings > Accounts and backup > Accounts).

Specify the correct account name to block. For instance, enter com.google.android.gm.pop3 for a Gmail (pop3) account.

NOTE— Here are the account names of the applications that are mainly used:

| Application | Package name | Account name |
| --- | --- | --- |
| Google Play Service | com.google.android.gms | com.google |
| Google Play Service | com.google.android.gms | com.google.android.gms.matchstick |
| Gmail | com.google.android.gm | com.google.android.gm.pop3 |
| Gmail | com.google.android.gm | com.google.android.gm.exchange |
| Gmail | com.google.android.gm | com.google.android.gm.legacyimap |
| Samsung Experience Service | com.samsung.android.mobileservice | com.osp.app.signin |
| Samsung Experience Service | com.samsung.android.mobileservice | com.samsung.android.coreapps |
| Samsung Experience Service | com.samsung.android.mobileservice | com.samsung.android.mobileservice |
| Duo | com.google.android.apps.tachyon | com.google.android.apps.tachyon |
| NAVER | com.nhn.android.search | com.nhn.android.naveraccount |
| Facebook | com.facebook.katana | com.facebook.auth.login |
| Outlook | com.microsoft.office.outlook | com.microsoft.office.outlook.USER_ACCOUNT |
| OneDrive | com.microsoft.skydrive | com.microsoft.skydrive |

DO/PO: Android 5.0

VPN Setting

Allows the user to configure the VPN settings on the device.

DO: Android 5.0 or higher

PO: Android 7.0 or higher

Add User

Allows adding new users on the device.

DO: Android 5.0 or higher

Delete User

Allows deleting the added users.

DO: Android 4.3 or higher

Safe mode

Allows using Safe Mode. This policy retains device control functions such as camera control, but not Knox Manage applications and preloaded applications.

DO: Android 6.0 or higher, Samsung Knox 1.0 or higher

Change wallpaper

Allows changing the home and lock screens.

DO: Android 7.0 or higher, Samsung Knox 1.0 or higher

External SD card

Allows using the external SD card.

DO: Android 4.0 or higher, Samsung Knox 1.0 or higher

> Write to external SD card

Allows writing to an external SD card.

NOTE— If the external SD card policy is allowed but the Write to external SD card policy is not, then external SD cards can only be read and do not have reset control.

DO: Samsung Knox 1.0 or higher

Factory reset

Allows a device factory reset.

DO: Android 5.0 or higher, Samsung Knox 1.0 or higher

S Beam

Allows using Android Beam which transfers data via NFC.

NOTE— Android 10 (Q) or higher devices are not supported.

DO: Android 5.0 or higher, Samsung Knox 1.0 or higher

Create Window

Allows a window to be created and launched on top when users use multi-window as a pop-up window or in split screen mode on the device.

DO: Android 5.0 or higher

Easter Egg

Allows executing the Easter Egg games on devices with specific actions.

DO: Android 6.0 or higher

Brightness Setting

Allows changing of the screen brightness level.

DO: Android 9.0 or higher

AOD

Allows the always on display feature that displays brief information on the lock screen, such as notifications or time.

DO: Android 9.0 or higher

System Error Screen

Allows an error dialog to be displayed when an application shuts down abnormally.

DO: Android 9.0 or higher

If compromised OS is detected

Select a measure to take when a compromised OS is detected.

  • Lock device: Locks the device.
  • Lock Email: Locks email use.
  • Factory reset + Initialize SD card: Simultaneously factory resets the user device and the SD card.
  • Factory reset: Resets the user device but not the SD card.
NOTE— The factory reset (only) function is unsupported in Android 2.0 or lower. To reset the device, select the Factory reset + Initialize SD card option.

DO: Android 1.0 or higher

Set Notifications from an event to On.

Set the device to display a notification when a device control event is applied.

  • User defined: Users can set event notifications on the device from the Settings menu of the Knox Manage agent.
  • Show notification: Displays the notification when an event for device control is applied.
  • Hide notifications: Hides the notification when an event for device control is applied.

DO: Android 1.0 or higher, Samsung Knox 1.0 or higher

Set Notifications from an event to Off.

Set the device to display a notification when an event for device control is disengaged.

  • User Defined: Users can set event notifications on the device from the Settings menu of the Knox Manage agent.
  • Show notification: Displays a notification when an event for device control is disengaged.
  • Hide notifications: Hides a notification when an event for device control is disengaged.

DO: Android 1.0 or higher, Samsung Knox 1.0 or higher

Fix Event Notification

Set the removal of notifications from the device Quick panel.

  • User Defined: Users can remove notifications on the device from the Settings menu of the Knox Manage agent.
  • Disallow to Remove Notification: Users cannot remove notifications on the device Quick Panel.
  • Allow to Remove Notification: Users can remove notifications on the device Quick Panel.

DO: Android 1.0 or higher, Samsung Knox 1.0 or higher

Encryption for storage

Specifies the encryption of the device’s internal storage or the external SD card.

DO: Android 4.1 or higher, Samsung Knox 1.0 or higher

> Storage encryption

Check the checkbox to select the storage to be encrypted.

NOTE— External SD card encryption is applicable to Samsung Galaxy devices only.

 

NTP Settings

Allows using the NTP (Network Time Protocol) server. Register this server to sync the server time to a device.

 

> Server address

Enter the NTP server address.

DO: Samsung Knox 2.5 or higher

> Maximum number of attempts

Set the maximum number of attempts for connecting to the NTP server to retrieve the time information.

The value can be between 0 – 100 attempts.

DO: Samsung Knox 2.5 or higher

> Polling cycles (hr)

Set the cycle to reconnect to the server via NTP.

The value can be between 0 – 8760 hours (8760 hours = 1 year).

DO: Samsung Knox 2.5 or higher

> Short polling cycle (sec)

Set the cycle to re-connect to the NTP server after experiencing a timeout.

The value can be between 0 – 1000 seconds.

DO: Samsung Knox 2.5 or higher

> Timeout (sec)

Set the connection timeout on the NTP server.

The value can be between 0 – 1000 seconds.

DO: Samsung Knox 2.5 or higher

Automatic Date and Time

Allows changing the date and time settings.

DO: Android 5.0 or higher

Select Time Zone

Allows selecting a time zone to apply for the device.

NOTE— If you enable this policy, the Automatic Date and Time policy will be allowed.

DO: Android 5.0 or higher, Samsung Knox 1.0 or higher

> Time Zone

Select a time zone from the list.

 

Language Setting

Allows the language setting policy.

DO: Android 9.0

Location Setting

Allows users to change the Location settings.

  • Disallow: Users cannot change the on/off setting of the device location.

DO: Android 9.0

Backup

Allows backup of the device data.

NOTE— If the backup function can be found on your device at Google > Backup, it may seem possible to turn the backup setting on or off, even if this policy is set to Disallow. However, the functionality of backup is prohibited, regardless of mobile UI, when the Backup policy is set to Disallow.

DO: Android 8.0 or higher

Interface

Policy

Description

Supported devices

Printing

Allows the printing function.

DO/PO: Android 9.0 or higher

Autofill Service

Allows auto-completion of information that you enter on websites in the Android browser.

DO/PO: Android 8.0 or higher

Network Reset

Allows the network usage reset function on a set date.

NOTE— For Android 7.0 or lower devices, this applies to Samsung devices (Knox 1.0+) only.

DO: Android 6.0 or higher

Mobile Network Setting

Allows configuring the mobile network settings.

DO: Android 5.0 or higher

Allow Wi-Fi Change

Allows changing the Wi-Fi Settings.

DO: Android 4.3 or higher

Wi-Fi

Allows using Wi-Fi. If the Wi-Fi policy has not been applied successfully, the device will try to apply it again 30 minutes after Knox Manage is activated.

  • Allow: Allows using Wi-Fi.
  • Disable On: Disallows turning Wi-Fi on. It is turned off at all times.
  • Disable Off: Disallows turning Wi-Fi off. It is turned on at all times.

DO: Android 1.0 or higher, Samsung Knox 1.0 or higher

> Wi-Fi Direct

Allows use of the Wi-Fi Direct (Wi-Fi P2P) connection.

NOTE—
  • Set the Wi-Fi policy to Allow or Disable Off before using this policy.
  • The direct connection of the two devices may cause the device function or the menu to be controlled, depending on the device type.

DO: Samsung Knox 1.0 or higher

Tethering Setting

Allows configuring the tethering settings.

DO: Android 5.0 or higher

Bluetooth

Allows using Bluetooth.

  • Allow: Allows turning Bluetooth on.
  • Disable On: Disallows turning Bluetooth on.

DO: Android 8.0 or higher, Samsung Knox 1.0 or higher

> Desktop PC connection

Allows PC connection with the user’s device via Bluetooth.

DO: Samsung Knox 1.0 or higher

> Data transfer

Allows data exchanges with other devices via Bluetooth connection.

DO: Samsung Knox 1.0 or higher

> Search mode

Allows device search mode.

DO: Samsung Knox 1.0 or higher

Bluetooth Setting

Specifies the controls for Bluetooth use.

DO: Android 4.3 or higher

Bluetooth Share

Allows Bluetooth sharing.

DO: Android 8.0 or higher

PC connection

Allows connecting the user’s device to a PC.

DO: Android 4.3 or higher, Samsung Knox 1.0 or higher

Security

Policy

Description

Supported devices

Device Password

Set the password for the device screen lock. Use of the camera is prohibited when the device is screen locked.

The password can be applied to the following areas.

  • Fully Managed: The whole device area for Fully Managed (DO) devices, or personal area for Fully Managed with Work Profile devices.
  • Work Profile: The personal area of Work Profile (PO) devices. If you want to configure the password policy for a Work Profile container, navigate to Security > Work profile password.
NOTE—
  • For the Fully Managed (DO) type and the Fully Managed with Work Profile type, if the strength of the screen lock password of the device is lower than the device policy, the device will be locked through the Lock Task mode. The users of the devices will not be able to use any other functions until the password is configured.
  • If the device is using a One Lock password and the policy for the personal area and work area have been configured differently, the stronger password policy will be applied.

 

> Minimum strength

Set the minimum password strength on the screen.

  • Weak Biometric: Set the password using a low-security biometric recognition method.
  • Pattern: Set the password using a pattern or a password with a higher degree of complexity.
  • Numeric: Set the password using numbers or a password with a higher degree of complexity.
  • Numeric Complex: Set the password containing at least numeric characters with no repeating (4444) or ordered (1234, 4321, 2468) sequences.
  • Alphabetic: Set the password containing at least alphabetic (or other symbol) characters.
  • Alphanumeric: Set the password using alphanumeric characters or a password with a higher degree of complexity.
  • Complex: Set it so that the passwords must include alphanumeric and special characters.
NOTE— The password strength increases in the following ascending order: Weak Biometric < Pattern < Numeric < Numeric Complex < Alphabetic < Alphanumeric < Complex.

DO: Android 2.2 or higher, Samsung Knox 2.0 or higher

PO: Android 7.0 or higher

>> Minimum length

Set the minimum length of the password.

The value can be between 4 - 16 characters for Numeric or Alphanumeric.

The value can be between 6 - 16 characters for Complex.

NOTE— Minimum length of the pattern password refers to the number of lines connecting each dot. For example, if the policy value is 4, at least four lines connecting five dots must be entered.

DO: Android 2.2 or higher, Samsung Knox 2.0 or higher

PO: Android 7.0 or higher

>> Minimum number of letters

Set the minimum number of letters required in the password.

The value can be between 1 - 10 characters.

DO: Android 3.0 or higher

PO: Android 7.0 or higher

>> Minimum number of non-letters

Set the minimum number of numeric and special characters required in the password.

The value can be between 1 - 10 characters.

DO: Android 3.0 or higher

PO: Android 7.0 or higher

>> Minimum number of lowercase letters

Set the minimum number of lowercase letters required in the password.

The value can be between 1 - 10 characters.

DO: Android 3.0 or higher

PO: Android 7.0 or higher

>> Minimum number of capital letters

Set the minimum number of uppercase letters required in the password.

The value can be between 1 - 10 characters.

DO: Android 3.0 or higher

PO: Android 7.0 or higher

>> Minimum number of numeric characters

Set the minimum number of numeric characters required in the password.

The value can be between 1 - 10 characters.

DO: Android 3.0 or higher

PO: Android 7.0 or higher

>> Minimum number of special characters

Set the minimum number of special characters required in the password.

The value can be between 1 - 10 characters.

DO: Android 3.0 or higher

PO: Android 7.0 or higher

>> Manage password history (times)

Set the minimum number of new passwords that must be used before a user can reuse the previous password.

The value can be between 0 - 10 times.

NOTE— If the password is ‘Knox123!’ and the minimum value is set as 10, the user must use ten other passwords before reusing ‘Knox123!’ as password.

DO: Android 3.0 or higher, Samsung Knox 1.0 or higher

PO: Android 7.0 or higher

>> Expiration after (days)

Set the maximum number of days before passwords must be reset.

The value can be between 0 - 365 days.

DO: Android 3.0 or higher, Samsung Knox 1.0 or higher

PO: Android 7.0 or higher

>> Maximum Failed Login Attempts

Set the maximum number of incorrect password attempts before access is restricted.

You can set this only when Numeric, Alphanumeric, or Complex is selected.

The value can be between 0 - 10 times.

DO: Android 2.2 or higher, Samsung Knox 2.0 or higher

>>> If maximum failed login attempts exceeded

Select the action to be performed when the maximum number of failed attempts is reached.

For the Fully Managed (DO) type:

  • Lock device: Locks the device.
  • Factory reset + Initialize SD card: Simultaneously resets the user device and the SD card.
  • Factory reset: Resets the user device but not the SD card.

For the Work Profile (PO) type:

  • Work Profile removal: Deletes the Work Profile container.

DO: Android 2.2 or higher, Samsung Knox 2.0 or higher

PO: Android 7.0 or higher

>> Screen lock timeout (min)

Set the duration for locking the device when the user has not set up a password for the screen lock.

The value can be between 0 - 60 minutes.

DO: Samsung Knox 1.0 or higher

>> Maximum length of sequential numbers

Set the maximum number of consecutive numeric characters allowed in a password.

The value can be between 1 - 10 words.

DO: Samsung Knox 1.0 or higher

>> Maximum length of sequential characters

Set the maximum number of consecutive letters allowed in a password.

The value can be between 1 - 10 words.

DO: Samsung Knox 1.0 or higher

Block function setting on lock screen

Allows blocking functions on the lock screen.

NOTE— The visibility of the notifications on the lock screen depends on the options you set in the application.

 

> Block functions on lock screen

Select the functions to be blocked on the lock screen when a password policy is set on a device.

For the Fully Managed (DO) type:

  • Camera: Blocks direct camera control on lock screen.
  • Trust Agent: Blocks the Smart Lock function which automatically unlocks the screen in certain conditions, such as during a certain physical activity, at a specific location, or when devices are added.
  • Fingerprint: Blocks the fingerprint unlock function.
  • Iris: Blocks the iris unlock function.
  • Face: Blocks the face unlock function.
  • Previews in pop-ups: Displays notifications on the lock screen but hides private content set in the application.
  • Notifications: Hides all notifications on the lock screen.

For the Work Profile (PO) type:

  • Trust Agent: Blocks the Smart Lock function which automatically unlocks the screen in certain conditions, such as during a certain physical activity, at a specific location, or when certain devices are added.
  • Fingerprint: Blocks the fingerprint screen unlock function.
  • Iris: Blocks the iris unlock function.
  • Face: Blocks the face unlock function.

DO: Android 5.0 or higher

PO: Android 7.0 or higher

Enforce Multi factor Authentication

Enable multifactor authentication (2FA) that unlocks a device only after two authentication methods are provided, including one biometric input (face/iris/fingerprint) and one lock screen method (PIN/password/pattern).

NOTE— Incorrect use of this policy together with “One Lock” and “Biometric policy” can lock your device.

DO: Samsung Knox 3.0 or higher

Lock screen

Set to allow or disallow the user to change the Lock Screen setting.

Samsung Knox 5.0 or higher

Screen timeout

Allows the user to change the Screen Timeout setting.

DO: Android 9.0 or higher

Maximum screen timeout

Set the maximum time limit that a user can linger before screen timeout.

DO: Android 2.2 or higher, Samsung Knox 2.0 or higher

Work profile password

Set to use the Work Profile container screen lock password. On Work Profile installation, the users are directed to set the Work Profile screen lock password.

NOTE—
  • If users forget their password and ask you, you should send the device command to reset the password and guide them to input the temporary password that was sent. For more information about the procedure, see Viewing the device details.
  • If the device is using a One Lock password, and the policy for the personal area and work area have been configured differently, the stronger password policy will be applied.
  • If you want to configure the policy for the personal area of a Work Profile (PO) device, navigate to Security > Device password.

 

> Minimum strength

Set the minimum password strength on the screen.

  • Weak Biometric: Set the password using a low-security biometric recognition method.
  • Pattern: Set a password with a pattern or with a higher degree of complexity.
  • Numeric: Set a password with numbers or with a higher degree of complexity.
  • Numeric Complex: Set the password containing at least numeric characters with no repeating (4444) or ordered (1234, 4321, 2468) sequences.
  • Alphabetic: Set the password containing at least alphabetic (or other symbol) characters.
  • Alphanumeric: Set a password with alphanumeric characters or with a higher degree of complexity.
  • Complex: All passwords must include alphanumeric and special characters.
NOTE— The password strength increases in the following ascending order: Weak Biometric < Pattern < Numeric < Numeric Complex < Alphabetic < Alphanumeric < Complex.

PO: Android 2.2 or higher

>> Minimum length

Set the minimum length of the password.

The value can be between 4 - 16 characters for Numeric or Alphanumeric.

The value can be between 6 - 16 characters for Complex.

 

PO: Android 2.2 or higher

>> Minimum number of letters

Set the minimum number of letters required in the password.

The value can be between 1 - 10 characters.

PO: Android 3.0 or higher

>> Minimum number of non-letters

Set the minimum number of numeric and special characters required in the password.

The value can be between 1 - 10 characters.

PO: Android 3.0 or higher

>> Minimum number of lowercase letters

Set the minimum number of lowercase letters required in the password.

The value can be between 1 - 10 characters.

PO: Android 3.0 or higher

>> Minimum number of capital letters

Set the minimum number of uppercase letters required in the password.

The value can be between 1 - 10 characters.

PO: Android 3.0 or higher

>> Minimum number of numeric characters

Set the minimum number of numeric characters required in the password.

The value can be between 1 - 10 characters.

PO: Android 3.0 or higher

>> Minimum number of special characters

Set the minimum number of special characters required in the password.

The value can be between 1 - 10 characters.

PO: Android 3.0 or higher

>> Manage password history (times)

Set the minimum number of new passwords that must be used before a user can reuse the previous password.

The value can be between 0 - 10 times.

NOTE— If the password is ‘Knox123!’ and the minimum value is set as 10, the user must use ten other passwords before reusing ‘Knox123!’ as password.

PO: Android 3.0 or higher

>> Expiration after (days)

Set the maximum number of days before the password must be reset.

The value can be between 0 - 365 days.

PO: Android 3.0 or higher

>> Maximum Failed Login Attempts

Set the maximum number of incorrect password attempts before access is restricted.

The value can be between 0 - 10 times.

PO: Android 2.2 or higher

Block function setting on lock screen

Allows blocking functions on the lock screen.

NOTE— The visibility of the notifications on the lock screen depends on the options you set in the application.

PO: Android 4.2 or higher

> Block functions on lock screen

Select the function to be blocked on the lock screen when a password policy is set on a device.

  • Trust Agent: Blocks the Smart Lock function which automatically unlocks the screen in certain conditions, such as during a certain physical activity, at a specific location, or when certain devices are added.
  • Fingerprint: Blocks the fingerprint screen unlock function.
  • Previews in pop-ups: Displays notifications on the lock screen but hides private content set in the application.
  • Iris: Blocks the iris unlock function.
  • Face: Blocks the face unlock function.

 

SafetyNet Attestation

Allows the use of SafetyNet attestation to validate the integrity of the device.

DO/PO: Android 6.0 or higher

> Verification Interval (days)

Set an interval at which the SafetyNet Attestation API assesses the devices.

 

> Verification Failure Policy (During Enrollment)

Select a measure.

  • Admin Alert: Sends an alert to the administrator.
  • Unenrollment (Factory Reset) (for DO only): Unenrolls the device and performs a factory reset.
  • Unenrollment (for PO only): Unenrolls the device.

 

> Verification Failure Policy (After Enrollment)

Select a measure.

  • Admin Alert: Sends an alert to the administrator.
  • Lock device (for DO only): Locks the device.
  • Unenrollment (Factory Reset) (for DO only): Unenrolls the device and performs a factory reset.
  • Unenrollment (for PO only): Unenrolls the device.
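
The Minimum strength tiers listed under Device Password and Work profile password, shown as an added Python example (not Knox Manage or Android code): it classifies a typed PIN or password into the highest tier it reaches and checks it against a minimum strength and length. The tier rules are read from the descriptions on this page; the run threshold `MAX_RUN = 3` and the names `classify`, `check` and `longest_constant_step_run` are assumptions made for illustration.

```python
from enum import IntEnum


class Strength(IntEnum):
    """Tiers in the ascending order given by the page's NOTE."""
    WEAK_BIOMETRIC = 0
    PATTERN = 1
    NUMERIC = 2
    NUMERIC_COMPLEX = 3
    ALPHABETIC = 4
    ALPHANUMERIC = 5
    COMPLEX = 6


# Assumption: a run longer than this counts as "repeating or ordered".
# The page only gives 4-digit examples (4444, 1234, 4321, 2468).
MAX_RUN = 3
DIGITS = set("0123456789")


def longest_constant_step_run(digits: str) -> int:
    """Length of the longest run whose neighbouring digits differ by a fixed step.

    Step 0 is a repeat (4444), +1/-1 is counting (1234, 4321), +2 is 2468.
    """
    if len(digits) < 2:
        return len(digits)
    best, run, prev_step = 1, 1, None
    for a, b in zip(digits, digits[1:]):
        step = int(b) - int(a)
        run = run + 1 if step == prev_step else 2
        prev_step = step
        best = max(best, run)
    return best


def classify(secret: str, max_run: int = MAX_RUN) -> Strength:
    """Highest tier a typed PIN or password reaches.

    Pattern and biometric unlocks are not text, so they are never returned.
    """
    if not secret:
        raise ValueError("empty secret")
    has_digit = any(c in DIGITS for c in secret)
    has_letter = any(c.isalpha() for c in secret)
    has_special = any(c not in DIGITS and not c.isalpha() for c in secret)
    if has_digit and has_letter and has_special:
        return Strength.COMPLEX
    if has_digit and (has_letter or has_special):
        return Strength.ALPHANUMERIC
    if has_letter or has_special:
        return Strength.ALPHABETIC
    # Digits only: Numeric Complex unless a repeating or ordered run is too long.
    if longest_constant_step_run(secret) > max_run:
        return Strength.NUMERIC
    return Strength.NUMERIC_COMPLEX


def check(secret: str, min_strength: Strength, min_length: int) -> list:
    """Return the reasons the secret fails the policy; an empty list means it passes."""
    problems = []
    if len(secret) < min_length:
        problems.append(f"length {len(secret)} is below the minimum of {min_length}")
    reached = classify(secret)
    if reached < min_strength:
        problems.append(f"strength {reached.name} is below {min_strength.name}")
    return problems


if __name__ == "__main__":
    # Constructed sample secrets; "Knox123!" is the example password used on this page.
    for secret in ["4444", "1234", "2468", "7395", "abc123", "Knox123!"]:
        verdict = check(secret, Strength.NUMERIC_COMPLEX, 4) or ["ok"]
        print(f"{secret!r:12} {classify(secret).name:16} {'; '.join(verdict)}")
```

A PIN such as 2468 passes a Numeric policy but fails Numeric Complex, which is why the tier choice matters more than the minimum length for short numeric secrets.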

 

Kiosk

Policy

Description

Supported devices

Setting Plugged in Screen On

Enable this feature to set the device screen on when charging using any of the following options:

> Screen on when Plugged into Charger

Select the option to apply the policy:

  • AC Charger
  • USB Charger
  • Wireless Charger
Multiple selection is possible.

Kiosk app settings

Select a Kiosk feature to use on a device.

  • Single app: Runs a single application on the device’s home screen.
  • Multi app: Runs multiple applications that are developed using the Kiosk Wizard.
  • Kiosk Browser: Opens webpages that are specified by the administrator.

NOTE—
  • Single App Kiosks are not available with non-Samsung Android Enterprise Fully Managed (DO) devices that are running Android 6.0-8.0.
  • Knox Manage provides Single App Kiosk with Google managed applications for Android Enterprise devices with version 9.0 (Pie) or higher.

DO: Samsung Knox 1.0 or higher

Non-Samsung DO: Android 9.0 or higher

> Set application

Click Select, and then choose Public applications (Managed Google Play Store) or Kiosk applications from the Kiosk application list. Alternatively, click Add, and then manually add applications. For more information about adding single applications, see Create a kiosk using the Kiosk Wizard.

 

> Set application

Click Select to select multiple Kiosk applications from the list or click New to create a Multi App Kiosk.

 

> Set Kiosk Browser

When setting up the Kiosk Browser, the package name of the application registered as the Kiosk Browser will be automatically selected.

 

> Default URL

Set the default page URL to call in the Kiosk Browser.

NOTE— You can enter a URL that is up to 128 bytes including alphanumeric characters and some special characters (_, ., -, *, /).

 

App Auto Update

Set the Kiosk Browser to be updated automatically.

> Screen Saver

Use the screen saver for the multi-app kiosk and the Kiosk Browser. When no user activity has been sensed for a certain amount of time set in the Auto Screen Off or Session Timeout settings on the device, the registered images or video files will be activated on the device display.

NOTE— The Screen Saver for the Kiosk Browser only runs while the device is charging.

 

>> Screen Saver Type

Select either an image or video type screensaver.

 

>>> Image

Select image files for the screen saver. You can add up to 10 image files in the PNG, JPG, JPEG, or GIF format (animated files are not supported). Each image file must be less than 5 MB.

  • To upload an image file, click Add and select a file.
  • To delete an image file, click next to the name of the uploaded image file.
NOTE— The device control command must be transferred to the device to apply an image file to it.

 

>>> Video

Select a video file for the screen saver. You can add only one video file in the MP4 or MKV format. The video file must be less than 50 MB.

  • To upload a video file, click Add and select a file.
  • To delete a video file, click next to the name of the uploaded video file.
NOTE— The device control command must be transferred to the device to apply a video to it.

 

> Session timeout

Allows the use of the session timeout feature for the Kiosk Browser. If the user does not use the device for a set time, the device deletes user information, such as the cache and cookies, in the device Kiosk Browser and goes to the main page URL:

  • Apply: Enables the session timeout feature for the browser.

 

>> Time (sec)

Set the session timeout in seconds for the Kiosk Browser.

The value can be between 10 - 3600 secs (default is 1800).

 

> Text Copy

Allow the copying of text strings in the Kiosk Browser.

 

> Javascript

Allow the running of the JavaScript contained in websites.

 

> Http Proxy

Allow the use of an HTTP proxy for communications in the Kiosk Browser.

 

>> IP/Domain:Port

Set the HTTP proxy server IP or domain address, and Port. When not entered, the Port number is automatically set to 80.

 

> User agent settings key value

Set the key value to be added to the user agent. Allow the Kiosk Browser to access the Web server and the user agent key values contained in the HTTP header.

NOTE— User agent key settings can be used on the web server to detect access from browsers other than the Kiosk Browser.

 

> File Upload

Allows the user to upload files to websites through the Kiosk Browser.

Disallow is the default value.

 

Delete Kiosk app when policy is removed

Allows deleting applications along with policies from a device when the applied policy is deleted.

DO: Samsung Knox 1.0

Non-Samsung DO: Android 9.0

Prohibit hardware key

Allows the use of the hardware keys.

 

> Disallow hardware key(s)

Select hardware keys to disable. The availability of hardware keys can vary by device.

If you do not allow the use of the Task Manager, then it will not run, even if the user taps the left menu key in the Navigation bar at the bottom of the device.

DO: Samsung Knox 1.0 or higher

Utilities setting

Allows the use of specific features on Kiosk mode devices.

DO: Android 9.0

> Power

Allows the use of the Power button to turn off or restart the device.

 

> Recent apps

Allows the use of the Recent task button. The Home button also needs to be allowed to use the Recent task button.

 

> System status bar

Allows the use of the system status bar, which displays the time, network connectivity, and battery status.

NOTE— For Android P or higher devices, you must allow the notification bar as well to enable the system status bar.

 

> Notification bar

Allows access to the notification bar. If this policy is set to Allow, the Home policy will be allowed automatically.

 

> Home

Allows the use of the Home button on the device.

 

> Key guard

Allows the screen lock policy to be applied to the device. If it is set to Disallow, users can access the Kiosk device without a screen lock password, regardless of the screen lock policy of the device.

 

Application

Policy

Description

Supported devices

Installation of application from untrusted sources

Allows the installation of applications from untrusted sources instead of just the Google Play Store.

DO: Android 4.3 or higher

PO: Android 5.0 or higher

Skip App Tutorial

Allows the users to skip application tutorials.

DO and PO: Android 1.0 or higher

App Control

Allows application control from the settings application.

The following actions can be configured:

  • Delete / Execute / Prevention / CACHE Removal / Data Removal / Focused Exit / Default App Removal.

DO: Android 5.0 or higher

App Installation

Allows application installation.

DO: Android 4.3 or higher

PO: Android 5.0 or higher

App Uninstallation

Allows application uninstallation.

DO: Android 4.3 or higher

PO: Android 5.0 or higher

App Verification

Allows application verification via Google for all device applications.

DO: Android 5.0 or higher

PO: Android 5.0 - 7.1

App Permission

Allows application runtime permission settings for all areas.

  • Prompt: Prompts users to grant or deny permissions.
  • Grant: Grants all relevant permissions.
  • Deny: Denies all relevant permissions.
NOTE— This policy applies to all applications.

DO/PO: Android 6.0 or higher

> App permission exception policy list

Add individual applications and set a different permission policy for each application.

  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.

DO/PO: Android 6.0 or higher

App Execution Blacklist Setting

Set to prevent the execution of the device applications.

 

> App execution blacklist

Add applications to prevent their execution. The icon of a blocked application disappears, and users cannot run the application.

  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
NOTE— An application that has been added on the Application installation whitelist policy cannot be added.

DO/PO: Android 5.0 or higher

Application uninstallation prevention list Setting

Set to prevent the uninstallation of the device application.

 

> Application uninstallation prevention list

Add applications to prevent their uninstallation.

  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.

DO/PO: Android 5.0 or higher

System App Activation Setting

Set to activate hidden system applications so that they are visible on Android Enterprise devices. If a device is activated with Android Enterprise, only designated applications appear on the device.

NOTE— Applications cannot be activated if they are listed under the Application installation block list.

 

> System App Activation

Add system applications to be activated.

  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.

DO/PO: Android 5.0 or higher

Settings for whitelisting apps allowing external SD card

Allows the use of an external SD card. The external SD card cannot be used by default.

 

> Whitelisted apps for external SD card

Add applications that can use an external SD card.

  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.

 

Location

Policy

Description

Supported devices

GPS

Configure to force quit the GPS feature of the device. Users can freely change this feature setting on the device if the Location Setting policy is set to Allow.

  • Disable On: Disables the GPS feature on the device.

DO: Android 4.3 or higher, Samsung Knox 1.0 or higher

PO: Android 4.3 or higher

Report device location

Allows collecting location data.

  • User consent: Allows location data collection only with the user’s consent.
NOTE— If the Fully Managed with Work Profile type is used, location data from devices is collected based on the Report Device Location value, which is specified in the Fully Managed Device policy.

DO: Android 2.3 or higher, Samsung Knox 1.0 or higher

PO: Android 5.0 or higher

> Report device location interval

Set an interval period to save the location data of the device.

NOTE— To set the collection interval, select either Allow or User consent for the Report device location policy.

DO: Android 2.3 or higher, Samsung Knox 1.0 or higher

PO: Android 5.0 or higher

High Accuracy Mode

Set to collect accurate GPS locations of the devices.

DO: Android 2.3 or higher, Samsung Knox 1.0 or higher

PO: Android 5.0 or higher

Phone

Policy

Description

Supported devices

Airplane mode

Allows the use of airplane mode.

DO: Android 9.0 or higher, Samsung Knox 2.0 or higher

Cell Broadcast Setting

Allows the use of emergency broadcast settings.

The carrier can send the same message, such as an emergency alert, to the devices connected to the same cellular base station.

DO: Android 5.0 or higher

Volume Adjustment

Allows adjusting the volume.

DO: Android 5.0 or higher

Microphone

Allows the use of the microphone.

DO: Android 5.0 or higher, Samsung Knox 1.0 or higher

PO: Samsung Knox 1.0 or higher

> Recording

Allows recording with the microphone.

DO/PO: Samsung Knox 1.0 or higher

> S Voice

Allows the use of S Voice.

DO: Samsung Knox 1.0 or higher

Voice Call (except Samsung Device)

Allows the use of voice calls.

NOTE— To control Samsung devices, use the Prohibit voice Call policy.

DO: Android 5.0 or higher

SMS (except Samsung Device)

Allows the use of text messages.

DO: Android 5.0 or higher

Data connection during roaming

Allows a data connection while using roaming service.

DO: Android 7.0 or higher, Samsung Knox 1.0 or higher

Container

Policy

Description

Supported devices

Copy and Paste Clipboard per Profile

Allows copying and pasting with the clipboard between the personal and work areas.

PO: Android 5.0 or higher

Bluetooth Share

Allows sharing via Bluetooth with other devices.

PO: Android 8.0 or higher

Phone Book Access Profile (PBAP) via Bluetooth

Allows sharing contacts from the Profile Owner to the connected device via Bluetooth.

NOTE— The Bluetooth share policy must be set to Allow before using this policy.

PO: Android 6.0 or higher

Factory Reset Protection

You can set up a factory reset protection policy for Android Enterprise devices. This policy allows you to prevent the unauthorized use of an organization’s devices via a special validation method for unlocking them after a factory reset.

Policy

Description

Factory Reset Protection

Allows enabling Factory Reset Protection.

To enable Factory Reset Protection, complete the following steps:

1. Select Allow from the drop-down list.

  • Further information about the FRP will be displayed.

2. Click Go to Google API Webpage to generate user ID.

3. Sign in with your Google account.

  • You can use an existing Google account or create one specifically for use with factory reset protection. Please be aware that this account will be used to validate device users. An Android Enterprise account should not be used.

4. Enter the following input values on the right side of the API page.

  • resourceName : people/me
  • personalFields : metadata

5. Click Execute.

6. In the green header box, copy the “id” field value and paste it into the Google User ID field in the Knox Manage admin portal.

7. In the Google Account ID field, enter the same account ID that you used to sign in on the Google API page in step 3, and click to save it.

Secure Browser

Secure Browser is a web browser that you can configure to be highly secure. It is available to users who have a Knox Suite license. If you enable Secure Browser on a device, the KM Secure Browser app is silently installed right after the Knox Manage agent is enrolled.

Policy

Description

Secure Browser App

Configure whether to enable the Secure Browser app.

  • Use: Enable the app to be used. Select this for more secure browsing.
  • -: Disable the app from being used. Select this if the enterprise has another preferred browser.

Homepage URL

Set the default web page displayed by the browser or tab when first launched, or when the browser home icon is tapped. The user cannot override this default home page through the browser settings.

App Auto Update

Set the Secure Browser to be updated automatically.

Hide URL

Configure whether to hide the URL address bar.

  • Use: Hide the URL address bar. This prevents access to websites other than the default Homepage URL, and blocks file downloads automatically.
  • Do Not Use: Display the URL address bar.
  • -: Do not make this a configurable setting.

URL Control Type

Configure whether to allow or block URLs.

  • Whitelist: Allow only the URLs specified in the allowlist. Use this for better browser security.
  • Blacklist: Allow all URLs except those in the blocklist. Use this to offer better browser usability.
  • -: Allow all URLs.

URL Control List

Enter the URLs to allow or block, as specified in URL Control Type.

Use an asterisk as a wildcard to specify URL patterns.

You can use an asterisk in the URL sub-domain (www) and path (after /). Here are valid examples:

  • https://docs.company.com/*
  • https://*.company.com/*

You cannot use an asterisk in the URL scheme (http, https) or domain (domain.com). Here are invalid examples:

  • *.company.com/*
  • https://www.*company*.com/*
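A pre-deployment lint for URL Control List entries based on the rules above, as an added example that is not Knox Manage code. It assumes the domain is the last two host labels and that an asterisk matches any run of characters within the host or path; the page does not specify how Secure Browser matches, and `lint_pattern`, `matches` and `allowed` are hypothetical names.

```python
import re
from urllib.parse import urlsplit


def lint_pattern(pattern):
    """Return the rule violations for one URL Control List entry ([] if none)."""
    scheme, sep, rest = pattern.partition("://")
    if not sep:
        return ["missing scheme"]
    problems = []
    if "*" in scheme:
        problems.append("asterisk in scheme")
    elif scheme.lower() not in ("http", "https"):  # the schemes the page names
        problems.append("scheme is not http or https")
    labels = rest.partition("/")[0].split(".")
    if "" in labels:
        problems.append("empty host label")
    # Assumption: the last two labels are the domain and anything left of them
    # is the sub-domain (no public-suffix handling, so co.uk is not covered).
    if any("*" in label for label in labels[-2:]):
        problems.append("asterisk in domain")
    return problems


def _glob(text):
    # Assumed semantics: "*" stands for any run of characters in its component.
    return re.compile("".join(".*" if c == "*" else re.escape(c) for c in text))


def matches(pattern, url):
    """True if url falls under pattern; invalid patterns never match."""
    if lint_pattern(pattern):
        return False
    scheme, _, rest = pattern.partition("://")
    p_host, _, p_path = rest.partition("/")
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() != scheme.lower() or not parts.hostname:
        return False
    # Compare parsed components, not the raw string, so text in the userinfo
    # or fragment is never mistaken for the host. Ports are not handled.
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    return bool(_glob(p_host.lower()).fullmatch(parts.hostname)
                and _glob("/" + p_path).fullmatch(path))


def allowed(url, allowlist):
    """Whitelist mode: permit a URL only if some valid entry covers it."""
    return any(matches(p, url) for p in allowlist)


# Entries copied from the page's valid and invalid examples.
PAGE_EXAMPLES = [
    "https://docs.company.com/*",
    "https://*.company.com/*",
    "*.company.com/*",
    "https://www.*company*.com/*",
]

if __name__ == "__main__":
    for entry in PAGE_EXAMPLES:
        print(entry, "->", lint_pattern(entry) or "ok")
    for url in ("https://docs.company.com/guide",
                "https://docs.company.com.evil.example/",   # constructed
                "https://docs.company.com@evil.example/"):  # constructed
        print(url, "->", allowed(url, PAGE_EXAMPLES))
```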

Link URL to Other Apps

Configure whether to allow URLs that download and launch apps. Secure Browser supports these URL schemes:

  • intent:// - Launches the app package specified in the intent URL.
  • market:// - Downloads the specified app package from Google Play store.

Users can download or run apps directly by tapping these URL schemes on web pages. You can select:

  • Allow: To allow apps to download and launch. Select this for better usability.
  • Disallow: To prevent apps from downloading and launching. Select this if you are concerned about app integrity.
  • -: Allow all app downloads and launches.

Cookies

Configure whether to allow websites to save cookies on the device.

  • Allow: Allow cookies. Select this for better browser usability.
  • Disallow: Do not allow cookies. Select this for better security and user privacy.
  • -: Allow all cookies.

File Download

Configure whether to allow users to download files from websites onto the device.

  • Allow: Allow downloads. Select this for better browser usability.
  • Disallow: Do not allow downloads. Select this for better security, to block files like viruses, adware, or spyware. If you select the Hide URL option, file downloads are disallowed automatically.
  • -: Allow all downloads.

File Upload

Configure whether to allow users to upload files from their device to a website.

  • Allow: Allow uploads. Select this for better browser usability.
  • Disallow: Do not allow uploads. Select this for better security, if you are concerned about confidential assets being shared through the web.
  • -: Allow all uploads.

Text Copy

Configure whether to allow users to copy text displayed on a web page.

  • Allow: Allow copies. Select this for better browser usability.
  • Disallow: Do not allow copies. Select this for better security, if you are concerned about confidential web info being shared.
  • -: Allow copies.

Screen Capture

Configure whether to allow users to capture an image of a web page.

  • Allow: Allow captures. Select this for better browser usability.
  • Disallow: Do not allow captures. Select this for better security, if you are concerned about confidential web info being shared.
  • -: Allow captures.

Bookmark

Enter any web pages you want to bookmark by default for easy access in the browser.

Wi-Fi

You can add more Wi-Fi policy sets by clicking .

Wi-Fi configuration is not applied to the Work Profile area of devices.

  • For devices enrolled as Fully Managed with Work Profile, the Wi-Fi configuration is applied only to the Fully Managed area of the device.
  • For devices enrolled as Work Profile, the Wi-Fi configuration is not applied.

Policy

Description

Configuration ID

Assign a unique ID for each Wi-Fi setting.

Description

Enter a description for each Wi-Fi setting.

Network Name (SSID)

Enter an identifier of a wireless router to connect to.

You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.

Remove available

Allows users to delete the Wi-Fi settings.

Hidden Network

Allows the network to be hidden from the list of available networks on the device. The SSID is not broadcast.

Security type

Specifies the access protocol used and whether certificates are required.

> WEP

Set a WEP KEY index from WEP KEY 1 to 4.

> WPA/WPA2-PSK

Enter a password.

> 802.1xEAP

Configure the following items:

  • EAP Method: Select an authentication protocol, either PEAP or TTLS.
  • 2-step authentication: Select either PAP or MSCHAP as a secondary authentication method.
  • User information input method: Select an input method for entering user information.
    1. Manual Input: Enter the user ID and Password for the Wi-Fi connection. You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
    2. Connector interworking: Choose a connector from the User information Connector.
    3. User Information: Use the user information registered in Knox Manage to access Wi-Fi.
  • External ID: Assign an external ID for Manual Input.
  • User certificate input method: Select a user certificate confirmation method.
    1. EMM Management Certificate: Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.
       NOTE— Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.
    2. Connector interworking: Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Add sync services.
       When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.
    3. Issuing external CA: Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see External certificates.

CA certificate

Select a root certificate. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as Wi-Fi and the Type set as Root will appear on the list.

Proxy configuration

Select a proxy server configuration method. Traffic can be routed through the proxy server when the device is connected to Wi-Fi.

> Manual

Configure the proxy server manually.

  • Proxy host name: Enter the host name or the IP address of the proxy server.
  • Proxy port: Enter the port number used by the proxy server.
  • Proxy exception: Enter the IP address or domain address that cannot be accessed through the proxy server.
  • If server authentication is required to use the proxy server, check the Server authentication check box.
  • User name: Enter the username for the proxy server.
  • Password: Enter the password for the proxy server.

> PAC automatic configuration

Configure the proxy server automatically.

Enter the PAC web address, which is the URL of the PAC file that automatically determines which proxy server to use.

VPN

You can configure the VPN settings to connect to a private network through a public network. You can add more VPN policy sets by clicking . Only the Pulse Secure VPN type can be configured for Android Enterprise devices.

Policy

Description

Configuration ID

Assign a unique ID for the VPN setting.

Description

Enter a description for the VPN setting.

VPN type

The VPN type is set to Pulse Secure by default and you cannot change it.

Always On VPN

Creates a VPN connection when the device starts and maintains it while the device is turned on.

Server URL

Enter the URL of the VPN server.

Authentication Type

Select an authentication type for the VPN connection: Password, Certificate, or both.

User name

Enter the user ID for the VPN connection.

You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.

Password

Enter the password for the VPN connection.

Identity Certificate

Select the certificate used for identification to the VPN peer.

Route Type

Set to use the VPN settings for the entire device or for selected applications.

> Apps to use VPN Configuration

Select applications to allow or disallow from using the VPN. To add an application, click Whitelist Apps or Blacklist Apps, click Add, and then select applications in the “Select Application” window.

Bookmark

For Android Enterprise devices, a shortcut to the bookmarked address of a specific URL is created on the home screen of the device, not in the web browser.

NOTE—
  • Only the device user can delete the shortcuts manually.
  • Deleting a bookmark policy from the Knox Manage agent can have different effects depending on the OS version. In both cases, manual deletion by the device user is recommended:
    • Android Pie (9.0): Shortcuts will still appear grayed out on the home screen.
    • Android Oreo (8.0): Shortcuts will not be removed.

Policy

Description

Configuration ID

Assign a unique ID for each bookmark setting.

Description

Enter a description for each bookmark setting.

Installation area

Specifies a location to install the bookmark.

  • ShortCut: Creates a shortcut of the bookmarked address on the home screen of the device. Shortcut icons are created based on the Samsung Launcher.
    1. Android Enterprise devices support only the shortcut type.
    2. Shortcut icons may not be created, depending on the type of launcher set by the user.
    3. An administrator cannot delete the shortcut icon, but the user can delete it manually.

ShortCut image

Select a shortcut icon to be created on a user device.

Bookmark page URL

Enter a website address to go to when a bookmark is selected.

Bookmark name

Enter the bookmark name to be displayed as a title in the bookmark.

Certificate

You can install a user certificate on a device and use the certificate through Wi-Fi or on websites. You can add more certificate policy sets by clicking .

Policy

Description

Configuration ID

Assign a unique ID for each certificate setting.

Description

Enter a description for each certificate setting.

Install Area

Specify where the certificate should be installed.

User certificate input method

Select an input method for entering certificate information.

  • EMM Management Certificate: Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.
    NOTE— Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.
  • Connector interworking: Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Adding sync services.
    When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.
  • Issuing external CA: Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Adding external certificates.

Certificate Category

Select a certificate category when EMM Management Certificate is selected in User certificate input method:

  • CA certificate: Select a certificate to use from the CA certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as Root will appear on the list.
  • User certificate: Select a certificate to use from the User Certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as User will appear on the list.

Apps with Delegated Certificate Management

Add specific applications that are installed on the device to grant them silent privileged access via a certificate while running.