Android Enterprise Policies

This section describes the policies you can configure for Android Enterprise devices.

Knox Manage supports the following four types of Android Enterprise devices:

Type	Description
Fully Managed	Controls the whole device.
Work Profile	Controls only designated work areas.
Fully Managed with Work Profile	Controls both the personal and work areas and applies different policies to each of them. Android 10 and lower.
Work Profile on Company-owned Device	Controls both the personal and work areas, and applies different policies to each of them. Android 11 and higher.

The availability of the policies vary depending on the enrollment type and the OS version. IT admins can choose to turn on the Highlight Work Profile on Company-owned Devices Profile Only setting to show the available policies highlighted in blue.

NOTE —

Some policies support only Samsung Galaxy devices.
Until Knox Manage 20.11, Knox Manage only supported Android Enterprise policies for device management. Starting with Knox Manage 21.1, for devices running a Work Profile on a company-owned device, Knox Manage now supports Knox policies.

Consider the following when configuring policies:

By configuring the device settings for a profile, you can automatically update devices without the need for any user action.
After Knox Manage is activated and policies are applied, the device settings are automatically updated. After an update, device users can view the status in the notification messages.

System

Provides backup and restore settings and other features. Updates the operating system on a device.

Policy

Description

Supported system

User Certificate Settings

Allows the setting of user certificates.

Android 6 and higher

Camera

Allows using the camera.

NOTE — If the device is activated as a Work Profile, the camera function only in the Work Profile is controlled.

Fully Managed — Android 6 and higher, Samsung Knox 1.0 and higher

Work Profile — Android 6 and higher

Screen capture

Allows screen captures.

NOTE — Starting with Android 12, system apps built with certain API permissions can capture the screen even if the device has screen capturing disabled by an EMM. This mostly affects preloaded system apps developed by device manufacturers. If you are unsure whether the preloaded apps on a deployed device have these permissions, you should verify with the device manufacturer.

Android 5+

System update

Allows setting if and how over-the-air (OTA) updates are applied to devices. Choose one of the following setting option:

Automatic — Automatically apply updates as soon as they become available.
Postpone — Postpone OTA updates for up to 30 days.
Windowed — Schedule OTA updates to occur at a specific time within a daily maintenance window. Use 24 hour format for time—[00:00-23:59]

Fully Managed — Android 6 and higher

Account Modification

Allows modification—addition or deletion—of the accounts added for each application.

Disallow — This policy restricts the addition or deletion of users even if the Add or Delete User policies are allowed.

Android 6 and higher

> Account Block/Allowlist

Specifies whether to define an allowlist or blocklist of app and service accounts that the device user can manage. When set, the Account List policy becomes either a blocklist or an allowlist.

CAUTION — If you change the value of this policy when the account list contains values, all values in the account list will be erased.

Only available if the Account Modification policy is set to Allow.

Values

Allowlist Setting — The account list is an allowlist.
Blocklist Setting — The account list is a blocklist.

Android 6 and higher

Account List

Specify the list of app and service accounts that the device user is allowed or blocked from managing. Accounts are specified as interfaces of Android package names, such as com.google.android.gm.pop3 for the POP3 account of the Gmail app. Managed Google Play accounts can't be modified, so adding them to this list when in allowlist mode has no effect. Only available if the Account Modification policy is set to Allow and the Account Block/Allowlist policy is set.

Values

To add an account, enter it and click add . To remove one, click delete .

Here are the account names of common apps:

App	Package name	Account name
Google Mobile Services	com.google.android.gms	com.google
Google Mobile Services	com.google.android.gms	com.google.android.gms.matchstick
Gmail	com.google.android.gm	com.google.android.gm.pop3
Gmail	com.google.android.gm	com.google.android.gm.exchange
Gmail	com.google.android.gm	com.google.android.gm.legacyimap
Samsung Experience Service	com.samsung.android.mobileservice	com.osp.app.signin
Samsung Experience Service	com.samsung.android.mobileservice	com.samsung.android.coreapps
Samsung Experience Service	com.samsung.android.mobileservice	com.samsung.android.mobileservice
Duo	com.google.android.apps.tachyon	com.google.android.apps.tachyon
NAVER	com.nhn.android.search	com.nhn.android.naveraccount
Facebook	com.facebook.katana	com.facebook.auth.login
Outlook	com.microsoft.office.outlook	com.microsoft.office.outlook.USER_ACCOUNT
OneDrive	com.microsoft.skydrive	com.microsoft.skydrive

Android 6 and higher

> Allow account in Google Play

Specifies which managed and unmanaged accounts on the device can make changes through Google Play. You can select Allow All for all accounts, Allow only MGP Account for just the Managed Google Play (MGP) account, or Allow MGP and Selected Accounts for the MGP account and an allowlist defined by the Account Allowlist policy.

Fully Managed — Android 6 and higher

> Account Allowlist

Specifies an allowlist of accounts on the device that can access Google Play.

Fully Managed — Android 6 and higher

VPN Setting

Allows the user to configure the VPN settings on the device.

Fully Managed — Android 6 and higher

Work Profile — Android 7 and higher

User Deletion

Allows deleting the added users.

Fully Managed — Android 6 and higher

Safe mode

Allows using Safe Mode. This policy retains device control functions such as camera control, but not Knox Manage applications and preloaded applications.

Fully Managed — Android 6 and higher, Samsung Knox 1.0 and higher

Wallpaper Change

Allows both the device user and apps to change the wallpaper.

Values

Allow (default) — The wallpaper can be changed.
Disallow — The wallpaper can't be changed.

Android 7 and higher

Custom Wallpaper

Applies a custom wallpaper on the device.

Values

Apply to the home and lock screen respectively — Sets different wallpapers for the home and lock screens of the device.
NOTE — On Samsung devices running Android 10 or lower, the wallpaper gets applied to both the home and lock screens if you set this value to apply it to only the home screen.
Apply to the home and lock screen — Sets a wallpaper for both the home and lock screens of the device.

If this value is unset, no custom wallpaper is applied.

Android 7 and higher

> Wallpaper File

Specifies the custom wallpaper to apply to home and lock screens. Only available if the Custom Wallpaper policy is set to Apply.

Values

To add custom images, click upload .

The image file can be in BMP, GIF, ICO, JPG, JPEG, or PNG format and can't exceed 10 MB in size.

Android 7 and higher

External SD card

Allows using the external SD card.

Fully Managed — Android 6 and higher, Samsung Knox 1.0 and higher

> Write to external SD card

Allows writing to an external SD card.

NOTE — If the external SD card policy is allowed but the Write to external SD card policy is not, then external SD cards can only be read and do not have reset control.

Fully Managed — Samsung Knox 1.0 and higher

Factory reset

Allows a device factory reset.

Fully Managed — Android 6 and higher, Samsung Knox 1.0 and higher

S Beam

Allows using Android Beam which transfers data using NFC.

NOTE — Android 10 and higher devices are not supported.

Fully Managed — Android 6 and higher, Samsung Knox 1.0 and higher

Create Window

Allows a window to be created and launched at the top when users use a multi-window transformed into a pop-up window or a split screen mode on the device.

Fully Managed — Android 6 and higher

Easter Egg

Allows executing the Easter Egg games on devices with specific actions.

Fully Managed — Android 6 and higher

Brightness Setting

Allows changing of the screen brightness level.

Fully Managed — Android 9 and higher

Always on Display

Allows the always on display feature that displays brief information on the lock screen, such as notifications or time.

Fully Managed — Android 9 and higher

System Error Screen

Allows an error dialog display function when an application shutdowns abnormally.

Fully Managed — Android 9 and higher

If compromised OS is detected

Select a measure to take when a compromised OS is detected.

Lock device — Locks the device.
Lock Email — Locks email use.
Factory reset + Initialize SD card — Simultaneously factory resets the user device and the SD card.
Factory reset — Resets the user device but not the SD card.

NOTE — The factory reset (only) function is unsupported in Android 2 and lower. To reset the device, select the Factory reset + Initialized SD card option.

Fully Managed — Android 6 and higher

Notifications when an Event is Set to On.

Set the device to display a notification when a device control event is applied.

User defined — Users can set event notifications on the device from the Settings menu of the Knox Manage agent.

Show notification — Displays the notification when an event for device control is applied.

Hide notifications — Hides the notification when an event for device control is applied.

Fully Managed — Android 6 and higher, Samsung Knox 1.0 and higher

Notifications when an Event is Set to Off.

Set the device to display a notification when an event for device control is disengaged.

User Defined — Users can set event notifications on the device from the Settings menu of the Knox Manage agent.
Show notification — Displays a notification when an event for device control is disengaged.
Hide notifications — Hides a notification when an event for device control is disengaged.

Fully Managed — Android 6 and higher, Samsung Knox 1.0 and higher

Fix Event Notification

Set the removal of notifications from the device Quick panel.

User Defined — Users can remove notification on the device from the settings menu of Knox Manage agent.

Disallow to Remove Notification — Users cannot remove notifications on the device Quick Panel.

Allow to Remove Notification — Users can remove notifications on the device Quick Panel.

Fully Managed — Android 6 and higher, Samsung Knox 1.0 and higher

Encryption for storage

Specifies the encryption of the device's internal storage or the external SD card.

Fully Managed — Android 6 and higher, Samsung Knox 1.0 and higher

> Storage encryption

Check the check box to select the storage to be encrypted.

NOTE — External SD card encryption is applicable to Samsung Galaxy devices only.

Automatic Date and Time

Allows the device user to change the date and time settings. Select Enforce Time Zone to override the time zone and prevent the device user from changing it.

Fully Managed — Android 6 and higher

> Time Zone

Specifies the time zone. Only available if the Automatic Date and Time policy is set to Enforce Time Zone.

Fully Managed — Android 6 and higher, Samsung Knox 1.0 and higher

Language Setting

Allows the language setting policy.

Fully Managed — Android 9

Location Setting

Allows users to change the Location settings.

Disallow — Users cannot change the on/off setting of the device location.

IMPORTANT — As of 23.03, the Location Setting policy is disabled. It will be deprecated in a future release. Use the GPS policy instead.

Fully Managed — Android 9

Backup

Allows backup of the device data.

NOTE — If the backup function can be found on your device at Google > Backup, it may seem possible to turn the backup setting on or off, even if this policy is set to Disallow. However, the functionality of backup is prohibited, regardless of mobile UI, when the Backup policy is set to Disallow.

Fully Managed — Android 8 and higher

Set a Message for Blocked Settings

Enables a custom message to display when the device user taps or tries to use a disabled setting.

This policy has two sub-policies, one for a short message to display in most screens of the Settings app, and the other for a longer message to display in the device administrators screen of the Settings app.

Fully Managed — Android 7 and higher

> Short Message

Specifies the custom message to display when the device user taps or tries to use a disabled setting on the Settings app. Only available if the Set a Message for Blocked Settings policy is set to Apply.

Fully Managed — Android 7 and higher

> Long Message

Specifies the custom message to display when the device user taps or tries to use a disabled setting in the device administrators screen of the Settings app. Only available if the Set a Message for Blocked Settings policy is set to Apply.

Fully Managed — Android 7 and higher

Set a Message for Lock Screen

Enables a custom message on the device's lock screen. You can add lookup items to the message, which substitute for device and user information like username and phone number in the Android environment.

If the message contains only whitespace characters, then no lock message displays, and the user can't change it.

If this value is unset, the message only contains the user information, if it's available.

Fully Managed — Android 7 and higher

> Message

Specifies the custom message on the lock screen. Enter the message in the text field. Click Lookup to browse and select available lookup items to add to the message.

Fully Managed — Android 7 and higher

Interface

Controls the network settings, such as Bluetooth, Wi-Fi Direct, and tethering.

Policy	Description	Supported system
Printing	Allows the printing function.	Android 9 and higher
Autofill Service	Allows auto-completion of information that you enter on websites in the Android browser.	Android 8 and higher
Network Reset	Allows the network usage rest function on a set date. NOTE — For Android 7 and lower devices, this applies to Samsung devices (Knox1.0+) only.	Fully Managed — Android 6 and higher
Mobile Network Setting	Allows configuring the mobile network settings.	Fully Managed — Android 6 and higher
Allow Wi-Fi Change	Allows changing the Wi-Fi Settings.	Fully Managed — Android 6 and higher
Wi-Fi	Allow using Wi-Fi. If the Wi-Fi policy was not applied successfully, the device tries to apply it again 30 minutes after Knox Manage is activated. Allow — Allows using Wi-Fi Disable On — Disallows turning Wi-Fi on. It is turned off at all times. Disable Off — Disallows turning Wi-Fi off. It is turned on at all times.	Fully Managed — Android 6 and higher, Samsung Knox 1.0 and higher
> Wi-Fi Direct	Allows use of the Wi-Fi Direct (Wi-Fi P2P) connection. NOTE— Set the Wi-Fi policy to Allow or Disable Off before using this policy. The direct connection of the two devices may cause the device function or the menu to be controlled, depending on the device type.	Fully Managed — Samsung Knox 1.0 and higher
Tethering Setting	Allows tethering Settings.	Fully Managed — Android 6 and higher
Bluetooth	Allows using Bluetooth. Allow — Allows turning Bluetooth on. Disable On — Disallows turning Bluetooth on.	Fully Managed — Android 6 and higher, Samsung Knox 1.0 and higher
> Desktop PC connection	Allows PC connection with the user's device using Bluetooth.	Fully Managed — Android 6 and higher, Samsung Knox 1.0 and higher
> Data transfer	Allows data exchanges with other devices using Bluetooth connection.	Fully Managed — Samsung Knox 1.0 and higher
> Search mode	Allows device search mode.	Fully Managed — Samsung Knox 1.0 and higher
Bluetooth Setting	Specifies the controls for the Bluetooth use.	Fully Managed — Android 8 and higher
Bluetooth Share	Allows Bluetooth sharing.	Fully Managed — Android 8 and higher
PC connection	Allows connecting user's device to PC.	Fully Managed — Android 6 and higher, Samsung Knox 1.0 and higher
USB Debugging	Allows the device user to enable USB debugging.	Work Profile — Android 6 and higher

Security

Configures the security settings, such as Play Integrity (SafetyNet Attestation), Multifactor authentication, and screen timeout.

Policy	Description	Supported system
SafetyNet Attestation	Allows checks to validate the integrity of the device.	Android 6 and higher
> Verification Interval (days)	Set an interval at which to assess the devices.
> Verification Failure Policy (During Enrollment)	Select a measure. Admin Alert — Sends an alert to the administrator. Unenrollment (Factory Reset) (for DO only)—Unenrolls the device and performs a factory reset. Unenrollment (for PO only)—Unenrolls the device.
> Verification Failure Policy (After Enrollment)	Select a measure. Admin Alert — Sends an alert to the administrator. Lock device (for DO only)—Locks the device. Unenrollment (Factory Reset) (for DO only)—Unenrolls the device and performs a factory reset. Unenrollment (for PO only)—Unenrolls the device.
Maximum screen timeout	Set the maximum time limit that a user can linger before screen timeout.	Fully Managed — Android 6 and higher, Samsung Knox 2.0 and higher
Enforce Multi-factor Authentication	Enable multifactor authentication (2FA) that unlocks a device only after two authentication methods are provided, including one biometric input—face, iris, or fingerprint—and one lock screen method, such as PIN, password, or pattern. NOTE — Incorrect use of this policy together with One Lock and Biometric policy can lock your device.	Fully Managed — Samsung Knox 3.0 and higher
Screen Timeout	Specify whether to allow the user to control the screen lock time setting.	Fully Managed — Android 9.0 and higher

Password

Configures password and device lock screen settings.

Policy	Description	Supported system
Password	Set the device's lock screen type and minimum quality. Use of the camera is prohibited when the device is locked. You can set up to two lock screen policy sets: Device Controls — The lock screen settings for the personal area of the device. Work Profile Controls — The lock screen settings for a device's Work Profile. After the Work Profile is set up, the device user is directed to set a lock screen. IMPORTANT — For the Fully Managed type and the Fully Managed with Work Profile type, if the strength of the lock screen is lower than the requirements of the policy, the device is locked through the Lock Task mode. The device user can't use any other functions until they set a lock screen. If the device user creates a lock screen for the Work Profile that does not comply with the password policy's requirements, all apps on the Work Profile—except essential apps like Knox Manage—are suspended. Suspending the apps, as opposed to just hiding them, offers greater security since unauthorized users cannot gain access to any Work Profile data. If the device is using a One Lock password and the policy for the personal area and Work Profile are configured differently, the stronger password policy is applied. During enrollment of company-owned devices with a Work Profile, the Knox Manage agent prompts the device user to set locks for the personal profile and Work Profile. If the device is rebooted before the locks are set, Managed Google Play functionality might be inhibited or the device might become bricked. For more details and remedies, see How to enforce a password policy during enrollment for company-owned devices with a Work Profile. TIP — If a user forgets their password and contacts you, you should send the device command to reset the password and guide them to enter the temporary password. For more information about this procedure, see Viewing the device details.
> Minimum Complexity (Android 12 or higher)	Set the minimum lock screen complexity. There are four complexity levels, each pre-defined by the Android API. The device user must use a lock screen that meets or exceeds the minimum level. Set the minimum complexity level of the lock screen: N/A — No restrictions on the lock screen. Low — A pattern or PIN, with repeating (4444) and ordered (1234, 4321, 2468) sequences allowed. Medium — A PIN without repeating (4444) or ordered (1234, 4321, 2468) sequences. Or, a password with 4 or more characters. High — A PIN with 8 or more characters, without repeating (4444) or ordered (1234, 4321, 2468) sequences. Or, a password with 6 or more characters.	Fully Managed — Android 12.0+ Work Profile — Android 12.0+ Personal area — Android 12.0+
> Minimum Strength (Android 11 or earlier)	Set a minimum strength level for the lock screen: Weak Biometric — A biometric recognition method. Pattern — A pattern. Numeric — A PIN. Numeric Complex — A pin with no repeating (4444) or ordered (1234, 4321, 2468) sequences. Alphabetic — A password with letter characters. Alphanumeric — A password with alphanumeric characters. Complex — A password with alphanumeric and special characters. NOTE — The password strength increases in the following ascending order — Weak Biometric < Pattern < Numeric < Numeric Complex < Alphabetic < Alphanumeric < Complex.	Fully Managed — Android 6-11 Work Profile — Android 6-11 Personal area — Android 7-11
>> Minimum Length	Set the minimum length of the password. The value can be between 4-16 characters for Numeric or Alphanumeric strength levels. The value can be between 6-16 characters for the Complex strength level.
>> Minimum Number of Letters	Set the minimum number of letter characters in the password. The value can be between 1-10 characters.
>> Minimum Number of Non-letters	Set the minimum number of numeric and special characters required in the password. The value can be between 1-10 characters.
>> Minimum Number of Lowercase Letters	Set the minimum number of lowercase letter characters required in the password. The value can be between 1-10 characters.
>> Minimum Number of Capital Letters	Set the minimum number of uppercase letter characters required in the password. The value can be between 1-10 characters.
>> Minimum Number of Numeric Characters	Set the minimum number of numeric characters allowed in the password. The value can be between 1-10 characters.
>> Minimum Number of Special Characters	Set the minimum number of special characters required in the password. The value can be between 1-10 characters.
> > Maximum Length of Sequential Numbers	Set the longest string of sequential numbers (1234, 4321, 2468) allowed in the password. The value can be between 1-10 characters.	Devices secured by Samsung Knox
> > Maximum Length of Sequential Characters	Set the longest string of sequential characters (abcd, dcba, aceg) allowed in the password. The value can be between 1-10 characters.	Devices secured by Samsung Knox
> Password Lifecycle Settings (Android 6 or higher)	These settings define rules about how the lock screen changes over time, such as user changes to the lock screen, expiration, and minimum login parameters.	Fully Managed — Android 6+ Work Profile — Android 6+ Personal area — Android 7+
>> Password History (times)	Set the minimum number of new passwords that must be used before a user can reuse a previous password. For example, if the password is Knox123! and the Password History (times) is 10, the user must use ten other passwords before they can reuse Knox123!. The value can be between 1-10 times.
>> Password Expiration Timeout (Days)	Set the number of days before the password must be reset. The value can be between 1-365 days.
>>> When to Send Notification Before Expiration (Fully Managed)	Set the number of days before password expiry when the notification must be sent out for fully managed devices. The value can be 1, 3, 5, or 7 days.
>>> When to Send Notification Before Expiration (Work Profile)	Set the number of days before password expiry when the notification must be sent out for work profile devices. The value can be 1, 3, 5, or 7 days.
>> Maximum Failed Login Attempts	Set the maximum number of incorrect password attempts before access is restricted. You can set this only with Numeric, Alphanumeric, or Complex password strength. The value can be between 0-10 times.
>>> If the Maximum Failed Login Attempts Are Exceeded	Choose an action to perform on a Fully Managed device when the maximum number of failed unlock attempts is reached: Lock device — Locks the device. Factory reset + Initialize SD Card — Factory resets the device and the SD card. Factory reset — Factory resets the device.	Fully Managed — Android 6 and higher
>>> If the Maximum Failed Login Attempts Are Exceeded	Select an action to perform when the maximum number of failed unlock attempts is reached: Factory Reset or Remove Work Profile — If the device is company-owned, it factory resets. If the device is personally-owned, the Work Profile is removed.	Work Profile — Android 6 and higher Company-owned — Android 7 and higher
>> If Password Compliance is Violated	Choose an action to perform when a password does not comply with requirements: Personal area: Lock Device — The device is locked (Fully Managed devices only). No Action — No action is taken. Work Profile: Suspend Work Apps — Apps in the Work Profile are suspended. Suspend Work and Personal Apps — All apps are suspended (corporate owned with Work Profile devices only). No Action — No action is taken.
> KeyGuard (Block Functions on Lock Screen)	Choose which features and functionality to block when the screen is locked. Fully Managed devices: Trust Agent — Blocks the Smart Lock function, which unlocks the screen in certain conditions, such as during physical activity, at a specific geographic location, or when devices are added. Fingerprint — Blocks screen unlock through fingerprint scanning. Iris — Blocks screen unlock through iris scanning. Face — Blocks screen unlock through face scanning. Camera — Blocks camera control. Previews in Pop-ups (Fully Managed, Fully Managed With Work Profile) — Hides content in app notifications on the lock screen. Notification (Fully Managed, Fully Managed With Work Profile, Work Profile on Company-Owned) — Hides all app notifications on the lock screen. Devices with a Work Profile: Trust Agent — Blocks the Smart Lock function, which unlocks the screen in certain conditions, such as during physical activity, at a specific geographic location, or when devices are added. Previews in pop-ups — Hides content in app notifications on the lock screen. Fingerprint — Blocks screen unlock through fingerprint scanning. Face — Blocks screen unlock through face scanning.	Fully Managed — Android 5+ Work Profile — Android 7+ Personal area — Android 7+

Kiosk

Configures Kiosk applications on a Kiosk device and controls the device settings.

Policy	Description	Supported system
Screen on when Plugged in	Enable this feature to set the device screen on when charging using any of the following options:
> Screen on when Plugged into Charger	Select the option to apply the policy: AC Charger USB Charger Wireless Charger Multiple selection is possible.
Kiosk app settings	Select a Kiosk feature to use on a device. Single App Mode — Runs a single application on the device's home screen. Multi App Mode — Runs multiple applications that are developed using the Kiosk Wizard. Web Mode — Opens webpages that are specified by the administrator. NOTE— Single-app kiosks are not available with non-Samsung Android Enterprise Fully Managed (DO) devices that are running Android 6-8.0. Knox Manage provides Single-app kiosks with Google managed applications for Android Enterprise devices with version 9.0 (Pie) and higher.	Fully Managed — Samsung Knox 1.0 and higher Non-Samsung Fully Managed — Android 9 and higher
> Set application	Click Add to select Kiosk applications from the list or click New to create a Kiosk App.
> Set Kiosk Browser	When setting up the Kiosk Browser, the package name of the application registered as the Kiosk Browser is automatically selected.
> Default URL	Set the home page of the Kiosk Browser. Values Enter a URL. Click Lookup to browse and select available lookup items to include in the URL.
App Auto Update	Set the Kiosk Browser to be updated automatically.
> Screen Saver	Use the screen saver for the Multiple App kiosk and the Kiosk Browser. When no user activity is sensed for a certain amount of time set in the Auto Screen Off or Session Timeout settings on the device, the registered images or video files are activated on the device display. NOTE — The Screen Saver for the Kiosk Browser only runs while the device is charging.
>> Screen Saver Type	Select either an image or video type screensaver.
>>> Image	Select image files for the screen saver. You can add up to 10 image files in the PNG, JPG, JPEG, or GIF format (animated files are not supported). Each image file must be less than 5 MB. To upload an image file, click Add and select a file. To delete an image file, click next to the name of the uploaded image file. NOTE — The device control command must be transferred to the device to apply an image file to it.
>>> Video	Select a video file for the screen saver. You can add only one video file in the MP4 or MKV format. The video file must be less than 50 MB. To upload a video file, click Add and select a file. To delete a video file, click next to the name of the uploaded video file. NOTE — The device control command must be transferred to the device to apply a video to it.
> Session timeout	Allows the use of the session timeout feature for the Kiosk Browser. If the user does not use the device for a set time, the device deletes user information, such as the cache and cookies, in the device Kiosk Browser and goes to the main page URL: Apply — Enables the session timeout feature for the browser.
>> Time (sec)	Set the session timeout in seconds for the Kiosk Browser. The value can be between 10 - 3600 secs (default is 1800).
> Text Copy	Allow the copying of text strings in the Kiosk Browser.
> Javascript	Allow the running of the JavaScript contained in websites.
> Http Proxy	Allow the use of an HTTP proxy for communications in the Kiosk Browser.
>> IP/Domain:Port	Set the HTTP proxy server IP or domain address, and Port. When not entered, the Port number is automatically set to 80.
> User agent settings key value	Set the key value to be added to the user agent. Allow the Kiosk Browser to access the Web server and the user agent key values contained in the HTTP header. NOTE — User agent key settings can be used to detect access to non-Kiosk Browsers on the web server.
> File Upload	Allows the user to upload files to websites through the Kiosk Browser. Disallow is the default value.
Delete Kiosk app when policy is removed	Allows to delete applications along with policies from a device when the applied policy is deleted.	Fully Managed — Samsung Knox 1.0 Non-Samsung Fully Managed — Android 9
Prohibit hardware key	Allows the use of the hardware keys.
> Disallow hardware keys	Select hardware keys to disable. The availability of Hardware keys can vary by device If you do not allow the use of the Task Manager, then it does not run, even if the user taps the left menu key in the Navigation bar at the bottom of the device.	Fully Managed — Samsung Knox 1.0 and higher
Utilities setting	Allows the use of specific features on Kiosk mode devices.	Fully Managed — Android 9
> Power	Allows the use of the Power button to turn off or restart the device.
> Recent apps	Allows the use of the Recent task button. The Home button also needs to be allowed to use the Recent task button.
> System status bar	Allows the use of the system status bar, which displays the time, network connectivity, and battery status. NOTE — For Android P and higher devices, you must allow the notification bar as well to enable the system status bar.
> Notification bar	Allows the access to the notification bar. If this policy is set to Allow, the Home policy is allowed automatically.
> Home	Allows the use of the Home button on the device.
> Key guard	Allows the screen lock policy to be applied to the device. If it is set to Disallow, users can access the Kiosk device without a screen lock password, regardless of the screen lock policy of the device.

Application

Configures options for application controls such as installation, verification, and permission.

Policy	Description	Supported system
Installation of App from Untrusted Sources	Allows the installation of apps from untrusted sources instead of just the Google Play Store.	Fully Managed — Android 6 and higher Work Profile — Android 6 and higher
Skip App Tutorial	Allows the users to skip application tutorials.	Android 6 and higher
App Control	Allows application control from the settings application. The following actions can be configured: Delete / Execute / Prevention / CACHE Removal / Data Removal / Focused Exit / Default App Removal.	Fully Managed — Android 6 and higher
App Installation	Allows application installation.	Fully Managed — Android 6 and higher Work Profile — Android 6 and higher
App Uninstallation	Allows application uninstallation.	Fully Managed — Android 6 and higher Work Profile — Android 6 and higher
App Verification	Allows application verification using Google for all device applications.	Fully Managed — Android 6 and higher Work Profile — Android 5 - 7.1
App Permission	Allows application runtime permission settings for all areas. Prompt — Prompts users to grant or deny permissions. Grant — Grants all relevant permissions. Deny — Denies all relevant permissions. NOTE — This policy applies to all applications.	Android 6 and higher
> App permission exception policy list	Add individual application. Set different permission policies for each application. To add an application, click Add, and then select applications in the Select Application window. To delete an application, click next to the added application. NOTE— This policy takes priority over the App Permission policy when both are applied. Among the application permissions, only the dangerous permissions can be added to this policy. For more information, see https://developer.android.com/guide/topics/permissions/overview.	Android 6 and higher
App Execution Blocklist Setting	Set to prevent the execution of the device applications.
> App execution blocklist	Add applications to prevent their execution. Icon of the blocked application disappears and users cannot run the application. To add an application, click Add, and then select applications in the Select Application window. To delete an application, click next to the added application. NOTE — An application that has been added on the App download allowlist policy cannot be added.	Android 6 and higher
App uninstallation prevention list Setting	Set to prevent the uninstallation of the device application.
> Application uninstallation prevention list	Add applications to prevent their uninstallation. To add an application, click Add, and then select applications in the Select Application window. To delete an application, click next to the added application.	Android 6 and higher
System App Activation Setting	Set to activate hidden system applications for Android Enterprise devices to view. If a device is activated with Android Enterprise, only designated applications appear on the device. NOTE — Applications cannot be activated if they are listed under the Application installation block list.
> System App Activation	Add system applications to be activated. To add an application, click Add, and then select applications in the Select Application window. To delete an application, click next to the added application.	Android 6 and higher
App Delegation Scope Management	Enables delegated scopes for apps, which is a device policy controller function that grants elevated API and policy control to an app. An app with delegated scopes can dictate policies and configuration settings to other apps. Values Allow — Enables delegation scopes. If this value is unset, then delegation scopes are disabled.	Android 8 and higher
> App Delegation Scope	Configures delegated scopes for apps. Each configuration targets an app with a profile in the Knox Manage tenant and assigns scopes to it. You can only manage one delegation configuration per app. Only available if the App Delegation Scope Management policy is set to Apply. Values To assign delegated scopes to an app: Click Select, then choose an app from the list in the Select Application window. Select scopes to assign to the app from the Delegation Scopes list. Click to add the configuration. For a complete list of compatible scopes, see Supported delegation scopes. To remove the delegated scopes for an app: Click next to the configuration.
App Prevented from Using Mobile Data Setting	Enables blocking apps from using mobile data on the device. When this policy is enabled, the app can only transfer data over the main Wi-Fi connection. Data from tethered and hotspot Wi-Fi connections isn't available.	Android 10 and higher
> Prevent Apps from Using Mobile Data	Specifies a blocklist of apps that can't use mobile data. Only available if the App Prevented from Using Mobile Data Setting policy is set to Apply. Values To add apps, click Add, then search for and select one or more apps. To remove an app, click .	Android 10 and higher
Allowlisting Apps Allowing External SD Card Setting	Allows the use of an external SD card. The external SD card cannot be used by default. Supported devices: (SDK or API): Samsung (Knox 2.2 and higher)
> Allowlisted apps for external SD card	Add applications that can use an external SD card. To add an application, click Add, and then select applications in the Select Application window. To delete an application, click next to the added application.
App Download Block/Allowlist Setting	Configure allowlist and blocklist policies to restrict the use of personal Google Play accounts and installation of personal apps on devices. IMPORTANT — These policies apply to apps downloaded from managed Google Play only, apps that are already installed or are directly installed using APKs are not impacted. For already installed apps, use the previously set up app blocklist and allowlist policy. NOTE — This policy is only supported on Fully Managed company-owned devices. Supported devices: (SDK or API): Android 11.0 and higher
> App Download Blocklist	Add apps to the blocklist, restricting users from downloading or installing these apps to the target devices. To add apps to the blocklist: Single app — In the App Download Block/Allowlist Setting list > select App Download Blocklist > click Add > click to select the check box for the appropriate app, and then click OK. All apps — In the App Download Block/Allowlist Setting list, select App Download Blocklist > click Add all.
> App Download Allowlist	Add apps to the allowlist which lets users download and install these apps to the target devices. To add apps to the allowlist: In the App Download Block/Allowlist Setting list > select App Download Allowlist > click Add > click to select the check box for the appropriate app, and then click Add.
Work and Personal Apps Connection Setting	Specify whether the app can communicate with itself across two different profiles, subject to user consent.	Work profile - Android 11.0 and higher

Supported delegation scopes

The supported delegation scopes are:

Scope	Supported system
Management of uninstalled packages	Fully Managed — Android 9 and higher Fully Managed with Work Profile — Android 9 and higher
Installing existing packages	Fully Managed — Android 9 and higher Fully Managed with Work Profile — Android 9 and higher
Selection of key chain certificates	Android 10 and higher
Network logging	Fully Managed — Android 10 and higher Work Profile — Android 12 and higher
Security logging	Fully Managed — Android 12 and higher Work Profile on company-owned — Android 12 and higher
Certificate installation and management	Android 9 and higher
Managed configurations management	Android 9 and higher
Blocking uninstallation	Android 9 and higher
Permission policy and permission grant state	Android 9 and higher
Package access state	Android 9 and higher
Enabling system apps	Android 9 and higher

Location

Allows the use of GPS or location data collection from a device.

Policy	Description	Supported system
GPS	Configure the location settings on the device. User Choice — Allows the device users to access and enable or disable GPS. Enforced — Enables GPS on devices running Android 9 or higher. This option is available only for device controls. Disable — Disables GPS on the device. NOTE — The GPS policy replaces the Location Setting policy.	Fully Managed — Android 6 and higher, Samsung Knox 1.0 and higher Work Profile — Android 6 and higher
Report device location	Allows collecting location data. NOTE — For Note 8 devices running the N OS, the Geofencing area radius size set in the admin console unit is recognized in miles not meters. User consent — Allows location data collection only with the user's consent. NOTE — If the Fully Managed with Work Profile type is used, location data from devices is collected based on the Report Device Location value, which is specified in the Fully Managed Device policy.	Fully Managed — Android 6 and higher, Samsung Knox 1.0 and higher Work Profile — Android 6 and higher
> Report device location interval	Set an interval period to save the location data of the device. NOTE — To set the collection interval, select either Allow or User consent for the Report device location policy.	Fully Managed — Android 6 and higher, Samsung Knox 1.0 and higher Work Profile — Android 6 and higher
High Accuracy Mode	Set to use for collecting accurate GPS locations of the devices.	Fully Managed — Android 6 and higher, Samsung Knox 1.0 and higher Work Profile — Android 6 and higher

Phone

Configures the phone settings, such as airplane mode, the microphone settings, and the cellular network settings.

Policy	Description	Supported system
Airplane mode	Allows the use of airplane mode.	Fully Managed — Android 9 and higher, Samsung Knox 2.0 and higher
Cell Broadcast Setting	Allows the use of emergency broadcast settings. The carrier can send a same message, such as an emergency alert, to the devices connected to the same cellular base station.	Fully Managed — Android 6 and higher
Volume Adjustment	Allows adjusting the volume.	Fully Managed — Android 6 and higher
Microphone	Allows the use of the microphone.	Fully Managed — Android 6 and higher, Samsung Knox 1.0 and higher Work Profile — Samsung Knox 1.0 and higher
> Recording	Allows recording with the microphone.	Samsung Knox 1.0 and higher
> S Voice	Allows the use of S Voice.	Fully Managed — Samsung Knox 1.0 and higher
Voice Call (except Samsung Device)	Allows the use of voice calls. NOTE — To control Samsung devices, use the Prohibit voice Call policy.	Fully Managed — Android 6 and higher
SMS (except Samsung Device)	Allows the use of text messages.	Fully Managed — Android 6 and higher
Data connection during roaming	Allows a data connection while using roaming service.	Fully Managed — Android 7 and higher, Samsung Knox 1.0 and higher

Container

Allows data transfers within the Work Profile or with other devices.

Policy	Description	Supported system
Copy and Paste Clipboard per Profile	Allows copying and pasting with the clipboard between the personal and work areas.	Work Profile — Android 7.1 and higher
Phone Book Access Profile (PBAP) via Bluetooth	Allows sharing contacts from the Profile Owner to the connected device using Bluetooth. NOTE — Before you use this policy, set the Bluetooth share policy to Allow.	Work Profile — Android 8.0 and higher
Set a Message for Profile Wipe	Allows IT admins to set a custom message to warn the user when the data on the Work profile is being wiped.	Work Profile — Android 9.0 and higher
Set a Maximum Period for Profile Turned off	Allows IT admins to specify a time period for which the device users are allowed to turn off Work profiles on their WP-C devices. The following two options are available: Days (between 3 to 30 days) Hours (between 72 and 720 hours) Users of WP-C devices are allowed to turn off the Work profile on their devices. If the device user does not restart the Work profile, all Personal apps—outside of emergency calls and a few other important apps—are suspended. The device users see a notification on their device alerting them as to the reason for suspension of personal apps.	Work Profile — Android 11.0 and higher

Factory Reset Protection

Configures the security policy to prevent unauthorized use of a device after a factory reset.

You can set up a factory reset protection policy for Android Enterprise devices. This policy allows you to prevent the unauthorized use of an organization's devices using a special validation method for unlocking them after a factory reset.

NOTE — Currently, this policy is only supported in Fully Managed and Work profile on company-owned Devices. This policy is not supported for Work Profile on personally-owned devices.

Policy	Description	Supported system
Factory Reset Protection	Enables factory reset protection. When this security measure is enabled, if the device undergoes a factory reset it can't be reactivated without the previous user's Google Account. Values Allow — Enables factory reset protection for all devices that use this profile. Disallow (default) — Disables factory reset protection. To enable factory reset protection: Set the value to Allow. For the the Google Account ID field, enter the email address of Google Account that will protect the devices that use this profile. This account must be appropriate for use by support providers. CAUTION — As this account email and password might be shared with support providers, do not use your Google Account associated with Android Enterprise. Click Go to Google API Webpage to generate user ID. The people.get operation page from Google's People API reference opens. If you haven't already, sign in to the Google Account you specified earlier. In the Try this method dialog, enter: resourceName field — people/me personalFields field — metadata Click EXECUTE. You might be prompted to grant permission for the Google APIs Explorer to access the Google Account. If so, click Allow to grant all access. A 200 OK message shows, which contains the account's detailed information as JSON values. Copy the value of the ID field in the message. Back on the Knox Manage console, paste the copied ID value in the Google User ID field. Click .

Policy

Description

Supported system

Factory Reset Protection

Enables factory reset protection. When this security measure is enabled, if the device undergoes a factory reset it can't be reactivated without the previous user's Google Account.

Values

Allow — Enables factory reset protection for all devices that use this profile.
Disallow (default) — Disables factory reset protection.

To enable factory reset protection:

Set the value to Allow.
For the the Google Account ID field, enter the email address of Google Account that will protect the devices that use this profile. This account must be appropriate for use by support providers.

CAUTION — As this account email and password might be shared with support providers, do not use your Google Account associated with Android Enterprise.
Click Go to Google API Webpage to generate user ID. The people.get operation page from Google's People API reference opens.
If you haven't already, sign in to the Google Account you specified earlier.
In the Try this method dialog, enter:
- resourceName field — people/me
- personalFields field — metadata
Click EXECUTE.
- You might be prompted to grant permission for the Google APIs Explorer to access the Google Account. If so, click Allow to grant all access.
A 200 OK message shows, which contains the account's detailed information as JSON values.
Copy the value of the ID field in the message.
Back on the Knox Manage console, paste the copied ID value in the Google User ID field.
Click .

Knox Browser

Configures the Knox Browser app. If you enable Knox Browser on a device, the Knox Browser app is automatically installed right after the Knox Manage agent is enrolled.

Knox Browser is a web browser that you can configure to be highly secure. It is available to users who have a Knox Suite license. If you enable Knox Browser on a device, the Knox Browser app is silently installed right after the Knox Manage agent is enrolled, as shown in this image.

NOTE — This is a Premium feature. To be able to use it, the device must be enrolled under a Knox Suite license.

Policy	Description	Supported system
Knox Browser App	Enables the Knox Browser app. Values Use — Enables the Know Browser app on the device. If this value is unset, then the Knox Browser app can't be installed on the device.	Knox Platform for Enterprise Premium
Homepage URL	Sets the home page of the Knox Browser app. If set, the user can't change the home page. This is a required value for deploying the Knox Browser. Only available if the Knox Browser App policy is set to Use. Values Enter a URL. Click Lookup to browse and select available lookup items to include in the URL.	Knox Platform for Enterprise Premium
App Auto Update	Determines whether the Knox Browser app automatically updates. If enabled, the browser also updates when the profile is pushed to the device. Only available if the Knox Browser App policy is set to Use. Values Use — Enables automatic Knox Browser updates. Do Not Use — Disables automatic Knox Browser updates.	Knox Platform for Enterprise Premium
Hide URL	Hides the address bar. Only available if the Knox Browser App policy is set to Use. Values Use — Hides the address bar. Prevents access to websites other than the default Homepage URL, and blocks file downloads. Do Not Use (default) — Displays the URL address bar.	Knox Platform for Enterprise Premium
URL Control Type	Configure whether to restrict access to URLs. The restriction list is defined by the URL Control List policy. Only available if the Knox Browser App policy is set to Use. Allowlist — Knox Browser uses an allowlist to restrict access to specified sites. Blocklist — Knox Browser uses a blocklist to restrict access to specified sites. If this value is unset, then URLs aren't restricted.	Knox Platform for Enterprise Premium
URL Control List	Enter the URLs to allow or block, as determined by the URL Control Type policy. Only available if the Knox Browser App policy is set to Use and the URL Control Type is set to Allowlist or Blocklist. Values To add a URL, enter it and click . To remove one, click . The wildcard () token is supported in the sub-domain and path. For example: https://.example.com https://corp.example.com/*	Knox Platform for Enterprise Premium
Link URL to Other Apps	Enables URLs with web intents, which, when opened, can download and launch apps on Android. Only available if the Knox Browser App policy is set to Use. Knox Browser supports intent schemes like the following: intent://... — Launches the app package specified in the URL scheme. market://... — Downloads the specified app package from Google Play Store. Values Allow (default) Disallow	Knox Platform for Enterprise Premium
Cookies	Allows web pages viewed on Knox Browser to store cookies on the device. Only available if the Knox Browser App policy is set to Use. Values Allow (default) Disallow	Knox Platform for Enterprise Premium
File Download	Enables file downloads on Knox Browser. Only available if the Knox Browser App policy is set to Use. Values Allow (default) Disallow — Blocks downloads. If you set the Hide URL policy to Use, file downloads are blocked automatically.	Knox Platform for Enterprise Premium
File Upload	Allows the device user to upload files to web pages on Knox Browser. Only available if the Knox Browser App policy is set to Use. Values Allow (default) Disallow	Knox Platform for Enterprise Premium
Text Copy	Allows the device user to copy text from web pages viewed on Knox Browser. Only available if the Knox Browser App policy is set to Use. Values Allow (default) Disallow	Knox Platform for Enterprise Premium
Screen Capture	Allows the device user to take screenshots of web pages on Knox Browser. Only available if the Knox Browser App policy is set to Use. Values Allow (default) Disallow	Knox Platform for Enterprise Premium
Bookmark	Defines a collection of bookmarks to push to Knox Browser. Only available if the Knox Browser App policy is set to Use. Values To add a bookmark, enter a name for it and its URL, then click . To remove a bookmark, click .	Knox Platform for Enterprise Premium
Text Scaling	Forces changing the text size on web pages on Knox Browser. Only available if the Knox Browser App policy is set to Use. Values Use — Adjusts the text size to the scale set by the Text Scaling > Ratio policy. Do not use — The text size defaults to 100%, and the user can't change it. If this value is unset, then the text size defaults to 100%, and the device user can change it.	Knox Platform for Enterprise Premium
> Ratio	Specifies the scale of the text size on Knox Browser. Only available if the Knox Browser App and Text Scaling policies are set to Use. Values To set the scale, adjust the slider. The slider has a range of 50–200% and moves in 5% increments.	Knox Platform for Enterprise Premium
Force Enable Zoom	Forces changing the zoom level of web pages on Knox Browser. Only available if the Knox Browser App policy is set to Use. Values Use — Adjusts the zoom level to the scale set by the Force Enable Zoom > Ratio policy. Do not use — The zoom level defaults to 100%, and the user can't change it.	Knox Platform for Enterprise Premium
> Ratio	Specifies the zoom level of web pages on Knox Browser. Only available if the Knox Browser App and Text Scaling policies are set to Use. Values To set the scale, adjust the slider. The slider has a range of 100–200% and moves in 10% increments.	Knox Platform for Enterprise Premium

Wi-Fi

Configures the Wi-Fi settings, such as SSID, security type, and proxy.

Click add to add a configuration. You can add or edit up to 50 configurations when you save the profile.

Wi-Fi configuration is not applied to the Work Profile area of devices.

For devices enrolled as Fully Managed with Work Profile, the Wi-Fi configuration is applied only to the Fully Managed area of the device.
For device enrolled as Work Profile, the Wi-Fi configuration is not applied.

In addition to the general considerations applicable to all policies, consider the following when creating a Wi-Fi configuration:

If a device user deletes the initial auto-applied configuration, the deleted configuration is automatically re-applied when the device is rebooted.

Policy	Description	Supported system
Configuration ID	Assign a unique ID for each Wi-Fi setting.
Description	Enter a description for each Wi-Fi setting.
Network Name (SSID)	Enter an identifier of a wireless router to connect to. You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.
Remove available	Allows users to delete the Wi-Fi settings.
Automatic Connection	Controls whether the device automatically connects to this network. Values Use — Forces the device to set this network as default and connect to it when Wi-Fi is turned on. Do Not Use — This network configuration is pushed to the device, but the device user chooses which networks to connect to.
Hidden Network	Allows to hide the network from the list of available networks on the device. The SSID does not broadcast.
Security type	Specifies the access protocol used and whether certificates are required.
> WEP	Set a WEP KEY index from WEP KEY 1 to 4.
> WPA/WPA2-PSK	Enter a password. You can enter up to 100 characters for the password.
> 802.1xEAP	Configure the following items: EAP Method — Select an authentication protocol from between PEAP and TTLS. 2-step authentication — Select one from PAP, MSCHAP, and MSCHAPV2 as a secondary authentication method. User information input method — Select an input method for entering user information. Manual Input — Enter the user ID and Password for the Wi-Fi connection. You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered. Connector interworking — Choose a connector from the User information Connector. User Information — Use the user information registered in Knox Manage to access Wi-Fi. External ID — Assign an external ID for Manual Input. User certificate input method — Select a user certificate confirmation method. EMM Management Certificate — Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting. Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose. Connector interworking — Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Add sync services. When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user. Issuing external CA — Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see External certificates.
CA certificate	Select a root certificate. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as Wi-Fi and the Type set as Root are included on the list.
Proxy configuration	Select a proxy server configuration method. You can use the server to route through the proxy server when the device is connected to Wi-Fi.
> Manual	Configure the proxy server manually. Proxy host name — Enter the host name of the IP address of the proxy server Proxy port — Enter the port number used by the proxy server Proxy exception — Enter the IP address or domain address that cannot be accessed through the proxy server. If server authentication is required to use the proxy server, check the Server authentication check box. User name — Enter the username for the proxy server. Password — Enter the password for the proxy server.
> PAC automatic configuration	Configure the proxy server automatically. You should enter the PAC web address, the URL of the PAC file that automatically determines which proxy server to use.

VPN

Configures a VPN (Virtual Private Network) on Android Enterprise devices.

You can configure the VPN settings to connect to a private network through a public network. Click add to add a configuration. Only the Pulse Secure VPN type can be configured for Android Enterprise devices.

You can add or modify only one configuration when you save the profile.

Policy	Description	Supported system
Configuration ID	Assign a unique ID for the VPN setting.
Description	Enter a description for the VPN setting.
VPN type	The VPN type is set to Pulse Secure by default and you cannot change it.
Always On VPN	Creates a VPN connection when the device starts and maintains it while the device is turned on.
Server URL	Enter the URL of the VPN server.
Authentication Type	Select an authentication type for the VPN connection between Password, Certificate, and both.
User name	Enter the user ID for the VPN connection. You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.
Password	Enter the password for the VPN connection.
Identity Certificate	Select a certificate to identify itself to its peer.
Route Type	Set to use the VPN settings for the entire device or for selected applications.
> Apps to use VPN Configuration	Select applications to allow or disallow from using the VPN. To add an application, click Allowlist Apps or Blocklist Apps, click Add, and then select applications in the Select Application window.

Bookmark

Configures the bookmark settings, such as the configuration ID and installation area. For Android Enterprise devices, a shortcut to the bookmarked address of a specific URL is created on the home screen of the device, not in the web browser.

Click add to add a configuration. You can add or edit up to 100 configurations when you save the profile.

In addition to the general considerations applicable to all policies, consider the following when configuring bookmarks:

If a device user deletes the initial auto-applied configuration, the deleted configuration is automatically re-applied when the device is rebooted.
If you configure multiple policies under a policy group, the device user must apply the policy settings manually.

NOTE —

Only the device user can delete the shortcuts manually.
Deleting a bookmark policy from the Knox Manage agent can render different effects based on the OS version. In both cases, manual deletion by the device user is recommended:
- Android Pie (9.0) — Shortcuts still appear grayed out on the home screen.
- Android Oreo (8.0) — Shortcuts are not removed.

Policy	Description	Supported system
Configuration ID	Assign a unique ID for each bookmark setting.
Description	Enter a description for each bookmark setting.
Installation area	Specifies a location to install the bookmark. Shortcut — Creates a shortcut of the bookmarked address on the home screen of the device. Shortcut icons are created based on the Samsung Launcher. Android Enterprise devices only support the shortcut type. Shortcut icons may not be able to be created depending on the type of launcher set by the user. An administrator cannot delete the shortcut icon, but the user can delete it manually. NOTE — For Android 8 and higher, you must install the bookmark shortcuts manually. Bookmark shortcuts are automatically installed for Android versions lower than 8.0.
Shortcut image	Select a shortcut icon to be created on a user device.
Bookmark page URL	Enter a website address to go to when a bookmark is selected.
Bookmark name	Enter the bookmark name to be displayed as a title in the bookmark.

APN

Configures the device's Access Point Name (APN) settings for cellular data connectivity.

Click add to add a configuration. You can add or edit up to 20 configurations when you save the profile.

In addition to the general considerations applicable to all policies, consider the following when creating an APN configuration:

If a device user deletes the initial auto-applied configuration, the deleted configuration is automatically re-applied when the device is rebooted.
If you configure multiple policies under a policy group, the device user must apply the policy settings manually.

IMPORTANT —

If you configure one APN, then the APN configuration automatically applies when the profile is pushed to a device. However, if you configure multiple APNs, none of them apply automatically, and the device keeps its default APN. If multiple APNs are available but a specific one is required, instruct the device user to apply it using the Knox Manage agent.
If you're configuring an APN for a Samsung device running Android 11 and lower, don't configure an APN for both the Android Enterprise profile and Samsung Knox profile types. Configure it for only one.

Policy	Description	Supported system
Configuration ID	Specifies the name of the APN configuration. Each configuration name must be unique. Values Enter a name.	Fully Managed — Android 9 and higher Samsung device — Android 9 and higher
Description	Specifies the description of the APN configuration. Values Enter a description.	Fully Managed — Android 9 and higher Samsung device — Android 9 and higher
Remove available	Toggles whether the device user can delete the APN. Values Allow (default) Disallow	Fully Managed — Android 9 and higher Samsung device — Android 9 and higher
Access Point Name (APN)	Specifies the name of the APN, which is comprised of the network identifier and optional operator identifier. Values Enter a name.	Fully Managed — Android 9 and higher Samsung device — Android 9 and higher
Access Point Type	Specifies which connection services to allow for this APN. Values Default — Allows all services. Also known as unspecified. MMS — Allows only the Multimedia Messaging Service (MMS). Supl — Allows only the Secure User Plane Location (SUPL) service, which is an IP-based protocol that uses GPS for device geolocation.	Fully Managed — Android 9 and higher Samsung device — Android 9 and higher
Mobile Country Code (MCC)	Specifies the MCC of the APN. Values Enter a 3-digit MCC. Click Lookup to browse and select available lookup items to include in the MCC.	Fully Managed — Android 9 and higher Samsung device — Android 9 and higher
Mobile Network Code (MNC)	Specifies the carrier's MNC for the APN. Values Enter a 2- or 3-digit MNC. Click Lookup to browse and select available lookup items to include in the MNC.	Fully Managed — Android 9 and higher Samsung device — Android 9 and higher
MMS Server (MMSC)	Specifies the address of the carrier's MMS server. Values Enter a URL.	Fully Managed — Android 9 and higher Samsung device — Android 9 and higher
MMS Proxy Server	Specifies the address of the carrier's MMS proxy server. Values Enter an IP or domain.	Fully Managed — Android 9 and higher Samsung device — Android 9 and higher
MMS Proxy Server Port	Specifies the port of the carrier's MMS proxy server. Values Enter a port.	Fully Managed — Android 9 and higher Samsung device — Android 9 and higher
Proxy Server	Specifies the address of the carrier's WAN proxy server. Values Enter a URL.	Fully Managed — Android 9 and higher Samsung device — Android 9 and higher
Proxy Server Port	Specifies the port of the carrier's WAN proxy server. Values Enter a port.	Fully Managed — Android 9 and higher Samsung device — Android 9 and higher
Access Point Username	Specifies the account username to use when connecting to the APN. Values Enter a username. By default, the field contains the ${UserName} lookup item, which substitutes for the username associated with the device in Knox Manage.	Fully Managed — Android 9 and higher Samsung device — Android 9 and higher
Access Point Password	Specifies the account password to use when connecting to the APN. Values Enter a password.	Fully Managed — Android 9 and higher Samsung device — Android 9 and higher
Authentication Method	Specifies the protocol to use when authenticating with the APN. Values None — Disables authentication. PAP — Uses the Password Authentication Protocol (PAP), which requires a username and password. CHAP — Uses the Challenge-Handshake Authentication Protocol (CHAP), which implements challenge messages to validate identities. PAP or CHAP — Uses either the PAP or CHAP method, depending on which is available.	Fully Managed — Android 9 and higher Samsung device — Android 9 and higher
APN Protocol	Specifies the communications protocol to use when connecting to the APN. Values IPV4 IPV6 IPV4/IPV6 PPP	Fully Managed — Android 9 and higher Samsung device — Android 9 and higher
APN Roaming Protocol	Specifies the communications protocol to use when connecting to the APN while the device is roaming. Values IPV4 IPV6 IPV4/IPV6 PPP	Fully Managed — Android 9 and higher Samsung device — Android 9 and higher
Mobile virtual network operator Type	Specifies the type of identifier used by the APN's mobile virtual network operator (MVNO). Values SPN IMSI GID ICCID	Fully Managed — Android 9 and higher Samsung device — Android 9 and higher
Bearer	Enables specifying which wireless broadcast standards can be used when connecting to the APN.	Fully Managed — Android 9 and higher Samsung device — Android 9 and higher
Bearer List	Specifies which bearer types can be used when connecting with the APN. Only available if the Bearer policy is set to Apply. Values LTE HSPAP HSPA HSUPA HSDPA UMTS EDGE GPRS eHRPD NR EVDO_B EVDO_A EVDO_0 1xRTT CDMA TD_SCDMA IDEN GSM IWLAN	Fully Managed — Android 9 and higher Samsung device — Android 9 and higher

Policy

Description

Supported system

Configuration ID

Specifies the name of the APN configuration. Each configuration name must be unique.

Values

Enter a name.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Description

Specifies the description of the APN configuration.

Values

Enter a description.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Remove available

Toggles whether the device user can delete the APN.

Values

Allow (default)
Disallow

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Access Point Name (APN)

Specifies the name of the APN, which is comprised of the network identifier and optional operator identifier.

Values

Enter a name.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Access Point Type

Specifies which connection services to allow for this APN.

Values

Default — Allows all services. Also known as unspecified.
MMS — Allows only the Multimedia Messaging Service (MMS).
Supl — Allows only the Secure User Plane Location (SUPL) service, which is an IP-based protocol that uses GPS for device geolocation.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Mobile Country Code (MCC)

Specifies the MCC of the APN.

Values

Enter a 3-digit MCC.

Click Lookup to browse and select available lookup items to include in the MCC.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Mobile Network Code (MNC)

Specifies the carrier's MNC for the APN.

Values

Enter a 2- or 3-digit MNC.

Click Lookup to browse and select available lookup items to include in the MNC.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

MMS Server (MMSC)

Specifies the address of the carrier's MMS server.

Values

Enter a URL.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

MMS Proxy Server

Specifies the address of the carrier's MMS proxy server.

Values

Enter an IP or domain.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

MMS Proxy Server Port

Specifies the port of the carrier's MMS proxy server.

Values

Enter a port.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Proxy Server

Specifies the address of the carrier's WAN proxy server.

Values

Enter a URL.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Proxy Server Port

Specifies the port of the carrier's WAN proxy server.

Values

Enter a port.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Access Point Username

Specifies the account username to use when connecting to the APN.

Values

Enter a username. By default, the field contains the ${UserName} lookup item, which substitutes for the username associated with the device in Knox Manage.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Access Point Password

Specifies the account password to use when connecting to the APN.

Values

Enter a password.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Authentication Method

Specifies the protocol to use when authenticating with the APN.

Values

None — Disables authentication.
PAP — Uses the Password Authentication Protocol (PAP), which requires a username and password.
CHAP — Uses the Challenge-Handshake Authentication Protocol (CHAP), which implements challenge messages to validate identities.
PAP or CHAP — Uses either the PAP or CHAP method, depending on which is available.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

APN Protocol

Specifies the communications protocol to use when connecting to the APN.

Values

IPV4
IPV6
IPV4/IPV6
PPP

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

APN Roaming Protocol

Specifies the communications protocol to use when connecting to the APN while the device is roaming.

Values

IPV4
IPV6
IPV4/IPV6
PPP

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Mobile virtual network operator Type

Specifies the type of identifier used by the APN's mobile virtual network operator (MVNO).

Values

SPN
IMSI
GID
ICCID

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Bearer

Enables specifying which wireless broadcast standards can be used when connecting to the APN.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Bearer List

Specifies which bearer types can be used when connecting with the APN. Only available if the Bearer policy is set to Apply.

Values

LTE
HSPAP
HSPA
HSUPA
HSDPA
UMTS
EDGE
GPRS
eHRPD
NR
EVDO_B
EVDO_A
EVDO_0
1xRTT
CDMA
TD_SCDMA
IDEN
GSM
IWLAN

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Certificate

Allows using new certificate authority (CA) certificates and configuring the certificate settings. You can install a user certificate on a device and use the certificate through Wi-Fi or on websites.

Click add to add a configuration. You can add or edit up to 20 configurations when you save the profile.

In addition to the general considerations applicable to all policies, consider the following when configuring certificates:

If a device user deletes the initial auto-applied configuration, the deleted configuration is automatically re-applied when the device is rebooted.
If you configure multiple policies under a policy group, the device user must apply the policy settings manually.

Policy	Description	Supported system
Configuration ID	Assign a unique ID for each certificate setting.
Description	Enter a description for each certificate setting.
Install Area	Specify where the certificate should be installed.
User certificate input method	Select an input method for entering certificate information. EMM Management Certificate — Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting. NOTE — Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose. Connector interworking — Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Adding sync services. When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user. Issuing external CA — Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Adding external certificates.
Certificate Category	Select a certification category when EMM Management Certificate is selected in User certificate input method, CA certificate — Select a certificate to use from the CA certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as Root show on the list. User certificate — Select a certificate to use from the User Certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose has been set as CA Cert and the Type set as User show on the list.
Apps with Delegated Certificate Management	Add specific applications, which are installed on the device, to grant silent privileged access using a certificate while running.