
Android Legacy

Create a profile and register policies for Android Legacy devices.

You can configure the policies below for Android Legacy devices. The availability of each policy varies depending on the OS version.

System

Provides backup and restore settings, developer options, and other features. Updates the operating system on a device.

Interface

Controls the network settings, such as Bluetooth, Wi-Fi Direct, and tethering.

Security

Configures the security settings, such as the password and lock screen.

Kiosk

Configures Kiosk applications on a Kiosk device and controls the device settings.

Application

Configures options for application controls such as installation, verification, and permission.

Location

Allows the use of GPS or collecting location data from a device.

Browser

Allows the use of the default web browser and configures the settings for it.

Phone

Configures the phone settings, such as airplane mode, the microphone, and the cellular network settings.

Firewall

Configures the IP or a domain firewall policy for each application.

Logging

Allows performing logging and configuring the settings.

DeX

Allows the use of DeX mode, an interface to use a mobile device like a desktop.

Wi-Fi

Configures the Wi-Fi settings, such as SSID, security type, and proxy.

Exchange

Configures the settings of Microsoft Exchange ActiveSync accounts to synchronize data with it.

Email Account

Configures the settings of a POP or IMAP email account.

Bookmark

Configures the bookmark settings, such as the configuration ID and installation area.

APN

Configures the APN (Access Point Name) settings.

Knox VPN

Configures a VPN (Virtual Private Network) on Samsung Galaxy devices.

VPN

Configures a VPN (Virtual Private Network) on Android devices.

Certificate

Allows using new certificate authority (CA) certificates and configuring the certificate settings.

System

Policy

Description

Supported devices

Factory reset

Allows a device factory reset.

  • Disallow: Factory reset using the hardware button is prevented. However, factory reset using the firmware update utility cannot be prevented.

Samsung Knox 1.0 or higher

Power off

Allows powering off the device.

  • Disallow: The power off option menu does not appear even with the use of a power button. However, powering off by separating the battery cannot be prevented. Factory reset is prohibited if this policy is disallowed.

Samsung Knox 1.0 or higher

Backup

Allows backup of the device data.

NOTE— If the backup function can be found on your device at Google > Backup, it may seem possible to turn the backup setting on or off, even if this policy is set to Disallow. However, the functionality of backup is prohibited, regardless of mobile UI, when the Backup policy is set to Disallow.

Samsung Knox 1.0 or higher

OTA upgrade

Allows an OTA upgrade for the device.

Samsung Knox 1.0 or higher

Settings

Allows the configuration of the System Settings.

Samsung Knox 1.0 or higher

System app close

Allows force closing system applications.

Samsung Knox 1.0 or higher

App crash report to Google

Allows reporting the application error occurrence information to Google.

Samsung Knox 1.0 or higher

Multiple users

Allows multiple users.

Samsung Knox 1.0 or higher

Expand status bar

Allows the expansion of the status bar.

Samsung Knox 1.0 or higher

Change wallpaper

Allows changing the home and the lock screens.

Samsung Knox 1.0 or higher

Automatic Date and Time

Allows changing the date and time.

Samsung Knox 1.0 or higher

Camera

Allows using the camera.

NOTE— If the camera in the general area is restricted, the camera in the Knox Workspace is also restricted.

Samsung Knox 1.0 or higher, Android 4.0 or higher

> Face recognition camera

Allows use of the camera for face unlock even when the camera is disabled in the Camera policy. This policy is available when Camera is set to Disallow all.

Samsung Knox 3.2.1 or higher

Screen capture

Allows use of the screen capture function, which is already set as default.

Samsung Knox 1.0 or higher

Clipboard

Allows the clipboard feature throughout the entire system.

  • Allow within the same app: Allows using the clipboard feature only within the same application.

Samsung Knox 1.0 or higher

Share via apps

Allows the share app function.

Samsung Knox 1.0 or higher

S Beam

Allows using Android Beam which transfers data via NFC.

 

Samsung Knox 1.0 or higher

Encryption for storage

Specifies the encryption of the device’s system storage or the external SD card.

Samsung Knox 1.0 or higher, Android 1.0 or higher

> Storage encryption

Check the checkbox to select the storage to be encrypted.

NOTE— External SD card encryption is applicable to Samsung Galaxy devices only.

 

External SD Card

Allows using the external SD card.

Samsung Knox 1.0 or higher

> Write to external SD card

Allows writing to an external SD card.

NOTE— If the external SD card policy is allowed but the Write to external SD card policy is not, then external SD cards can only be read and do not have reset control.

Samsung Knox 1.0 or higher

Unauthorized SD Card

Allows using unauthorized SD cards.

Android 1.0 (SDK1 or higher)

If compromised OS is detected

Select the control function to be triggered if device OS tampering is detected.

  • Lock device: Locks the device.

NOTE— Android 10 (Q) or higher devices are not supported.

  • Lock Email: Locks email use.
  • Factory reset + Initialize SD card: Simultaneously factory resets the user device and the SD card.
  • Factory reset (only): Resets the user device but not the SD card.

NOTE— The Factory reset (only) function is unsupported in Android 2.0 or lower. To reset the device, select the Factory reset + Initialize SD card option.

Samsung Knox 1.0 or higher

Smart Select

Allows using Smart Select, a Samsung device feature that lets users clip content by drawing a circle with the S pen. Clipped content can be used in notes or anywhere else.

Samsung Knox 2.2 or higher

Device Administrators to install and activate apps

Specifies to run or install EMM applications other than the Knox Manage application.

  • Allow: Allows installing or enabling EMM applications.
  • Disallow installation: Disallows installing EMM applications.
  • Disallow activation: Disallows enabling EMM applications.

NOTE— You cannot control this policy if another EMM application is active before the policy has been set.

Samsung Knox 2.0 or higher

> Exceptional app whitelist

Allows installing or activating selected EMM applications by adding them to the whitelist. This policy is available only when the Device Administrators to install and activate apps policy is set to Disallow installation or Disallow activation.

  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
  • Disallow installation: Only the whitelisted applications are allowed to be installed.
  • Disallow activation: Only the whitelisted applications are allowed to be activated.

Samsung Knox 2.0 or higher

Developer mode

Allows using the developer mode.

Samsung Knox 2.0 or higher

> Background process limitation

Allows setting the default number of background processes.

If this policy is disabled, the number of background processes will be set at the maximum number.

Samsung Knox 1.0 or higher

> Quit application upon killing activities

Enables closing all running applications when the user logs out of the device.

If this policy is disabled, the activation setting is disabled on the device and the user cannot control the device settings.

Samsung Knox 1.0 or higher

> Mock location

Allows using the mock location, which specifies an arbitrary location for development or test purposes.

Use this policy if location information from the Update Device Information of the Send Device Command seems incorrect.

Samsung Knox 1.0 or higher

Safe mode

Allows using Safe Mode. This policy retains device control functions such as camera control, but not Knox Manage applications and preloaded applications.

Samsung Knox 1.0 or higher

Reboot banner

Allows using the reboot banner which appears on the user’s device when the device reboots.

Samsung Knox 1.0 or higher

> Reboot banners stationery

Enter the text for the reboot banner. You can enter up to 1000 bytes.

NOTE— You can customize banners for Samsung Knox 2.2 or higher devices. For Samsung Knox 1.0 devices, only the message or banner registered by the manufacturer is displayed.

Samsung Knox 2.2 or higher

Domain blacklist Settings

Allows using the domain blacklist.

Samsung Knox 1.0 or higher

> Domain blacklist

Enter a domain blacklist that should not be used when registering an Exchange or email account.

  • To add a domain, enter the domain name in the field, and click Add.
  • To delete a domain, click next to the added domain name.

 

NTP Settings

Allows using the NTP (Network Time Protocol) server. Register this server to sync the server time to a device.

Samsung Knox 2.5 or higher

> Server address

Enter the NTP server address.

Samsung Knox 2.5 or higher

> Maximum number of attempts

Set the maximum number of attempts for connecting to the NTP server to retrieve the time information.

The value can be between 1 – 100 times.

Samsung Knox 2.5 or higher

> Polling cycle (hr)

Set the cycle to reconnect to the server via NTP.

The value can be between 1 – 8760 hours (8760 = 1 year).

Samsung Knox 2.5 or higher

> Short polling cycle (sec)

Set the cycle to re-connect to the NTP server after experiencing a timeout.

The value can be between 1 – 1000 seconds.

Samsung Knox 2.5 or higher

> Timeout (sec)

Set the connection timeout on the NTP server.

The value can be between 1 – 1000 seconds.

Samsung Knox 2.5 or higher

Set Notifications from an event to On.

Sets the device to display notifications when a device control event is applied.

  • User Defined: Users can set event notifications on the device from the Settings menu of Knox Manage agent.
  • Show notification: Displays the notification when an event for device control is applied.
  • Hide notifications: Hides the notification when an event for device control is applied.

Samsung Knox 1.0 or higher, Android 1.0 or higher

Set Notifications from an event to Off.

Sets the device to display the notifications when an event for device control is disengaged.

  • User Defined: Users can set event notifications on the device from the Settings menu of Knox Manage agent.
  • Show notification: Displays a notification when an event for device control is disengaged.
  • Hide notifications: Hides a notification when an event for device control is disengaged.

Samsung Knox 1.0 or higher, Android 1.0 or higher

Fix Event Notification

Set the removal of the notification from the device Quick panel.

  • User Defined: Users can remove notifications on the device from the Settings menu of Knox Manage agent.
  • Disallow to Remove Notification: Users cannot remove notifications on the device Quick Panel.
  • Allow to Remove Notification: Users can remove notifications on the device Quick Panel.

Samsung Knox 1.0 or higher, Android 1.0 or higher

Control Power saving mode

Allows power saving control on the device.

Samsung Knox 2.8 or higher

Firmware download mode control

Allows using the hardware key on the device to update firmware.

  • Disallow: Disallows updating firmware with the hardware key and performing a factory reset.

Samsung Knox 2.0 or higher

Samsung Keyboard settings control

Allows accessing the settings key from the Samsung keyboard.

Samsung Knox 2.0 or higher

Data Saver Mode

Allows the device to use the data saver mode automatically.

Samsung Knox 3.0 or higher

Interface

 

Policy

Description

Supported devices

Wi-Fi

Allows using Wi-Fi. If the Wi-Fi policy has not been applied successfully, the device will try to apply it again 30 minutes later after Knox Manage is activated.

  • Allow: Allows using Wi-Fi.
  • Disable On: Disallows turning on Wi-Fi. It is turned off at all times.
  • Disable Off: Disallows turning off Wi-Fi. It is turned on at all times.

Samsung Knox 1.0 or higher, Android 1.0 or higher

> Wi-Fi Direct

Allows use of the Wi-Fi Direct (Wi-Fi P2P) connection.

NOTE—

  • Set the Wi-Fi policy to Allow or Disable Off before using this policy.
  • Depending on the device type, directly connecting two devices may cause the function or the menu to be controlled.

Samsung Knox 1.0 or higher

Wi-Fi hotspot

Allows use of the Wi-Fi hotspot.

Samsung Knox 1.0 or higher, Android 2.3 or higher

Wi-Fi SSID whitelist setting

Allows using the Wi-Fi SSID whitelist. Devices can only connect to the Wi-Fi APs on the whitelist.

NOTE— For non-Samsung devices with Android 8.0 or a higher version, this policy can only be applied when it has been agreed to grant access to location information.

Samsung Knox 1.0 or higher, Android 1.0 or higher

> Wi-Fi SSID whitelist

Add Wi-Fi APs to the whitelist. This policy is irrelevant to adding or deleting the Wi-Fi setting profile.

  • To add a Wi-Fi AP, enter a Wi-Fi SSID and click Add.
  • To add all Wi-Fi APs, click Add all to access the Wi-Fi list.
  • To delete a Wi-Fi AP, select a Wi-Fi SSID and click .

Android 1.0 (SDK1) or higher

Samsung Knox 1.0 or higher

Wi-Fi SSID Blacklist setting

Allows using the Wi-Fi SSID blacklist. Devices cannot connect to Wi-Fi APs on the blacklist.

NOTE— For non-Samsung devices with Android 8.0 or a higher version, this policy can only be applied when it has been agreed to grant access to location information.

 

> Wi-Fi SSID Blacklist

Add Wi-Fi APs to the blacklist. This policy is irrelevant to adding or deleting the Wi-Fi setting profile.

  • To add a Wi-Fi AP, enter a Wi-Fi SSID and click Add.
  • To add all Wi-Fi APs, click Add all to access the Wi-Fi list.
  • To delete a Wi-Fi AP, select a Wi-Fi SSID and click .

Samsung Knox 1.0 or higher, Android 1.0 or higher

Wi-Fi auto connection

Allows automatic connection to Wi-Fi SSID already stored in the device.

Samsung Knox 1.0 or higher

Wi-Fi minimum security level setting

Set a minimum security level for Wi-Fi.

The security level increases in the following ascending order: OPEN < WEP < WPA < LEAP, PWD < FAST, PEAP < TLS, TTLS, SIM, AKA, AKA’

Samsung Knox 1.0 or higher

Bluetooth

Allows using Bluetooth.

  • Allow: Allows using Bluetooth.
  • Disable On: Disallows turning on Bluetooth. It is turned off at all times.
  • Disable Off: Disallows turning off Bluetooth. It is turned on at all times.

Samsung Knox 1.0 or higher, Android 1.0 or higher

> Desktop PC connection

Allows Desktop PC connections with the user’s device via Bluetooth.

Samsung Knox 1.0 or higher

> Data transfer

Allows data exchanges with other devices via Bluetooth connection.

Samsung Knox 1.0 or higher

> Search mode

Allows device search via Bluetooth.

Samsung Knox 1.0 or higher

> Bluetooth tethering

Allows Bluetooth tethering to share the internet connection with another device.

Samsung Knox 1.0 or higher, Android 4.2 or higher

Bluetooth UUID Black/Whitelist

Select a method to connect Bluetooth devices based on their Universal Unique Identifier (UUID).

  • Blacklist configuration: Set a device to block Bluetooth connections from certain devices.
  • Whitelist configuration: Set a device to allow Bluetooth connections to certain devices.

 

> Bluetooth UUID blacklist

Select devices to block Bluetooth connections with. Click the checkboxes for Audio, File transfer, Phonebook, Headsets, or Hands-free.

NOTE— When the policy is updated, the current Bluetooth connection is disconnected. Users must reconnect.

Samsung Knox 1.0 or higher

> Bluetooth UUID whitelist

Select devices to allow Bluetooth connections with. Click the checkboxes for Audio, File transfer, Phonebook, Headsets, or Hands-free.

NOTE— When the policy is updated, the current Bluetooth connection is disconnected. Users must reconnect.

Samsung Knox 1.0 or higher

NFC control

Allows NFC (Near Field Communication) control.

NOTE—

  • Samsung Knox 2.4 or higher is supported for Knox Workspace devices.
  • Android 10 (Q) or higher devices are not supported.

Samsung Knox 1.0 or higher

PC connection

Allows connecting the user’s device to a PC.

Samsung Knox 1.0 or higher, Android 1.0 or higher

USB tethering

Allows USB tethering.

Samsung Knox 1.0 or higher, Android 1.0 or higher

USB host storage (OTG)

Allows a device connection via OTG (On the Go). OTG controls only the storage items and not the non-storage items, such as a keyboard or mouse.

NOTE— To use DeX when the USB host storage (OTG) policy is disallowed, enable DeX in the Set USB exception allowed list policy. Then configure the Allow DeX mode policy to Allow.

Samsung Knox 1.0 or higher

> Set usb exception allowed list

Specify the use for the exception allowed list once the USB host storage (OTG) policy is disallowed.

Samsung Knox 3.0 or higher

> USB exception allowed list

Select the USB interface to use if the USB host storage (OTG) policy is disallowed.

Samsung Knox 3.0 or higher

USB debugging

Allows USB debugging.

Samsung Knox 1.0 or higher

Microphone

Allows use of the microphone.

Samsung Knox 1.0 or higher, Android 1.0 or higher

> Recording

Allows the use of microphone recording.

Samsung Knox 1.0 or higher

> S Voice

Allows the use of S Voice.

Samsung Knox 1.0 or higher

GPS

Allows using GPS.

  • Allow: Allows using GPS.
  • Disable On: Disallows turning on GPS. It is turned off at all times.
  • Disable Off: Disallows turning off GPS. It is turned on at all times.

NOTE—

  • To use this policy, the GPS type on the user device must be set as one of the three types: High accuracy, Sleep, and GPS.
  • Devices running Android 10 (Q) or higher are not supported.

Samsung Knox 1.0 or higher

Wearable equipment policy inheritance

Set to use the existing Mobile policy for the Gear policy.

Samsung Knox 2.6 or higher

Security

Policy

Description

Supported devices

Device Password

Set the password for the device screen lock. Use of the camera is prohibited when the device is screen locked.

NOTE—

  • When a user has forgotten their screen lock password, an administrator needs to send the Reset screen password device command, and then the user needs to enter a temporary password. A temporary password is generated randomly according to the set Device Password policies. For more information, see the screen lock password in View the device details.
  • For Knox Workspace devices with a One Lock password, the stronger of the Android Legacy and Knox Workspace password policies is applied.

 

Secure Startup

Allows or disallows users to set the Secure Startup feature on devices.

When Secure Startup is set and the user enters the wrong password 30 times, the device will undergo a factory reset even if you have restricted factory resets through a policy. To avoid this situation, set this policy to Disallow.

NOTE— This is applicable to devices running an OS earlier than Android P.

 
Lock screen

Set to allow or disallow the user to change the Lock Screen setting.

Samsung Knox 3.0 or higher

> Minimum strength

Set the minimum password strength on the screen.

The password strength increases in the following ascending order: Pattern < Numeric < Must be alphanumeric < Must include special characters.

  • Pattern: Set the password using a pattern or a password with a higher degree of complexity.
  • Numeric: Set the password using numbers or a password with a higher degree of complexity.
  • Alphanumeric: Set the password using alphanumeric characters or a password with a higher degree of complexity.
  • Complex: Set it so that the passwords must include alphanumeric and special characters.

Samsung Knox 2.0 or higher, Android 2.2 or higher

>> Maximum Failed Login Attempts

Set the maximum number of incorrect password attempts before access is restricted.

The value can be between 1 - 10 times.

NOTE— You can set this only when Numeric, Alphanumeric, or Complex is selected.

Samsung Knox 2.0 or higher, Android 2.2 or higher

>>> If maximum failed login attempts exceeded

Select the action to be performed when the maximum number of failed attempts is reached.

NOTE— Samsung Knox 1.0 or higher is supported for Knox Workspace devices.

  • Lock device: Locks the device.

NOTE— Android 10 (Q) or higher devices are not supported.

  • Factory reset + Initialize SD card: Simultaneously resets the user device and the SD card.
  • Factory reset: Resets the user device but not the SD card.

Samsung Knox 2.0 or higher, Android 2.2 or higher

>> Minimum length

Set the minimum length of the password.

The value can be between 4 - 16 characters.

NOTE— Minimum length of the pattern password refers to the number of lines connecting each dot. For example, if the policy value is 4, at least four lines connecting five dots must be entered.

Samsung Knox 2.0 or higher, Android 2.2 or higher

>> Expiration after (days)

Set the maximum number of days before the password must be reset.

The value can be between 0 - 365 days.

NOTE— Samsung Knox 2.0 or higher is supported for Knox Workspace devices.

Samsung Knox 1.0 or higher, Android 3.0 or higher

>> Manage password history (times)

Set the minimum number of new passwords that must be used before a user can reuse the previous password.

The value can be between 0 - 10 times.

NOTE— If the password is ‘Knox123!’ and the minimum value is set as 10, the user must use ten other passwords before reusing ‘Knox123!’ as password.

Samsung Knox 1.0 or higher, Android 3.0 or higher

>> Screen Lock Timeout (min)

Set the duration for locking the device when the user has not set up a password for the screen lock.

The value can be between 0 - 60 minutes.

Samsung Knox 1.0 or higher

>> Maximum length of sequential numbers

Set the maximum number of consecutive numeric characters allowed in a password.

The value can be between 1 - 10 words.

Samsung Knox 1.0 or higher

>> Maximum length of sequential characters

Set the number of consecutive letters allowed in a password.

The value can be between 1 - 10 words.

Samsung Knox 1.0 or higher

>> Block function setting on lock screen

Allows blocking functions on the lock screen.

NOTE—

  • The visibility of the notifications on the lock screen depends on the options you set in the application.
  • Samsung Knox 2.4 - 2.9 is supported for Knox Workspace devices.

Android 5.0 or higher

>>> Block functions on lock screen

Select the function to be blocked on the lock screen when a password policy is set on a device.

  • All: Blocks all functions on the lock screen.
  • Camera: Blocks direct camera control on lock screen.
  • Trust Agent: Blocks the Smart Lock function which automatically unlocks the screen in certain conditions, such as during a certain physical activity, at a specific location, or when devices are added.
  • Fingerprint: Blocks the fingerprint unlock function.
  • Previews in pop-ups: Displays notifications on the lock screen but hides private content set in the application.
  • Notifications: Hides all notifications on the lock screen.

NOTE— This policy can be implemented only when the password level is set to pattern or higher.

 

> Maximum screen timeout

Set the maximum time that a user can remain idle before the screen times out.

Samsung Knox 2.0 or higher, Android 2.2 or higher

Connection attempt between server and device

Allows Knox Manage to retry connecting according to the value that you specified when the device is disconnected from Knox Manage. If not specified, communication will be reattempted twice every 15 minutes.

 

> Communication retry count

Set a retry count when a device is disconnected from Knox Manage and Knox Manage retries connecting to the device in 1 minute intervals.

If the device is disconnected continuously despite retrying on the specified count, Knox Manage will retry connecting according to the Communication retry interval (min) below.

The value can be between 1 - 60 times.

Android 1.0 (SDK 1) or higher

> Communication retry interval (min)

Set a retry interval for when a device is disconnected from Knox Manage. If Knox Manage receives the event that the device is available, the server will try to connect immediately despite the waiting time.

The value can be between 1 to 60 minutes.

Android 1.0 (SDK 1) or higher

Smartcard Browser Authentication

Allows Smartcard Browser Authentication within the internet browser.

When the policy is allowed, the Bluetooth security mode is applied while the device is connected to the smart card reader and will not accept other Bluetooth connections.

NOTE—

  • To use this policy, Bluetooth smart card-related applications must be installed on the device and the smartcard must be registered in the Settings menu of the device.
  • Android 10 (Q) or higher devices are not supported.

Samsung Knox 1.0 or higher

Certificate deletion

Prevents users from deleting the certificate in the Settings menu of the device.

Samsung Knox 1.0 or higher

Certificate verification during installation

Set the system to validate the certificate during installation. If the certificate fails validation, it cannot be installed.

Samsung Knox 1.0 or higher

Attestation

Communicates with the attestation server to determine whether the user’s device is forged. If no option is selected, attestation will not be processed.

Samsung Knox 1.0.1 or higher

> Action when verification fails

Set the measure for when forgery of the device firmware is detected. If detected, the creation of a new Knox Workspace and the use of the existing Knox Workspace are prohibited.

  • Lock Knox Workspace: Locks the Knox Workspace.
  • Delete Knox Workspace: Deletes the Knox Workspace.
  • Lock device: Locks the device.

NOTE— Android 10 (Q) or higher devices are not supported.

  • Factory reset + Initialization SD Card: Simultaneously factory resets the user’s device and the SD card.
  • Factory reset: Resets the user device but not the SD card.

Samsung Knox 1.0.1 or higher

Google Android security update Policy

Allows the user to select whether to receive updates on the device.

Forced use: Set to receive security updates by default.

Samsung Knox 2.6 or higher
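
The value ranges and dependencies listed in the Security table above can be checked against a draft profile before it is applied. The following is an added example, not Knox Manage code or an export format: the dictionary keys, the `lint_password_policy` function, and the sample draft are hypothetical and constructed here. It also uses the Factory reset policy from the System table, and treats Android P as Android 9.

```python
# Added example: the keys below are hypothetical names, not a Knox Manage
# export format. All limits are taken from the Security table on this page.
STRENGTH_ORDER = ["pattern", "numeric", "alphanumeric", "complex"]

# Inclusive bounds as listed in the Security table.
RANGES = {
    "max_failed_attempts": (1, 10),
    "min_length": (4, 16),
    "expiration_days": (0, 365),
    "password_history": (0, 10),
    "screen_lock_timeout_min": (0, 60),
    "max_sequential_numbers": (1, 10),
    "max_sequential_characters": (1, 10),
}

# Actions offered under "If maximum failed login attempts exceeded".
ACTIONS = {"lock_device", "factory_reset_and_sd_card", "factory_reset"}

# Constructed sample draft containing several deliberate mistakes.
SAMPLE_DRAFT = {
    "min_strength": "pattern",
    "max_failed_attempts": 12,
    "on_max_failed_attempts": "lock_device",
    "min_length": 3,
    "expiration_days": 90,
    "password_history": 10,
    "secure_startup": "allow",
    "factory_reset": "disallow",
}


def lint_password_policy(policy, android_major):
    """Return a list of (severity, key, message) findings for one draft."""
    findings = []

    def add(severity, key, message):
        findings.append((severity, key, message))

    strength = policy.get("min_strength")
    if strength not in STRENGTH_ORDER:
        add("error", "min_strength", f"unknown value {strength!r}")
        return findings
    rank = STRENGTH_ORDER.index(strength)

    # 1. Every numeric setting must sit inside its documented range.
    for key, (low, high) in RANGES.items():
        value = policy.get(key)
        if value is not None and not low <= value <= high:
            add("error", key, f"{value} is outside {low}-{high}")

    # 2. The failed-attempt limit can be set only for Numeric or stronger.
    if "max_failed_attempts" in policy and rank < STRENGTH_ORDER.index("numeric"):
        add("error", "max_failed_attempts",
            "requires Numeric, Alphanumeric, or Complex strength")

    # 3. The follow-up action must be a listed one, needs an attempt limit,
    #    and Lock device is not supported on Android 10 (Q) or higher.
    action = policy.get("on_max_failed_attempts")
    if action is not None:
        if action not in ACTIONS:
            add("error", "on_max_failed_attempts", f"unknown action {action!r}")
        elif "max_failed_attempts" not in policy:
            add("warning", "on_max_failed_attempts",
                "no attempt limit is set for this action")
        elif action == "lock_device" and android_major >= 10:
            add("error", "on_max_failed_attempts",
                "Lock device is not supported on Android 10 (Q) or higher")

    # 4. Secure Startup overrides a factory reset restriction: 30 wrong
    #    passwords reset the device on OS versions earlier than Android P.
    if (policy.get("secure_startup") == "allow"
            and policy.get("factory_reset") == "disallow"
            and android_major < 9):
        add("warning", "secure_startup",
            "30 wrong passwords factory reset the device despite the "
            "Factory reset restriction; set Secure Startup to Disallow")

    return findings


if __name__ == "__main__":
    for finding in lint_password_policy(SAMPLE_DRAFT, android_major=8):
        print(*finding, sep=": ")
```
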

Kiosk

Policy

Description

Supported devices

Kiosk app settings

Select a Kiosk feature to use on a device.

  • Single app: Runs a single application on the device’s home screen.
  • Multi app: Runs multiple applications that are developed using the Kiosk Wizard.
  • Kiosk Browser: Opens webpages that are specified by the administrator.

NOTE—

  • To use the Kiosk Browser, the Kiosk Browser application must be registered as a Knox Manage application. For more details, contact the TMS administrator.
  • Kiosks are not available with non-Samsung Android Legacy devices.

Samsung Knox 1.0 or higher

> Set application

Click Select and select a single Kiosk application from the list. Alternatively, click Add and manually add applications. For more information about adding single applications, see Creating a Single App Kiosk.

Samsung Knox 1.0 or higher

> Set application

Click Select and select multiple Kiosk applications from the list. Alternatively, click New and create a Multi App Kiosk using the Kiosk Wizard. To learn how to use the Kiosk Wizard, see Exploring Kiosk Wizard.

Samsung Knox 1.0 or higher

> Set Kiosk Browser

When setting up the Kiosk Browser, the package name of the application registered as the Kiosk Browser will be automatically selected.

 

> Default URL

Set the default page URL to call in the Kiosk Browser.

You can enter a URL of up to 128 bytes, including alphanumeric characters and some special characters (_, ., -, *, /).

 

> Screen Saver

Use the screen saver for the Multi App Kiosk and the Kiosk Browser. When no user activity has been detected for the amount of time set in the Auto Screen Off or Session Timeout settings on the device, the registered image or video files are displayed on the device.

NOTE—

  • The Screen Saver only runs while the device is charging.
  • The Screen Saver for the Kiosk Browser only runs while the device is connected to a power source.

 

>> Screen Saver Type

Select either an image or video type screensaver.

 

>>> Image

Select image files for the screen saver. You can add up to 10 image files in the PNG, JPG, JPEG, or GIF format (animated files are not supported). Each image file must be less than 5 MB.

  • To upload an image file, click Add and select a file.
  • To delete an image file, click next to the name of the uploaded image file.

NOTE— The device control command must be transferred to the device to apply an image file to it.

 

>>> Video

Select a video file for the screen saver. You can add only one video file in the MP4 or MKV format. The video file must be less than 50 MB.

  • To upload a video file, click Add and select a file.
  • To delete a video file, click next to the name of the uploaded video file.

NOTE— The device control command must be transferred to the device to apply a video to it.

 

> Session timeout

Allows the use of the session timeout feature for the Kiosk Browser. If the user does not use the device for a set time, the device deletes user information, such as the cache and cookies, in the device Kiosk Browser and goes to the main page URL.

  • Apply: Enable the session timeout feature for the browser.

 

>> Time (sec)

Set the session timeout in seconds for the Kiosk Browser.

The value must be between 10 - 3600 secs (default is 1800).

 

> Text Copy

Allows the copying of text strings in the Kiosk Browser.

 

> Javascript

Allows the running of the JavaScript contained in websites.

 

> Http Proxy

Allows the use of an HTTP proxy for communications in the Kiosk Browser.

 

>> IP/Domain:Port

Set the HTTP proxy server IP or domain address, and Port. When not entered, the Port number is automatically set to 80.

 

> User agent settings key value

Set the key value to be added to the user agent. Allows the Kiosk Browser to access the web server with the user agent key value contained in the HTTP header.

The user agent key value can be used on the web server to detect access from browsers other than the Kiosk Browser.

 

> File Upload

Allows the user to upload files to websites through the Kiosk Browser.

Disallow is the default value.

 

Delete Kiosk app when policy is removed

Allows deleting applications along with policies from the device when the applied policy is deleted.

Samsung Knox 1.0 or higher

Task manager

Allows the use of the Task Manager.

NOTE— You can use the function to disable the hardware key on SDK 2.5 or later.

Samsung Knox 1.0–2.4 or higher

System bar

Use the System bar which refers to the Status bar in the Notifications area at the top of the device and the Navigation bar in the Buttons area at the bottom.

For non-Samsung devices, even if you selected either Allow status bar only or Allow navigation bar only, both the status bar and the navigation bar will be disabled.

Samsung Knox 1.0 or higher

Prohibit hardware key

Allows the use of the hardware keys.

Samsung Knox 1.0 or higher

> Disallow hardware key(s)

Select hardware keys to disable.

The availability of Hardware keys can vary by device.

If you do not allow the use of the Task Manager, then it will not run, even if the user taps the left menu key in the Navigation bar at the bottom of the device.

Samsung Knox 1.0 or higher

Multi windows

Allows the use of multiple windows. This is available for devices that provide the functionality of multiple windows.

Samsung Knox 1.0 or higher

Air command

Allows the use of Air command. Air command is a function provided on Samsung devices. Menu items appear when the user brings an S pen close to the screen.

Samsung Knox 2.2 or higher

Air view

Allows the use of Air view. Air view is a function provided on Samsung devices. Users can preview a picture or email when they bring the S pen or finger close to the picture or other content.

Samsung Knox 2.2 or higher

Edge screen

Allows the use of the Edge screen of the device. The Edge screen allows users to create shortcuts on the edges of the screen panel to frequently used applications, favorite contacts, or the camera.

Samsung Knox 2.5 or higher

Application

Policy

Description

Supported devices

Installation of application from untrusted sources

Allows the installation of applications from untrusted sources instead of just the Google Play Store.

NOTE— Android 8.0 or higher is supported for Knox Workspace devices.

Samsung Knox 1.0 or higher

Play Store

Allows using the Google Play Store.

Samsung Knox 1.0 or higher

YouTube

Allows using YouTube.

Samsung Knox 1.0 or higher

App Installation Black/Whitelist Setting

Set to control the application installation policies.

If no applications are added to the Application installation blacklist and the Application installation whitelist, then no other applications except for the Knox Manage agent will be allowed to be executed and installed.

 

> App installation blacklist

Add applications to prohibit their installation.

  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To add all applications, click Add all.
  • To delete an application, click next to the added application.

NOTE—

  • If a control application registered with a wildcard (*) in the package name is added to this policy, the specific package will not be installed. For example: com.*.emm / com.sds.* / com.*.emm.*
  • Blacklisted applications cannot be installed and will be deleted even if they were previously installed.
  • An application that has been added to the Application installation whitelist cannot be added.

Samsung Knox 1.0 or higher

> App installation whitelist

Add applications to allow their installation.

  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To add all applications, click Add all.
  • To delete an application, click next to the added application.

NOTE—

  • If a control application registered with a wildcard (*) in the package name is added to this policy, the specific package will not be installed. For example: com.*.emm / com.sds.* / com.*.emm.*
  • Any applications not on the whitelist are deleted, even if they are not on the blacklist.
  • An application that has been added to the Application installation blacklist cannot be added.
  • Samsung Knox 2.0 or higher is supported for Knox Workspace devices.

Samsung Knox 1.0 or higher
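Because both installation lists delete applications that are already on the device, it helps to preview the effect before assigning the profile. The following dry run is an added example, not Knox Manage code: it applies the rules stated in the notes above to a constructed inventory. It assumes that `*` matches any run of characters (dots included), uses a placeholder agent package name, and flags a package matched by both lists for review instead of assuming which list wins.

```python
import re

# Placeholder: substitute the package name of the Knox Manage agent in use.
AGENT_PACKAGE = "com.example.kmagent"


def wildcard_to_regex(pattern):
    """Compile a package pattern such as com.*.emm into an anchored regex.

    Assumption: '*' matches any run of characters, including dots.
    """
    return re.compile(re.escape(pattern).replace(r"\*", ".*"))


def first_match(package, patterns):
    """Return the first pattern that matches the whole package name, or None."""
    for pattern in patterns:
        if wildcard_to_regex(pattern).fullmatch(package):
            return pattern
    return None


def plan_install_policy(installed, blacklist, whitelist, agent=AGENT_PACKAGE):
    """Map each installed package to (action, reason) under the two lists.

    Rules taken from the page: blacklisted packages are deleted; with a
    whitelist in place, anything not on it is deleted; with both lists empty,
    only the agent is allowed. A package matched by both lists is reported
    as "review" because the page does not define a precedence for that case.
    """
    plan = {}
    for package in installed:
        if package == agent:
            plan[package] = ("keep", "Knox Manage agent")
            continue
        black = first_match(package, blacklist)
        white = first_match(package, whitelist)
        if not blacklist and not whitelist:
            plan[package] = ("block", "both lists empty")
        elif black and white:
            plan[package] = ("review", f"matches blacklist {black} and whitelist {white}")
        elif black:
            plan[package] = ("remove", f"blacklist {black}")
        elif whitelist and not white:
            plan[package] = ("remove", "not on whitelist")
        elif white:
            plan[package] = ("keep", f"whitelist {white}")
        else:
            plan[package] = ("keep", "not blacklisted")
    return plan


# Constructed inventory and lists; the patterns reuse the page's examples.
SAMPLE_INSTALLED = [
    AGENT_PACKAGE,
    "com.sds.emm",
    "com.sds.mail",
    "com.sds.emm.addon",
    "com.acme.emm",
    "com.acme.emm.plugin",
    "org.example.notes",
]
SAMPLE_BLACKLIST = ["com.*.emm.*"]
SAMPLE_WHITELIST = ["com.sds.*", "com.*.emm"]

if __name__ == "__main__":
    result = plan_install_policy(SAMPLE_INSTALLED, SAMPLE_BLACKLIST, SAMPLE_WHITELIST)
    for package, (action, reason) in result.items():
        print(f"{action:7} {package:24} {reason}")
```

Feeding it the package list exported from a test device shows which applications a wildcard entry would remove, including packages the entry was not written for.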

Application execution Black/Whitelist Setting

Set to control the application execution policies.

If the policy changes or Knox Manage is unenrolled, hidden applications reappear.

NOTE— Android 8.0 (Oreo) or below is supported for non-Samsung devices.

 

> Application execution blacklist

Add applications to prevent their execution. The icon of a blacklisted application disappears and users cannot run the application.

To add an application, click Add, and then select applications in the “Select Application” window.

To delete an application, click next to the added application.

 

Samsung Knox 1.0 or higher, Android 2.2 or higher

> Application execution whitelist

Add applications to allow their execution. Icons of applications that are not on the whitelist disappear automatically. Knox Manage and the preloaded applications are automatically registered on the whitelist.

  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.

NOTE— An application that has been added to the Application installation whitelist cannot be added.

Samsung Knox 1.0 or higher, Android 2.2 or higher

 

Application force stop prohibition list setting

Set to prohibit applications from being force stopped.

 

> Force stop blacklist

Add applications to prohibit them from being force stopped.

Samsung Knox 1.0 or higher

Application execution prevention list setting

Allows application installation but prevents application execution.

 

> Application execution prevention list

Add applications to be displayed but not executable.

Listed applications can be installed and the icons will be displayed, but they will not be executed.

  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.

NOTE— An application that has been added to the Application installation blacklist cannot be added.

Samsung Knox 2.0 or higher

Application uninstallation prevention list Settings

Set to control the application uninstallation policies.

 

> Application uninstallation prevention list

Add applications to prevent their uninstallation.

  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.

Samsung Knox 1.0 or higher

Action when apps are compromised

Select from among the actions below to take if an internal or a kiosk application is compromised:

  • Disallow running: Prohibits the application’s execution.
  • Uninstall: Deletes an application.
  • Lock device: Locks the user’s device.

NOTE— Android 10 (Q) or higher devices are not supported.

  • Notify Alert: The compromised status of the device is reported on the Dashboard.
  • Factory reset + Initialize SD card: Simultaneously resets a user device and the SD card.
  • Factory reset: Resets the user device but not the SD card.

NOTE— Actions such as Lock device, Factory reset, and Notify Alert are applied only to general Android devices, not to Samsung Galaxy and LG Electronics devices.

Samsung Knox 1.0 or higher

Show ProgressBar when installing apps

Set to display the ProgressBar, which displays the progress of the application downloads made in Knox Manage.

Samsung Knox 1.0 or higher, Android 1.0 or higher

Battery optimization exceptions

Set to exempt applications from the battery optimization function. This policy may cause battery loss.

NOTE— This policy is for devices running Android (Nougat) or later.

 

> Apps excluded battery optimization

Add applications to exempt them from the battery optimization function.

Samsung Knox 2.7 or higher

Location

Policy

Description

Supported devices

Report device location

Allows collecting location data.

User consent: Allows location data collection only with the user’s consent.

NOTE—

  • When this policy is set to User consent, location data can only be collected after the user allows collection of device location data in the permission pop-up. The Report device location policy has a higher priority than the GPS policy or the locate the current position device command.
  • For devices running Android 10 (Q) or higher, this policy is supported only when the GPS is enabled in the device settings.

Samsung Knox 1.0 or higher, Android 2.3 or higher

> Report device location interval

Set an interval period to save the location data of the device.

NOTE— To set the collection interval, select either Allow or User Consent for the Report device location policy.

Samsung Knox 1.0 or higher, Android 2.3 or higher

High Accuracy Mode

Set to use High Accuracy Mode for collecting accurate GPS locations of the devices.

Samsung Knox 1.0 or higher, Android 2.3 or higher

Browser

Browsers must be closed and opened again to apply the changes.

Policy

Description

Supported devices

Android browser

Allows using the Android browser.

NOTE— The disallowed setting or blacklist setting takes priority over others. If the disallowed setting is configured in either the Android browser policy or the application blacklist policies, the Samsung Internet browser cannot be launched.

Samsung Knox 1.0 or higher

> Cookies

Allows cookies in the Android browser.

NOTE— If cookies are not allowed, you cannot access websites that authenticate users with cookies.

Samsung Knox 1.0 or higher

> JavaScript

Allows JavaScript in the Android browser.

Samsung Knox 1.0 or higher

> Autofill

Allows auto-completion of information that you enter on websites in the Android browser.

Samsung Knox 1.0 or higher

> Pop-up block

Allows blocking pop-ups in the Android browser.

Samsung Knox 1.0 or higher

Browser proxy URL

Set the proxy server address for the Android browser in the general area.

Enter the value in the form of IP:port or domain:port in the fields.

NOTE—

  • The Chrome browser and Samsung S browser are supported.
  • The supported version for Chrome is Knox 4.0.1 - 5.6.

Samsung Knox 1.0.1 or higher

Phone

Policy

Description

Supported devices

Airplane mode

Allows the use of airplane mode.

Samsung Knox 2.0 or higher

Cellular data connection

Allows the use of a cellular data connection.

NOTE— This policy is applied after internal applications that have been set as Automatic (Non-removable) are installed. If the cellular data connection policy is not applied successfully, the device tries to apply this policy again 30 minutes after Knox Manage is activated.

Samsung Knox 1.0 or higher

Prohibit voice call

Prohibits incoming and outgoing voice calls.

Samsung Knox 1.0 or higher

> Voice call

Specifies the types of voice call to block:

  • Incoming: Blocks incoming voice calls only.
  • Outgoing: Blocks outgoing voice calls only.

If both are selected, only emergency calls can be received or made.

 

> Incoming Call blacklist

Add phone numbers to the blacklist to block incoming voice calls.

  • To add a phone number, enter it in the field and click .
  • To delete a phone number, click next to it.

 

> Outgoing Call blacklist

Add phone numbers to the blacklist to block outgoing voice calls.

  • To add a phone number, enter it in the field and click .
  • To delete a phone number, click next to it.

 

Data usage limit

Allows the limiting of data usage.

Samsung Knox 1.0 or higher

Data usage restrictions

Limits the maximum data usage for user devices. If data usage exceeds the limit set on a device, data use is no longer available.

To get precise information on the amount of usage, changing the date and time must not be allowed.

Samsung Knox 1.0 or higher

> Maximum usage

Set the maximum data amount for user devices for 1 day, 1 week, or 1 month.

NOTE—

  • Daily usage is calculated at 12:00 p.m. each day, weekly usage on Sundays, and monthly usage on the first day of each month.
  • When the maximum data amount is reached, the data network will be blocked. But if the user allows the data network, the data usage of the user device will be reset.

 

Data connection during roaming

Allows data connection when roaming.

Samsung Knox 1.0 or higher

WAP push during roaming

Allows WAP push communication while using roaming.

Samsung Knox 1.0 or higher

Data sync during roaming

Allows data synchronization while roaming.

Samsung Knox 1.0 or higher

Voice calls during roaming

Allows voice calls while roaming.

Samsung Knox 1.0 or higher

Disallow SMS/MMS

Prohibits sending and receiving SMS/MMS messages.

Samsung Knox 1.0 or higher

> Disallow Incoming/Outgoing SMS/MMS

Specifies the types of SMS/MMS messages to block.

NOTE— At least one of the types should be selected.

 

> Incoming SMS blacklist

Add phone numbers to the blacklist to block incoming SMS/MMS messages.

  • To add a phone number, enter it in the field and click .
  • To delete a phone number, click next to it.

 

> Outgoing SMS blacklist

Add phone numbers to the blacklist to block outgoing SMS/MMS messages.

  • To add a phone number, enter it in the field and click .
  • To delete a phone number, click next to it.

 

 

Use SIM card locking

Prevents the use of the SIM card on a user device. To use this policy, the default PIN of the SIM card should be entered. Then, the new PIN number for the SIM card should be entered.

If the locked SIM card is registered to another device, the device is locked and the user must enter a valid PIN to unlock it.

Samsung Knox 1.0 or higher

> Default SIM PIN

Enter the default PIN found on the SIM card.

The value is a 4 - 8 digit number.

NOTE— This policy is designed for use by Corporate-Owned, Personally Enabled (COPE) devices and is only applied if the PIN found on the SIM card matches the default PIN.

 

> New SIM PIN

Enter the new PIN number for the SIM card. The new PIN number can be found next to SIM PIN Number in the “Network” tab of the “Device Detail” page.

The value is a 4 - 8 digit number.

 

Set app voice recording whitelist

Allows recording phone conversations.

NOTE— If unspecified, voice recording is not allowed.

Samsung Knox 3.0 or higher

> App voice recording whitelist

Add applications that are allowed to record phone conversations to the whitelist.

NOTE—

  • The registered voice recording applications cannot be deleted after being activated. To remove the registered applications, you must factory reset the device.
  • If the registered voice recording applications are activated on a device, the device USB connection is blocked.

Samsung Knox 3.0 or higher

Firewall

The firewall supports IPv6 for SDK 2.6 or above. Even if the IPv4 and the IPv6 indicate the same address, a separate configuration is required.

Policy

Description

Supported devices

Firewall

Set to use the firewall to set target IP addresses. The firewall policy is enabled by default.

NOTE— Samsung Knox 1.0 - 2.4.1 is supported for Knox Workspace devices.

Samsung Knox 1.0 - 2.4.1

> Permitted Policy (IP)

Input values to permit the target IP and port address. Configure the following:

1. Enter or click Add to search the Package Name of the application.

2. Input the IP Address (range) and Port (range).

3. Select the Network Type:

  • All
  • Data: Only mobile network access is enabled.
  • Wi-Fi: Only Wi-Fi network access is enabled.

4. Select Port Range:

  • All
  • Local: Port access from the device is enabled.
  • Remote: Port access from the target server is enabled.

5. Click to add.

NOTE—

  • Before setting this policy, disable all IPs by entering a wildcard character (*) to the Prohibited policy (IP) ranges.
  • Samsung Knox 2.5 is supported for Knox Workspace devices.

 

> Prohibited Policy (IP)

Input values to permit the target IP and port address. Configure the following:

1. Enter or click Add to search the Package Name of the application.

2. Input the IP Address (range) and Port (range).

3. Select the Network Type:

  • All
  • Data: Only mobile network access is enabled.
  • Wi-Fi: Only Wi-Fi network access is enabled.

4. Select Port Range:

  • All
  • Local: Port access from the device is enabled.
  • Remote: Port access from the target server is enabled.

5. Click to add.

NOTE—

  • Before setting this policy, disable all IPs by entering a wildcard character (*) to the Prohibited policy (IP) ranges.
  • Samsung Knox 2.5 is supported for Knox Workspace devices.

 

Samsung Knox 2.5 or higher

> Permitted Policy (Domain)

Input values to permit the target domain address.

1. Enter or click Add to search the Package Name of the application.

2. Input the IP Address (range) and Port (range).

NOTE—

  • Before setting this policy, disable all domains by entering a wildcard character (*) to the Prohibited policy (Domain) ranges.
  • Use a wildcard character (*) to allow the use of a specific domain. The character must be placed before or after the domain name. For example: *android.com / www.samsung*
  • Samsung Knox 2.6 is supported for Knox Workspace devices.

Samsung Knox 2.6 or higher

> Prohibited policy (Domain)

Input values to disable the target domain address.

1. Enter or click Add to search the Package Name of the application.

2. Input the IP Address (range) and Port (range).

NOTE—

  • Use a wildcard character (*) to disable a specific domain.
  • Samsung Knox 2.6 is supported for Knox Workspace devices.

Samsung Knox 2.6 or higher

> DNS setting

Input values to specify the domain server address of all applications or registered applications.

1. Enter or click Add to search the Package Name of the application.

2. Input DNS values.

  • DNS1: Primary DNS.
  • DNS2: Secondary DNS.

NOTE— Only one DNS per application can be set and it is effective only when there are no VPN or Proxy policies assigned to the application.

 

Samsung Knox 2.7 or higher

NOTE—
  • If there are multiple firewalls, restricted firewalls have a higher priority.
  • If a firewall is configured to all applications as well as in specific applications, the policy for each application has a higher priority.

Logging

Policy

Description

Supported devices

Save logs

Set to enable the save logs feature.

Enable: Set to perform logging. This is the default value.

Disable: Cannot record device logs.

NOTE— If this policy is not specified, Knox Manage performs logging with the DEBUG level.

Samsung Knox 1.0 or higher, Android 1.0 or higher

> Log level

Select a log level.

  • DEBUG: Logs detailed device information for the developers.
  • INFO: Logs device information for the administrators.
  • WARNING: Logs information that is not an error but requires special attention from the administrators.
  • ERROR: Logs error information.
  • FATAL: Logs critical error information, such as system interruption.

Samsung Knox 1.0 or higher, Android 1.0 or higher

> Maximum log size (MB)

Enter a value for the maximum log size.

The value can be between 1 - 20 MB.

Samsung Knox 1.0 or higher, Android 1.0 or higher

> Maximum days for storage (day)

Enter a value for the maximum days for log storage.

The value can be between 1 – 30 MB.

Samsung Knox 1.0 or higher, Android 1.0 or higher

DeX

Samsung DeX is an accessory that extends the functionalities of a mobile device. By connecting a monitor, keyboard, and mouse to a DeX docking station, the mobile device can function as a desktop computer.

In Knox Manage, you can allow the use of DeX mode and control applications according to the Application execution blacklist setting.

Policy

Description

Supported devices

Allow DeX mode

Allows the use of DeX mode.

  • Disallow: The DeX station will not function even if a mobile device is mounted on it.

Samsung Knox 3.0 or higher

Allow Ethernet only

Allows Ethernet only for DeX. Mobile data, Wi-Fi, and tethering are blocked.

Samsung Knox 3.0 or higher

Application execution blacklist (Android)

Use the blacklist for running DeX applications.

Samsung Knox 3.0 or higher

> Application execution blacklist

Prohibits launching the specified applications.

  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.

NOTE—

  • Any applications that already have been added to the Application whitelist cannot be added to the Application blacklist.
  • When this policy is enabled and applied, the icons of the blocked applications will disappear so that users cannot launch them. However, the applications are not deleted. The icons will reappear once the policy is changed or Knox Manage is disabled.

 

 

Wi-Fi

You can add more Wi-Fi policy sets by clicking .

Policy

Description

Configuration ID

Assign a unique ID for each Wi-Fi setting.

Description

Enter a description for each Wi-Fi setting.

Network Name (SSID)

Enter an identifier of a wireless router to connect to.

You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.

Remove available

Allows users to delete the Wi-Fi settings.

Security type

Specifies the access protocol used and whether certificates are required.

> WEP

Set a WEP KEY index from WEP KEY 1 to 4.

> WPA/WPA2-PSK

Enter a password.

> 802.1xEAP

Configure the following items:

  • EAP Method: Select an authentication protocol from among PEAP, TLS, and TTLS.
  • 2-step authentication: Select one from PAP, MSCHAP, MSCHAPV2, or GTC as a secondary authentication method. This is available when EAP Method is set to TTLS or TLS.
  • User information input method: Select an input method for entering user information.
      • Manual Input: Enter the user ID and Password for the Wi-Fi connection. You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
      • Connector interworking: Choose a connector from the User Information Connector.
      • User Information: Use the user information registered in Knox Manage to access Wi-Fi.
  • User certificate input method: Select a user certificate confirmation method.
      • EMM Management Certificate: Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.
        NOTE— Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.
      • Connector interworking: Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Add sync services. When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.
      • Issuing external CA: Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Add external certificates.
  • CA certificate: Select a root certificate. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as Wi-Fi and the Type set as Root will appear on the list.

Proxy configuration

Select a proxy server configuration method. When the device is connected to Wi-Fi, traffic can be routed through the proxy server.

> Manual

Configure the proxy server manually.

  • Proxy host name: Enter the host name or the IP address of the proxy server.
  • Proxy port: Enter the port number used by the proxy server.
  • Proxy exception: Enter the IP address or domain address that cannot be accessed through the proxy server.
  • If server authentication is required to use the proxy server, check the Server authentication check box.
  • User name: Enter the username for the proxy server.
  • Password: Enter the password for the proxy server.

> Proxy automatic configuration

Configure the proxy server automatically.

In the PAC web address field, enter the PAC web address, which is the URL of the PAC file that automatically determines which proxy server to use.

Exchange

You can add more Exchange policy sets by clicking .

Policy

Description

Configuration ID

Assign a unique ID for each exchange setting.

Description

Enter a description for each exchange setting.

Remove available

Allows users to delete the exchange settings.

Office 365

Configures the Exchange settings by automatically filling in the Exchange server address and setting the SSL option to ‘Use’.

User information input method

Select an input method for entering user information.

> Manual Input

Select to manually enter the email address, account ID, and password of a user.

You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.

> Connector interworking

Select to choose a connector from the User Information Connector list.

NOTE— All the connectors are listed in Advanced > System Integration > Directory Connector.

> User Information

Select to access the exchange server using the registered Knox Manage email and ID. The password must be entered from the user’s device.

Domain

Enter a domain address for the exchange server.

You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.

Exchange server address

Enter the exchange server information such as IP address, host name or URL.

NOTE— If Office365 is selected, outlook.office365.com will be automatically entered.

Sync measure for the early data

Select the interval period to sync the past emails. The sync interval and synchronization are in accordance with the email application settings.

User certificate input method

Select an input method for entering certificate information.

> EMM Management Certificate

Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.

NOTE— Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.

  • User Certificate: Select a certificate to use from the User Certificate list.

> Connector interworking

Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration (Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Add sync services.

When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.

  • User certificate Connector: Select a connector to use from the User certificate Connector list.

> Issuing external CA

Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Add external certificates.

  • Issuing external CA: Select an external CA to use from the Issuing external CA list.

Sync calendar

Syncs schedules on a calendar from an Exchange server or a mail server to a device.

Sync contacts

Syncs contact information in a phone book from a server to a device.

Sync task

Syncs task items from a server to a device.

Sync notes

Syncs notes from a server to a device.

SSL

Set to use SSL for email encryption.

NOTE— If Office365 is selected, the SSL option is automatically set to ‘Use’.

Signature

Enter the email signature to use.

Notification

Notifies the user of new emails.

Always vibrate on notification

Notifies the user of new emails with a vibration.

Silent notification

Mutes email notifications.

NOTE— Always vibrate on notification and Silent notification cannot be used at the same time.

Attachment capacity (byte)

Enter the email attachment file size limit in bytes.

The input value ranges from 1 to 52428800 (50MB).

Maximum Size of Email Body (Kbyte)

Select a maximum value for the email body size. This is only set once during the initial Exchange ActiveSync setup.

> Default Size of Email Body (Kbyte)

Select the default value for the email body size. This is only set once during the initial Exchange ActiveSync setup.

Email Account

You can add more email account policy sets by clicking .

Policy

Description

Configuration ID

Assign a unique ID for each email account setting.

Description

Enter a description for each email account setting.

Remove available

Allows users to delete the email account settings.

Default Account

Specifies to use the default account.

User information Input Method

Select an input method for entering user information.

> Manual Input

Select to manually enter the email address, server ID and password of a user.

You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.

> Connector interworking

Select a connector from the user information connector list.

NOTE— The connectors are listed in Advanced > System Integration > Directory Connector.

> User information

Select to access the relevant mail server using the registered Knox Manage email, ID and password.

NOTE— The password must be entered from the user’s device.

Incoming Server Protocol

Select between the POP3 (pop3) and IMAP (imap) protocol.

Outgoing Server Protocol

Entered automatically as SMTP.

Incoming Server Address/port

Enter the Incoming Server address/port in a provided format.

Outgoing Server Address/port

Enter the outgoing server address/port in a provided format.

Incoming Server ID

Enter an incoming server ID to log in to the incoming mail server manually.

You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.

NOTE— This protocol is only available when Manual Input is selected.

Outgoing Server ID

Enter an outgoing server ID to manually log in to the outgoing mail server.

You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.

NOTE— This protocol is only available when Manual Input is selected.

Incoming Server Password

Enter an incoming server password to manually log in to the incoming mail server.

You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.

NOTE— This protocol is only available when Manual Input is selected.

Outgoing Server Password

Enter an outgoing server password to manually log in to the outgoing mail server.

You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.

NOTE— This protocol is only available when Manual Input is selected.

Incoming SSL

Select to use SSL for encryption.

Outgoing SSL

Select to use SSL for encryption.

Notification

Select an email notification method.

  • Enable Notification: Activates email notification.
  • Enable ‘Always notify by vibrate mode’: Notifies the user of new emails with a vibration.
  • Disable Notification: Deactivates email notification.

All incoming certificates

Allows receiving certificates.

All outgoing certificates

Allows sending certificates.

Signature

Enter an email signature to use.

Account Name

Assign an account name.

Sender Name

Assign a sender name.

Bookmark

You can add, modify, or delete the bookmarks in the Samsung S browser, the default browser on Samsung Galaxy devices. You can add more bookmark policy sets by clicking .

NOTE—

  • Browsers must be closed and opened again to apply the changes.
  • Even if a user modifies a registered bookmark or registers a bookmark with the same URL and name, it will not be deleted when the bookmark setting is deleted.
  • Even if a user manually deletes the set bookmark, due to the limitations of Samsung devices, the application may still appear to be installed. In this case, you have to delete the bookmark in the profile, and then recreate the bookmark.
  • The auto-installation of Bookmark settings is supported on devices running Android 6.0 Marshmallow or Android 7.0 Nougat, and only when BookMark is chosen in the Installation area.

Policy

Description

Configuration ID

Assign a unique ID for each bookmark setting.

Description

Enter a description for each bookmark setting.

Installation area

Specifies a location to install the bookmark.

  • BookMark: Saves a bookmark in the S browser.
  • ShortCut: Creates a shortcut for the bookmarked address on the home screen of the device. Shortcut icons are created based on the Samsung Launcher.

If ShortCut is selected, auto installation is not supported.

Depending on the type of launcher set by the user, it may not be possible to create shortcut icons. An administrator cannot delete the shortcut icon, but the user can delete it manually.

Bookmark page URL

Enter a website address to go to when a bookmark is selected.

Bookmark name

Enter the bookmark name to be displayed as a title in the bookmark.

APN

You can add more APN policy sets by clicking .

Policy

Description

Configuration ID

Enter an APN name to be displayed on the device.

Description

Enter a description for an APN.

Remove available

Allows users to delete APN settings. If you choose Disallow, then the button used to delete APN settings is disabled.

Access Point Name (APN)

Enter the name of the access point.

Access Point Type

Select the type of the access point.

  • Default: default type.
  • MMS: Multimedia Messaging Service.
  • Supl: IP-based protocol to receive GPS satellite signals.

Mobile Country Code (MCC)

Enter the country code for the APN.

Mobile Network Code (MNC)

Enter the carrier network code for the APN.

MMS Server (MMSC)

Enter the server information for sending multimedia messages.

  • MMS Proxy Server: Enter the information of the proxy server for sending multimedia messages.
  • MMS Proxy Server Port: Enter the port number of the proxy server for sending multimedia messages.

Server

Enter the WAP gateway server name.

Proxy Server

Enter the information of the proxy server.

Proxy Server Port

Enter the port number of the proxy server.

Access Point User Name

Enter the user name of the access point.

You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.

Access Point Password

Enter the password of the access point.

You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.

Authentication Method

Select an authentication method.

  • None: Disables authentication.
  • PAP: Requires a user name and password for authentication.
  • CHAP: Uses encryption with a Challenge string for authentication.
  • PAP or CHAP: Uses the PAP or CHAP authentication method.

Set as Preferred APN

Applies APN settings to the device.

Knox VPN

Knox VPN settings are provided to help you set up a VPN on a Samsung Galaxy device more easily. You can add more Knox VPN policy sets by clicking .

NOTE— When Knox Workspace is used on an Android Legacy device, only one Knox VPN can be set on a device regardless of the Knox Workspace area or general area. If the Knox VPN vendor is Cisco, then it can be installed in both areas. To use a Knox VPN on both areas, you need to install the vendor’s VPN Client application in each area.

Policy

Description

Configuration ID

Assign a unique ID for the Knox VPN setting.

VPN name

Enter a VPN name to display on the user device.

Description

Enter a description for the Knox VPN setting.

Remove available

Allows users to delete the Knox VPN settings.

VPN vendor name

Select a VPN vendor, either Cisco or User defined. Input fields vary depending on the selected VPN vendor name.

NOTE— Select User defined to set up a different vendor’s VPN service, such as the Sectra mobile VPN.

VPN client vendor package name

Entered automatically according to the selected VPN vendor name. If User defined is selected, you must enter the package name manually.

VPN type

Select a protocol.

Entering methods for Knox VPN

Select an entering method for Knox VPN information.

NOTE— Input fields vary depending on the selected VPN vendor and the entering method.

Upload Knox VPN profile

Allows uploading a Knox VPN profile when you set Entering methods for Knox VPN to Upload profile.

You can upload a text file in the JSON format. JSON varies depending on the VPN vendor and VPN type.

For more information about sample files, see the sample file of a Sectra Mobile VPN configuration in Entering a VPN vendor manually and see the sample file of Cisco VPN configuration in Sample file for uploading a Knox VPN profile.

User certificate input method

Select an input method for entering certificate information.

  • EMM Management Certificate: Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.
    NOTE— Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.
  • Connector interworking: Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Add sync services.
    When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.
  • Issuing external CA: Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Add external certificates.

CA Certificate

Select a certificate to use from the CA certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as Knox VPN and the Type set as Root will appear on the list.

Server certificate

Select a certificate to use from the certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as Knox VPN and the Type set as User will appear on the list.

FIPS mode

Allows the use of FIPS mode.

FIPS (US Federal Information Processing Standards) encrypts all data with FIPS-140-2 authentication modules between the server and client.

Auto Re-connection

Allows connecting automatically when an error occurs.

VPN route type by application

Select to use a VPN for selected applications or for all applications in the General area.

  • By Application: Click Add next to The VPN applied package name per app and select applications, and then click Save.
  • All packages of general area: All applications in the General area are subject to a VPN.

Entering a VPN vendor manually

To use a VPN provided by a vendor other than Cisco, select User defined in the VPN vendor name field. Then upload a text profile in the JSON format. The VPN Client must be installed on the device before using a VPN.

For example, when a Sectra VPN is used, set the options as below:

1. Enter com.sectra.mobilevpn in the VPN client vendor package name field.

2. Set VPN type to SSL.

3. Click Add next to Upload Knox VPN profile and upload a configuration file with the Sectra Mobile VPN configuration parameters set.

  • Upload a file in the JSON format to fully integrate the Sectra Mobile VPN in the Knox Manage portal.
  • Set the parameters as shown in the example below.

Parameter

Description

Example

profileName

The name of the VPN configuration profile that will be listed on the Knox Manage application and the VPN client GUI.

Sectra Mobile VPN

servers

A list of 1 – 6 VPN servers with IP addresses and a network port. This list will be in an order of priority, with the default VPN server being the first on the list. The remaining VPN servers will be used only if the default server is damaged.

[
{"address":"1.1.1.1", "port":443},
{"address":"2.2.2.2", "port":444},
{"address":"3.3.3.3", "port":445}
]

pkcs12BaseUrl

A download server’s HTTP/S URL, where the encrypted key materials are downloaded to.

http://download.server.com/certs/

mtuSize

The MTU (Maximum Transmission Unit) is a size used on Knox Manage’s virtual network interface. It is the maximum size of the outgoing UDP (User Datagram Protocol) tunnel packets before they are fragmented.

The value must be between 576 – 1500 bytes.

1300

useDtls

Determines whether a DTLS tunnel is used. A DTLS tunnel should be used if sensitive data is being transmitted in real time, for example, when streaming video or making VoIP calls.

The value must be either True or False. If unsure, set to True.

True

diffServ

The QoS (Quality of Service) tag of the tunnel packets sent from a client. Differentiated service is part of an IP header.

The value must be between 0 – 63. 0 means disabled.

0

tcpKeepAlive

Timer value for the interval of a KeepAlive packet sent from a TCP tunnel.

The value must be between 1 – 18000.

  • Sectra recommends setting this value to 1200 seconds, since it is compatible with most mobile networks.

NOTE— This is an important parameter that needs to be selected with caution.

1200

dtlsInactivityTimeout

The timer value for the standby period of a DTLS tunnel that determines how long it idles without receiving any data before it goes inactive.

The value must be between 1 – 300 seconds.

NOTE— Sectra does not recommend setting this value to 300 seconds.

30

trafficProfiles

1 – 3 traffic profiles the users can choose, for when a normal configuration is not sufficient. Traffic profiles can change the following configuration parameters: mtuSize, useDtls, diffServ, tcpKeepAlive and/or dtlsInactivityTimeout. The traffic profile also requires the name of the profile which is shown in the client GUI.

[
{"profileName":"BadNetworkProfile", "mtuSize":800, "tcpKeepAlive":600},
{"profileName":"RealTimeProfile", "mtuSize":1500, "useDtls":"true", "diffServ":63}
]

Sample file for uploading a Knox VPN profile

The following is a sample file of a Sectra Mobile VPN configuration:

{
  "KNOX_VPN_PARAMETERS": {
    "profile_attribute": {
      "profileName": "Sectra Mobile VPN",
      "vpn_type": "ssl",
      "vpn_route_type": 1
    },
    "knox": {
      "connectionType": "keepon"
    },
    "vendor": {
      "connection": {
        "servers": [
          {"address": "1.1.1.1", "port": 443},
          {"address": "2.2.2.2", "port": 444},
          {"address": "3.3.3.3", "port": 555}
        ],
        "ssl": {
          "basic": {
            "pkcs12BaseUrl": "http://download.server.com/certs/",
            "mtuSize": 1300,
            "useDtls": true,
            "diffServ": 0,
            "tcpKeepalive": 1200,
            "dtlsInactivityTimeout": 30
          }
        }
      },
      "trafficProfiles": [
        {
          "profileName": "BadNetworkProfile",
          "mtuSize": 800,
          "tcpKeepAlive": 600
        },
        {
          "profileName": "RealTimeProfile",
          "mtuSize": 1500,
          "useDtls": "true",
          "diffServ": 63
        }
      ]
    }
  }
}
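Before uploading a Sectra profile, you can check it against the ranges listed in the parameter table. The following script is an added example, not code from Samsung or Sectra: the function names are hypothetical, the port range is the general TCP/UDP range rather than a documented limit, and parameter names are matched without regard to case because the sample spells tcpKeepalive and tcpKeepAlive both ways.

```python
import json

# Ranges taken from the parameter table on this page.
RANGES = {"mtusize": (576, 1500), "diffserv": (0, 63),
          "tcpkeepalive": (1, 18000), "dtlsinactivitytimeout": (1, 300)}

def _is_int_in(value, lo, hi):
    # bool is a subclass of int in Python, so exclude it explicitly.
    return isinstance(value, int) and not isinstance(value, bool) and lo <= value <= hi

def _check_params(params, where, findings):
    """Check one parameter set (basic settings or a traffic profile)."""
    for key, value in params.items():
        k = key.lower()  # the page spells tcpKeepalive and tcpKeepAlive both ways
        if k in RANGES and not _is_int_in(value, *RANGES[k]):
            lo, hi = RANGES[k]
            findings.append(f"ERROR {where}.{key}: {value!r} is not an integer in {lo}-{hi}")
        elif k == "usedtls" and not isinstance(value, bool):
            findings.append(f"WARN {where}.{key}: {value!r} is not a JSON boolean")

def validate_profile(text):
    """Return findings for a Sectra-style profile; an empty list means clean."""
    # Typographic quotes (as produced by copying from a formatted page) break JSON.
    if any(q in text for q in "\u201c\u201d"):
        return ["ERROR: typographic quotes found; JSON needs straight double quotes"]
    try:
        vendor = json.loads(text)["KNOX_VPN_PARAMETERS"]["vendor"]
        conn = vendor.get("connection", {})
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        return [f"ERROR: not a usable profile: {exc!r}"]
    findings = []
    servers = conn.get("servers", [])
    if not 1 <= len(servers) <= 6:
        findings.append(f"ERROR servers: {len(servers)} entries, expected 1-6")
    for i, srv in enumerate(servers):
        # 1-65535 is the general TCP/UDP port range, not a limit stated on the page.
        if not srv.get("address") or not _is_int_in(srv.get("port"), 1, 65535):
            findings.append(f"ERROR servers[{i}]: needs an address and a port in 1-65535")
    basic = conn.get("ssl", {}).get("basic", {})
    _check_params(basic, "basic", findings)
    if str(basic.get("pkcs12BaseUrl", "")).lower().startswith("http://"):
        findings.append("WARN basic.pkcs12BaseUrl: plain HTTP download URL, prefer HTTPS")
    profiles = vendor.get("trafficProfiles", [])
    if len(profiles) > 3:
        findings.append(f"ERROR trafficProfiles: {len(profiles)} entries, expected at most 3")
    for p in profiles:
        _check_params(p, f"trafficProfiles[{p.get('profileName', '?')}]", findings)
    return findings

# Constructed sample: the page's values, except mtuSize is pushed out of range.
SAMPLE = json.dumps({"KNOX_VPN_PARAMETERS": {"vendor": {
    "connection": {"servers": [{"address": "1.1.1.1", "port": 443}],
                   "ssl": {"basic": {"pkcs12BaseUrl": "http://download.server.com/certs/",
                                     "mtuSize": 1600, "useDtls": True, "tcpKeepalive": 1200}}},
    "trafficProfiles": [{"profileName": "RealTimeProfile", "mtuSize": 1500,
                         "useDtls": "true", "diffServ": 63}]}}})

if __name__ == "__main__":
    for finding in validate_profile(SAMPLE):
        print(finding)
```

The constructed sample produces one error (mtuSize) and two warnings: the HTTP download URL and the quoted "true" that the page's RealTimeProfile entry also carries.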

Configuring a Knox VPN profile manually

You can manually enter a profile only when the VPN vendor is Cisco. Select Manual Input in the Entering methods for Knox VPN field. Then set the options as below:

  1. Enter the IP address, host name, or URL of the VPN server in the Server address.
    • The VPN route type, which enables the use of VPN tunneling, is automatically entered.
  2. Select to use user authentication.
  3. Select a VPN connection type.
    • Keep On: Keep the VPN connection.
    • On Demand: Connect to the VPN upon request.
  4. Select the chaining type.
  5. Select to use the UID PID.

Sample file for uploading a Knox VPN profile

The following is a sample file with Cisco as the VPN vendor and IPSec as the VPN type:

{
  "KNOX_VPN_PARAMETERS": {
    "profile_attribute": {
      "profileName": "c1",
      "host": "12.3.456.78",
      "isUserAuthEnabled": true,
      "vpn_type": "ipsec",
      "vpn_route_type": 1
    },
    "ipsec": {
      "basic": {
        "username": "",
        "password": "",
        "authentication_type": 1,
        "psk": "",
        "ikeVersion": 1,
        "dhGroup": 0,
        "p1Mode": 2,
        "identity_type": 0,
        "identity": "test@sta.com",
        "splitTunnelType": 0,
        "forwardRoutes": [
          {
            "route": ""
          }
        ]
      },
      "advanced": {
        "mobikeEnabled": false,
        "pfs": true,
        "ike_lifetime": "10",
        "ipsec_lifetime": "25",
        "deadPeerDetect": true
      },
      "algorithms": {
      }
    },
    "knox": {
      "connectionType": "keepon",
      "chaining_enabled": "-1",
      "uidpid_search_enabled": "0"
    },
    "vendor": {
      "setCertCommonName": "space",
      "SetCertHash": "pluto",
      "certAuthMode": "Automatic"
    }
  }
}

The following is a sample file with Cisco as the VPN vendor and SSL as the VPN type:

{
  "KNOX_VPN_PARAMETERS": {
    "profile_attribute": {
      "profileName": "c3",
      "host": "cisco-asa.gnawks.com",
      "isUserAuthEnabled": true,
      "vpn_type": "ssl",
      "vpn_route_type": 1
    },
    "ssl": {
      "basic": {
        "username": "demo",
        "password": "samsung",
        "authentication_type": 1,
        "splitTunnelType": 0,
        "forwardRoutes": [
          {
            "route": ""
          }
        ]
      },
      "algorithms": {
        "ssl_algorithm": 0
      }
    },
    "knox": {
      "connectionType": "keepon",
      "chaining_enabled": "-1",
      "uidpid_search_enabled": "0"
    },
    "vendor": {
      "setCertCommonName": "space",
      "SetCertHash": "pluto",
      "certAuthMode": "Automatic"
    }
  }
}

VPN

You can configure the VPN settings to connect to a private network through a public network. You can add more VPN policy sets by clicking .

Policy

Description

Configuration ID

Assign a unique ID for the VPN setting.

VPN Name

Enter a VPN name to display on the user device.

Description

Enter a description for the VPN setting.

Remove available

Allows users to delete the VPN settings.

Connection type

Select a connection type and enter the parameters. Required parameters vary depending on the selected connection type.

  • PPTP: Set if PPP should be encrypted (MPPE).
  • L2TP/IPSec PSK: Enter parameters in the L2TP Secret Key, IPSec Identifier, and IPSec Pre-shared Key fields.
  • L2TP/IPSec RSA, IPSec Xauth RSA, IPSec Hybrid RSA: Select a root certificate from IPSec CA Certificates. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as VPN and the Type set as Root will appear on the list.
  • IPSec Xauth PSK: Enter parameters in the IPSec Identifier and IPSec Pre-shared Key fields.

Server address

Enter the IP address, host name, or URL of the VPN server that the device needs to access.

User information input method

Select an input method for entering user information.

  • Manual Input: Enter the user ID and Password for the VPN connection. You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
  • Connector interworking: Choose a connector from the User information Connector. All the connectors are listed in Advanced > System Integration > Directory Connector.
  • User Information: Use the user information registered in Knox Manage to access the VPN.

PPP Encryption (MPPE)

Allows encrypting data for the VPN connection.

DNS search domain

Enter the DNS name.

DNS server

Enter the DNS server address.

Forwarding route

This is automatically entered when Subnet Bits is selected.

Subnet Bits

Set the value to none or select a value from /1 to /30.

Certificate

You can install a user certificate on a device and use the certificate through Wi-Fi or on websites. You can add more certificate policy sets by clicking .

Policy

Description

Configuration

Assign a unique ID for each certificate setting.

Description

Enter a description for each certificate setting.

User certificate input method

Select an input method for entering certificate information.

  • EMM Management Certificate: Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.
    NOTE— Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.
  • Connector interworking: Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Add external certificates.
    When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.
  • Issuing external CA: Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Add external certificates.

Certification category

Select a certification category when EMM Management Certificate is selected in User certificate input method:

  • CA certificate: Select a certificate to use from the CA certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as Root will appear on the list.
  • User certificate: Select a certificate to use from the User Certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as User will appear on the list.