iOS

Create a profile and register policies for iOS devices.

You can configure the policies below for iOS devices. The availability of each policy varies depending on the OS version.

| Policy | Description |
|---|---|
| System | Allows features such as camera, screen capture, and Siri. |
| Security | Configures the password settings. |
| Application | Allows using Game Center, iMessage, and YouTube, and also enables configuring options for application controls, such as installation and blacklist/whitelist. |
| Phone | Configures the phone settings such as video calling and voice dialing. |
| Share | Allows the use of AirDrop and the transferring of data between managed applications and unmanaged applications. |
| Browser | Allows using the Safari browser and configuring its settings. |
| iCloud | Configures the iCloud settings, such as backup, iCloud photo library, and photo sharing. |
| Media | Enables selecting a country to choose the level of media content, such as movies, TV shows, and applications. |
| Wi-Fi | Configures Wi-Fi settings, such as SSID, security type, and proxy. |
| Exchange | Configures the settings of Microsoft Exchange ActiveSync accounts to synchronize data with it. |
| VPN | Configures VPNs (Virtual Private Network) on iOS devices. |
| Certificate | Allows using new certificate authority (CA) certificates and configuring the certificate settings. |
| SSO | Configures the SSO (Single Sign On) settings for one-click access to all applications. |
| Cellular | Configures the cellular network settings, such as AttachAPN and APNs. |
| AirPrint | Configures the AirPrint settings to enable computers to automatically detect an AirPrint printer. |
| Font | Allows the delivering of new fonts to devices. |
| WebClip | Configures the display of web shortcuts on an iOS device. |
| App Lock | Configures the functions of an application that is locked down on a supervised device. |
| Global HTTP Proxy | Configures a global HTTP proxy to direct all HTTP traffic through a designated proxy server. |
| AirPlay | Configures the AirPlay settings to allow iOS devices to share content. |
| Web Content Filter | Configures the settings for the Web content filter to control accessing specific URLs on a web browser. |
| Managed domains | Specifies URLs or subdomains to allow downloading content from these domains without any restrictions. |
| Network Usage Rules | Configures network usage rules to control which applications can access data or when the device is roaming. |

System

| Policy | Description | Supported devices |
|---|---|---|
| Camera | Allows using the camera. | iOS 4.0 or higher |
| Screen capture | Allows use of the screen capture function, which is already set as default. | iOS 4.0 or higher |
| Siri | Allows using Siri. | iOS 5.0 (iPhone 4S); iOS 6.0 (iPad 3) |
| > Siri on lock screen | Allows using Siri on the lock screen. | iOS 5.1 (iPhone 4S); iOS 6.0 (iPad 3) |
| > Web search result on Siri | Allows displaying the web search results on Siri. | iOS 7.0 or higher; Supervised |
| > Profanity filter on Siri | Select to use the Profanity filter on Siri. • Forced use: Users are forced to use the Profanity filter on Siri. • User selection: Users are allowed to select whether to use the Profanity filter on Siri. | iOS 5.0 (iPhone 4S); iOS 6.0 (iPad 3) or higher; Supervised |
| Submission of diagnosis and usage details | Allows submitting diagnostic results and usage information to the manufacturer. NOTE— Personally identifiable or sensitive information will be data masked. | iOS 6.0 or higher |
| Passbook on lock screen | Allows using the Passbook on the lock screen. | iOS 6.0 or higher |
| Control center on lock screen | Allows using the Control center on the lock screen. | iOS 7.0 or higher |
| Display notifications on lock screen | Allows displaying the notifications on the lock screen. | iOS 7.0 or higher |
| Display Today view on lock screen | Allows displaying the Today view on the lock screen. | iOS 7.0 or higher |
| Manual installation for profile | Allows manual installation of the Apple Configuration Profile. | iOS 6.0 or higher; Supervised |
| Control editing account information | Allows editing the account information. | iOS 7.0 or higher; Supervised |
| Automatic updates of certificate trust settings | Allows automatic updates of the certificate trust settings. | iOS 7.0 or higher |
| Encryption for iTunes backup | Select to encrypt the iTunes backup. • Forced use: Users are forced to encrypt. • User selection: Users are allowed to select whether to encrypt. | iOS 7.1 or higher |
| iTunes pairing | Allows iTunes connection with unauthorized PCs. | iOS 7.0 or higher; Supervised |
| Limited Ad tracking | Select to use the Limit Ad tracking. • Forced use: Users are forced to use Limit Ad tracking. • User selection: Users are allowed to select whether to use Limit Ad tracking. | iOS 7.0 or higher |
| Factory reset | Allows a device to factory reset. | iOS 8.0 or higher; Supervised |
| Result of web search with Spotlight | Allows displaying the web search results from Spotlight search. | iOS 8.0 or higher; Supervised |
| Block configuration | Allows users to configure any restrictions on the menus by activating the block menu function. If the policy is prohibited, the users cannot configure the device via the block menu function. | iOS 8.0 or higher; Supervised |
| Change device name | Select to automatically change the device name to a mobile ID when updating the profile. For this policy, you can send a device command to set the device name as the mobile ID. | iOS 8.0 or higher; Supervised |
| Allow Bluetooth Modification | Allows modifying Bluetooth settings on the device. | iOS 10.0 or higher; Supervised |

Security

| Policy | Description | Supported devices |
|---|---|---|
| Password policies | Set to apply the password policy when the screen is locked. | |
| > Password strength | Set the password strength on the screen. • None: Set the password with a four digit number. • Numeric: Set the password using numbers. • Must be alphanumeric: Set the password using alphanumeric characters. • Must include special characters: Set it so that the passwords must include alphanumeric and special characters. | iOS 4.0 or higher |
| > Maximum Failed Login Attempts | Set the maximum number of incorrect password attempts before resetting the device to its factory settings. The value can be between 0 - 10 times. | iOS 4.0 or higher |
| > Minimum length | Set the minimum length of the password. The value can be between 0 - 16 characters. | iOS 4.0 or higher |
| > Expiration after (days) | Set the maximum number of days before the password must be reset. The value can be between 0 - 730 days. | iOS 4.0 or higher |
| > Manage password history (times) | Set the minimum number of new passwords that must be used before a user can reuse the previous password. The value can be between 0 - 50 times. | iOS 4.0 or higher |
| > Screenlock time (min) | Set the maximum inactive time before the screen of the device is locked. The maximum allowed time varies by device-type. NOTE— 1, 3, and 4 minute intervals are available with iPhone. 10 and 15 minute intervals are available with iPad. | iOS 4.0 or higher |
| > Screenlock grace period (min) | Set the time duration for device lock after turning off a device screen without entering the password. NOTE— Select 0 to lock the device immediately. | iOS 4.0 or higher |
| > Screen unlock with Touch ID | Allows screen unlock with Touch ID. | iOS 7.0 or higher |

Application

| Policy | Description | Supported devices |
|---|---|---|
| Application installation | Allows the installation of applications. NOTE— Applications can be installed using MDM but cannot be installed using iTunes. | iOS 4.0 or higher |
| > Allow App Store to install Apps | Allows using the App Store for application installation. NOTE— Applications can be installed using MDM but cannot be installed using iTunes. | iOS 9.0 or higher; Supervised |
| Application uninstallation | Allows applications to be deleted. | iOS 6.0 or higher; Supervised |
| iTunes Store | Allows using the iTunes Store. | iOS 4.0 or higher |
| > Explicit content on music and podcasts | Allows the purchase of explicit content from the iTunes Store. | iOS 4.0 or higher; Supervised |
| > Require iTunes password for every purchase | Select to require the iTunes Store password for every purchase made in the iTunes Store. | iOS 5.0 or higher |
| Game Center | Allows using Game Center. | iOS 6.0 or higher; Supervised |
| > Adding friends in Game Center | Allows adding friends in Game Center. | iOS 4.0 or higher |
| > Multiplayer games | Allows multiplayer games in Game Center. | iOS 4.0 or higher; Supervised |
| iBookstore | Allows iBookstore. | iOS 6.0 or higher; Supervised |
| Inappropriate content download on iBookstore | Allows downloading unrated media content. | iOS 6.0 or higher; Supervised (iOS 6.1 or below) |
| iMessage | Allows using the messaging application. | iOS 6.0 or higher; Supervised |
| YouTube | Allows using YouTube. | iOS 5.1 or lower |
| Find friends | Allows the Find My Friends function. | iOS 7.0 or higher; Supervised |
| In-app purchase | Allows in-app purchases. | iOS 4.0 or higher |
| Application black/whitelist Settings | Set to control the application installation policies. Both the blacklist and whitelist policies can be applied at the same time. NOTE— If the Application black/whitelist Settings policy is set with no applications, then no other applications except for the Knox Manage agent will be allowed to be executed and installed. | iOS 4.0 |
| > Application installation blacklist | Add applications to prohibit their installation. Blacklisted applications will be deleted even if they were previously installed. • To add an application, click Add, and then select applications in the “Select Application” window. • To delete an application, click next to the added application. NOTE— An application that has been added on the Application installation whitelist cannot be added. | iOS 4.0 or higher |
| > Application installation whitelist | Add applications to allow their installation. Any applications not on the whitelist are deleted, even if they are not on the blacklist. • To add an application, click Add, and then select applications in the “Select Application” window. • To delete an application, click next to the added application. NOTE— An application that has been added on the Application installation blacklist cannot be added. | iOS 4.0 or higher |
| Autonomous single app mode | Set to use Autonomous Single App Mode, which enables applications to use Single App Mode on request. This policy grants a permission to perform the Application Lock function. | iOS 7.0 or higher; Supervised |
| > List of apps allowing auto single app mode | Add applications to autonomously enable or disable Single App Mode. • To add an application, click Add, and then select applications in the “Select Application” window. • To delete an application, click next to the added application. | iOS 7.0 or higher; Supervised |
| To trust company app | Allows the trusted Company applications. Company applications installed before the policy has been set can still be executed. | iOS 9.0 or higher |
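
A dry run of the Application black/whitelist Settings rules in the table above, as an added example that is not Knox Manage code: it lists which installed applications a given pair of lists would delete before the profile is pushed. The bundle IDs, `AGENT_ID`, the agent being exempt in every case, and the blacklist-only behavior (only blacklisted applications are removed) are assumptions.

```python
from dataclasses import dataclass

# Placeholder bundle ID standing in for the Knox Manage agent (assumption).
AGENT_ID = "com.example.mdm.agent"

# Constructed device inventory; every bundle ID here is made up.
INSTALLED = [AGENT_ID, "com.example.mail", "com.example.chat", "com.example.game"]


@dataclass(frozen=True)
class AppListPolicy:
    blacklist: frozenset = frozenset()
    whitelist: frozenset = frozenset()

    def __post_init__(self):
        # An application already on one list cannot be added to the other.
        overlap = set(self.blacklist) & set(self.whitelist)
        if overlap:
            raise ValueError(f"on both lists: {sorted(overlap)}")


def removal_plan(policy, installed):
    """Return {bundle_id: reason} for every installed app the policy would delete."""
    blacklist, whitelist = set(policy.blacklist), set(policy.whitelist)
    empty_policy = not blacklist and not whitelist
    plan = {}
    for app in sorted(set(installed)):
        if app == AGENT_ID:
            continue  # assumption: the agent is never removed by its own policy
        if app in blacklist:
            # Blacklisted applications are deleted even if previously installed.
            plan[app] = "on blacklist"
        elif whitelist and app not in whitelist:
            # Anything not on the whitelist is deleted, blacklisted or not.
            plan[app] = "not on whitelist"
        elif empty_policy:
            # Policy set with no applications: only the agent may remain.
            plan[app] = "policy set with no applications"
    return plan


if __name__ == "__main__":
    cases = {
        "blacklist only": AppListPolicy(blacklist=frozenset({"com.example.game"})),
        "whitelist only": AppListPolicy(whitelist=frozenset({"com.example.mail"})),
        "both lists": AppListPolicy(
            blacklist=frozenset({"com.example.game"}),
            whitelist=frozenset({"com.example.mail"}),
        ),
        "no applications": AppListPolicy(),
    }
    for name, policy in cases.items():
        print(f"{name}: {removal_plan(policy, INSTALLED)}")
```

Running the plan against a real inventory export before assignment shows the effect of an empty or whitelist-only policy, which removes far more than the list itself suggests.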

Phone

| Policy | Description | Supported devices |
|---|---|---|
| Modification of cellular data settings for each application | Allows modifying cellular data usage per application. | iOS 7.0 or higher; Supervised |
| Video calling | Allows video calling. | iOS 4.0 or higher |
| Voice dialing | Allows voice dialing. | iOS 4.0 or higher |
| Background fetch for roaming | Allows background fetch when roaming. | iOS 4.0 or higher |

Share

| Policy | Description | Supported devices |
|---|---|---|
| Data transfer from managed to unmanaged applications | Allows transferring data from managed applications installed by Knox Manage to unmanaged applications installed by users. | iOS 7.0 or higher |
| Data transfer from unmanaged to managed applications | Allows transferring data from unmanaged applications installed by users to managed applications installed by Knox Manage. | iOS 7.0 or higher |
| AirDrop | Allows the use of AirDrop. | iOS 7.0 or higher; Supervised |
| Consider AirDrop not managed | Allows the sharing of managed documents when using AirDrop on the device. | iOS 9.0 or higher; Supervised |

Browser

| Policy | Description | Supported devices |
|---|---|---|
| Safari | Allows using Safari, the default iOS browser. | iOS 4.0 or higher |
| Cookies | Set the cookies permission in Safari. • Disallow: Disallows accepting cookies. • Currently only connected websites are allowed: Allows accepting cookies from the currently connected sites. • Only visited websites are allowed: Allows accepting cookies from the visited sites. • Always: Always allows cookies. | iOS 6.0 or below |
| JavaScript | Allows JavaScript in Safari. | iOS 6.0 or below |
| Autofill | Allows auto-completion of information that you enter on websites in Safari. | iOS 4.0 or higher |
| Block pop-ups | Allows blocking pop-ups in Safari. | iOS 4.0 or higher |
| Untrusted TLS certificate | Allows accepting untrusted TLS certificates. | iOS 5.0 or higher |
| Web forgery warning | Shows a warning message about potentially fraudulent websites. • Forced use: Safari is forced to display a warning message. • User selection: Users are allowed to select whether to use web forgery warning. | iOS 4.0 or higher |

iCloud

| Policy | Description | Supported devices |
|---|---|---|
| Backup | Allows backing up the device data on iCloud. | iOS 5.0 or higher |
| Document synchronization | Allows synchronizing device documents on iCloud. | iOS 5.0 or higher |
| iCloud Photo Library | Allows use of the iCloud Photo Library for uploading photos and videos on iCloud. | iOS 9.0 or higher |
| Photo stream | Allows using Photo Stream for storing personal photos on iCloud. | iOS 5.0 or higher |
| Photo sharing | Allows using Photo Sharing for sharing personal photos through iCloud. | iOS 6.0 or higher |
| Keychain synchronization | Allows Keychain synchronization on iCloud, which helps users to have consistent access to their user account, name, password, credit card number, email, contracts, schedule, and other user information on all their devices. | iOS 7.0 or higher |
| Managed app synchronization | Allows synchronizing managed applications installed by the Knox Manage server to save data on iCloud. | iOS 8.0 or higher |
| Handoff | Allows the use of Handoff, one of Apple’s Continuity features, to move and continue performing the same tasks seamlessly between devices through iCloud. | iOS 8.0 or higher |

Media

| Policy | Description | Supported devices |
|---|---|---|
| Rating for each country | Select a country to set a rating level for media content, such as movies, TV shows, and applications, from below: United States/United Kingdom/New Zealand/Japan/Ireland/Germany/France/Canada/Australia. | iOS 4.0 or higher |
| > Movies | Set the maximum allowable movie rating. | iOS 4.0 or higher |
| > TV Shows | Set the maximum allowable TV show rating. | iOS 4.0 or higher |
| > Apps | Set the advertisement tracking restriction on the device. | iOS 4.0 or higher |

Wi-Fi

You can add more Wi-Fi policy sets by clicking .

Policy

Description

Configuration ID

Assign a unique ID for each Wi-Fi setting.

Description

Enter a description for each Wi-Fi setting.

Network name (SSID)

Enter the identifier of a wireless router to connect to.

You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.

Security Type

Specifies the access protocol used and whether certificates are required.

> WEP

Set a password.

> WPA/WPA2

> For all individuals

> Enterprise WEP

Configure the following items:

  • Protocol

Permitted EAP Type: Select the EAP types to permit. You can select multiple types.

EAP-FAST: Configure the EAP-FAST options. Enable the next options by clicking the previous one.

A dynamic trust decision by the user: Select whether to use the option.

Allow direct connection(Proxy URL): Select whether to use the option.

  • Authentication

One-time password for connection: Check to enable.

Manual Input: Enter the user ID and Password for the Wi-Fi connection.

You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.

Connector interworking: Choose a connector from the User information Connector.

  • Trust

Root Certificate: Select a Root Certificate to use.

> Enterprise WPA/WPA2

> For all enterprises

Hotspot Availability

Check to enable Hotspot usage and configure its settings. If this policy is enabled, the device will be connected to Wi-Fi access points that support Hotspot 2.0.

> Hotspot Domain Name

Assign an identifier to the Wi-Fi hotspot service displayed on a device.

> Operator Name

Assign the name of the network provider shown on the device.

> Roaming Consortium OI

Add a Roaming Consortium organization ID to connect to.

> Network Access ID

Add an ID to authenticate network access.

> Hotspot Operator Code

Add both the Mobile Country Code (MCC) and the Mobile Network Code (MNC).

NOTE— For SK Telecom (a South Korean wireless telecom operator) devices, enter 45005.

Hidden Network

Check the checkbox to hide the network from the list of available networks on the device. The SSID does not broadcast.

Auto Connect (iOS 5 and above)

Check the checkbox to use an automatic Wi-Fi connection.

NOTE— This setting is for iOS 5 or higher.

Protocol

Specifies the permitted protocol for the Wi-Fi network.

NOTE— This tab is enabled if the Security Type is selected as Enterprise WEP, Enterprise WPA/WPA2, or for all enterprises.

> Permitted EAP Type

Select more than one permitted protocol: TLS, LEAP, EAP-FAST, TTLS, PEAP, and EAP-SIM.

NOTE— If TTLS is checked, select an extra protocol from the Internal Authentication Protocol.

> EAP-FAST

Select PAC protocols to use from the following:

  • Use PAC: Determines whether to use PAC.
  • PAC Deployment: Check the Use PAC option to enable it.
  • Anonymous PAC Deployment: Check PAC Deployment to enable it.

> A dynamic trust decision by user

Allows using a dynamic trust decision by the user protocol.

> Allow direct connection (Proxy URL)

Allows using the direct connection protocol.

Authentication

Specifies the authentication of the Wi-Fi users. This tab is enabled if the Security Type is selected as Enterprise WEP, Enterprise WPA/WPA2, or for all enterprises.

> One-time password for connection

Select to ask users to enter the password whenever Wi-Fi is connected.

  • If checked, the Auto Connect setting is automatically disabled.
  • If unchecked, the Auto Connect is automatically activated.

NOTE— This setting is for iOS 5 or higher.

 

> User information input method

Specifies the user information used and whether certificates are required. Select an input method as follows:

  • Manual Input: Enter the user ID and Password for the Wi-Fi connection.
  • Connector interworking: Choose a connector from the User information Connector.

You can also click Lookup to open the reference items list and select an item from it when entering an ID for the Manual Input. The reference value will be automatically entered.

> External ID

Assign an external ID for Manual Input.

NOTE— This setting is available when either TTLS, PEAP, or EAP-FAST is selected.

> User Certificate Type

Select the user certificate type.

  • EMM Management Certificate: Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.

NOTE— Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.

  • Connector interworking: Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Adding sync services.

When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.

  • Issuing external CA: Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template.

Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Adding external certificates.

Trust

Specifies the required certificates. This tab is enabled if the Security Type selected is Enterprise WEP, Enterprise WPA/WPA2, or for all enterprises.

> Trusted certificate name

Add the name of the Trusted certificate.

> Root Certificate

Select a Root Certificate.

Proxy

Select a proxy server settings method.

NOTE— This setting is for iOS 5 or higher.

> Manual

Configure the proxy server manually.

  • Proxy IP Address and Port: Enter the IP address of the proxy server and the port number used by the proxy server.
  • User name: Enter the username for the proxy server.
  • Proxy Authenticated User Password: Enter the password for the proxy server.

> Auto

Configure the proxy server automatically.

  • Proxy Server URL: Enter the URL of the proxy server.

Exchange

You can add more Exchange policy sets by clicking .

Policy

Description

Configuration ID

Assign a unique ID for each Exchange setting.

Description

Enter a description for each Exchange setting.

Office365

Allows configuring the Exchange settings.

NOTE— This policy will automatically fill out the Exchange server address and the SSL option as ‘Use’.

User information input method

Select an input method for entering user information.

> Manual Input

Select to manually enter the email address, account ID, and password of a user.

You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.

> Connector interworking

Select to choose a connector from the User Information Connector list.

NOTE— All the connectors are listed in Advanced > System Integration > Directory Connector.

> User information

Select to access the exchange server using the registered Knox Manage email and ID. The password must be entered from the user’s device.

Domain

Enter a domain address for the Exchange server.

You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.

Host

Enter the host name of the email server.

SSL

Set to use SSL for email encryption.

NOTE— If the Office 365 setting is used, the SSL option is automatically set to ‘Use’.

User certificate input method

Select an input method for entering certificate information.

> EMM Management Certificate

Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.

NOTE— Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.

  • User Certificate: Select a certificate to use from the User Certificate list.

> Connector interworking

Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration (Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Adding sync services.

When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.

  • User certificate Connector: Select a connector to use from the User certificate Connector list.

> Issuing external CA

Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Adding external certificates.

  • Issuing external CA: Select an external CA to use from the Issuing external CA list.

Sync Interval

Select the interval period to sync the past emails.

NOTE— The sync interval and synchronization are in accordance with the email application settings.

Do not move message to other accounts

Select to use the policy.

Available only on mail app

Select to use the policy.

Do not sync the recently used email address

Select to use the policy.

Activate S/MIME

Check to activate and configure S/MIME functions for email security.

> S/MIME signing certificate input method

Select EMM Management Certificate or Connector interworking.

  • EMM Management Certificate: Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.

NOTE— Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.

  • Connector interworking: Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Adding sync services.

When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.

> S/MIME Signing Certificate

Available only when EMM Management Certificate is selected.

Choose the signing certificate according to the S/MIME signing certificate input method.

> S/MIME signing certificate connector

Available only when Connector interworking is selected.

Choose the signing certificate connector according to the S/MIME signing certificate input method.

> S/MIME encryption certificate input method

Select EMM Management Certificate or Connector interworking.

  • EMM Management Certificate: Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.

NOTE— Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.

  • Connector interworking: Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Adding sync services.

When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.

> S/MIME Encryption Certificate

Available only when EMM Management Certificate is selected.

Choose the Encryption Certificate according to the S/MIME encryption certificate input method.

> S/MIME signing certificate connector

Available only when Connector interworking is selected.

Choose the signing certificate connector according to the S/MIME signing certificate input method.

> S/MIME Enable Per Message Switch

Check the checkbox to enable S/MIME per message.

VPN

You can configure the VPN settings to connect to a private network through a public network. You can add more VPN policy sets by clicking .

Policy

Description

Configuration ID

Assign a unique ID for the VPN setting.

Description

Enter a description for the VPN setting.

Connection type

Select a connection type and enter the parameters. Required parameters vary depending on the selected connection type.

  • L2TP: Set the Shared Security and Send All Traffic options.
  • PPTP: Set the Encryption Step and Send All Traffic options.
  • IPSec (Cisco): Enter the items depending on the selected device authentication type:

If Device Authentication is set to certificate, set Domain/Host Pattern and Action for it. Then select a User certification input method and set Include User PIN when a device is authenticated.

If Device Authentication is set to Shared Security/Group Name, set the Group Name and Shared Security options. Then set Use mixed authentication and Password Request when a device is connected with VPN.

  • Cisco AnyConnect: Set the Group Name option.
  • Juniper SSL: Set the Realm and Role options. If this is selected, Pulse secure VPN, a new VPN, is supported and previous Juniper Pulse versions will not be supported.
  • SonicWALL Mobile Connect: Set the Login Group or Domain options.
  • IKEv2: For IKEv2, see configuring VPN IKEv2 connection.

Server address

Enter the IP address, host name, or URL of the VPN server that the device needs to access.

VPN Application Allocation

Select applications that will be allowed to connect to a VPN automatically.

Click Add, select applications, and then click OK.

Safari Domain

Select URLs that will be allowed to connect to a VPN automatically on Safari.

Enter a domain address, and then click .

VPN type for each app

Select a VPN type for each application.

  • packet-tunnel: for app-layer tunneling
  • app-proxy: for packet-layer tunneling

User Connection Authentication Type

Select an authentication type for user connection between Password and RSA SecurID.

User information input method

Select an input method for entering user information.

  • Manual Input: Enter the user ID and Password for VPN connection.

You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.

  • Connector interworking: Choose a connector from the User information Connector. All the connectors registered in Advanced > System Integration > Directory are listed in the User information Connector.
  • User Information: Use the user information registered in Knox Manage to access VPN.

ID

Set an ID for the VPN settings.

You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.

Password

Set a password for the VPN settings.

You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.

User certificate input method

Select an input method for entering certificate information.

  • EMM Management Certificate: Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate.

NOTE— All users share this one certificate for each network setting. Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.

User certificate: Select a certificate to use from the User Certificate list.

  • Connector interworking: Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration (Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Adding sync services. When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.

User Information Connector: Select a connector to use from the User certificate Connector list.

  • Issuing external CA: Register a certificate obtained from an external certificate authority in Advanced > Certificate > Certificate Template. Then register a certificate template for each network setting and verify it as a user certificate. To learn more about how to add an external certificate, see Adding external certificates.

Issuing External CA: Select an external CA to use from the Issuing external CA list.

NOTE— User certificate input method appears only when certificate is selected in the user connection authentication type or in the device authentication.

Proxy Settings

Select the setting for the proxy server.

  • Manual: Enter the proxy IP address and port number. Then enter the user name and password for proxy authentication.
  • Auto: Enter the proxy server URL address.

Configuring VPN IKEv2 connection

If the connection type is set to IKEv2, you can configure the setting as follows:

1. Set the VPN auto connection settings.

  • VPN auto connection (Only devices allowed by director): Keeps VPN activated on the device.
  • Allow users to deactivate auto connection: Allows users to deactivate auto connection on the device.
  • Use the same tunnel for both cellular and Wi-Fi: Configure the VPN connection information to be used by both networks. To use different tunnel configurations for cellular and Wi-Fi, click the Cellular and Wi-Fi tabs and enter the VPN connection information.
  • If a profile has more than two VPN settings with VPN auto connection checked, the profile will not be installed on the device.

2. Enter the information below:

Item

Description

Server address

Enter the IP address, host name, or URL of the VPN server.

Local identifier

Enter the value to identify the IKEv2 client in the format below:

  • FQDN, UserFQDN, Address, and ASN1DN

Remote identifier

Enter the value in the format below:

  • FQDN, UserFQDN, Address, and ASN1DN

System authentication

Select a VPN authentication method:

  • Security sharing: Enter the security sharing password.
  • Certificate: Select a user certificate input method. Then enter the common name of the server certificate issuer and the common name of the server certificate.

EAP activation

Determines if EAP is activated. If activated, select one of the following:

  • Certificate: Select a user certificate input method.
  • Password: Enter the user ID and Password.

Dead Peer Detection speed

Set the interval for checking the usability of the VPN equipment.

Encryption algorithm

Choose the Encryption algorithm.

  • IKE SA: DES, 3DES, AES-128, AES-256, AES-128-GCM, AES-256-GCM
  • Sub SA: DES, 3DES, AES-128, AES-256, AES-128-GCM, AES-256-GCM

Integrity algorithm

Choose the Integrity algorithm.

  • IKE SA: SHA1-96, SHA1-160, SHA2-256, SHA2-384, SHA2-512
  • Sub SA: SHA1-96, SHA1-160, SHA2-256, SHA2-384, SHA2-512

Diffie Hellman group

Select the group to be used for the Diffie-Hellman algorithm.

  • IKE SA: 0, 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21
  • Sub SA: 0, 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21

Time(min)

Enter the session expiration period.

  • IKE SA: Between 10 and 14440. The default value is 14440.
  • Sub SA: Between 10 and 14440. The default value is 14440.

Enable NAT keepalive while the device is in sleep mode

Enable NAT Keepalive and set the interval for Keepalive.

NOTE— This item is for iOS 9 or higher.

NAT keepalive interval

Set NAT KeepAlive intervals in seconds. The default value is 20 seconds.

NOTE— This item is for iOS 9 or higher.

Use IPv4/IPv6 internal subnet properties

Select to use the IPv4/IPv6 internal subnet attribute of IKEv2.

NOTE— This item is for iOS 9 or higher.

Disable portability and multi-homing

Select to deactivate portability and multi-homing (MOBIKE).

NOTE— This item is for iOS 9 or higher.

Disable redirect

Select to disable IKEv2 connection redirection.

NOTE— This item is for iOS 9 or higher.

Enable a perfect forward secrecy

Select to enable PFS (Perfect Forward Secrecy).

NOTE— This item is for iOS 9 or higher.

Voice mail box / AirPrint

Select the allowed traffic range when using Voicemails and AirPrint.

  • Allow traffic to go through tunnel/Allow traffic outside tunnel/Drop traffic

Captive web sheet traffic outside of VPN tunnel

Allows captive web sheet traffic outside the VPN tunnel.

Captive Network App bundle identifier

Enter the Captive Network App bundle identifier to allow and click to disallow this item.
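The IKEv2 options above include legacy choices (DES, 3DES, SHA-1, Diffie-Hellman groups 0, 1, 2 and 5). The following is an added example, not part of the Knox Manage documentation: a Python check that reads an exported configuration profile and flags those choices. It assumes the profile uses Apple's VPN payload key names (com.apple.vpn.managed, IKESecurityAssociationParameters, ChildSecurityAssociationParameters, EnablePFS, AuthenticationMethod); the list of values to flag is an assumed audit policy, and the sample profile is constructed.

```python
import plistlib

# Constructed sample: an IKEv2 VPN payload using Apple's key names, made-up values.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.vpn.managed</string>
  <key>VPNType</key><string>IKEv2</string>
  <key>IKEv2</key><dict>
   <key>AuthenticationMethod</key><string>SharedSecret</string>
   <key>EnablePFS</key><false/>
   <key>IKESecurityAssociationParameters</key><dict>
    <key>EncryptionAlgorithm</key><string>3DES</string>
    <key>IntegrityAlgorithm</key><string>SHA1-96</string>
    <key>DiffieHellmanGroup</key><integer>2</integer></dict>
   <key>ChildSecurityAssociationParameters</key><dict>
    <key>EncryptionAlgorithm</key><string>AES-256-GCM</string>
    <key>IntegrityAlgorithm</key><string>SHA2-256</string>
    <key>DiffieHellmanGroup</key><integer>19</integer></dict>
  </dict></dict></array>
</dict></plist>"""

# Assumed audit policy (not from the page): values to flag in either SA.
WEAK = {"EncryptionAlgorithm": {"DES", "3DES"},
        "IntegrityAlgorithm": {"SHA1-96", "SHA1-160"},
        "DiffieHellmanGroup": {0, 1, 2, 5}}  # none, or MODP of 1536 bits or less
SA_KEYS = ("IKESecurityAssociationParameters", "ChildSecurityAssociationParameters")

def audit_ikev2(profile_bytes):
    """Return (payload index, scope, finding) tuples for weak IKEv2 settings."""
    findings = []
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    for i, payload in enumerate(payloads):
        if (payload.get("PayloadType"), payload.get("VPNType")) != ("com.apple.vpn.managed", "IKEv2"):
            continue
        ike = payload.get("IKEv2", {})
        for sa in SA_KEYS:
            params = ike.get(sa, {})  # absent keys use OS defaults, not judged here
            for key, bad in WEAK.items():
                if params.get(key) in bad:
                    findings.append((i, sa, "%s=%s" % (key, params[key])))
        if not ike.get("EnablePFS"):
            findings.append((i, "IKEv2", "EnablePFS is off"))
        if ike.get("AuthenticationMethod") == "SharedSecret":
            findings.append((i, "IKEv2", "shared secret instead of certificate"))
    return findings

if __name__ == "__main__":
    print(*audit_ikev2(SAMPLE_PROFILE), sep="\n")
```

The IKE SA and Sub SA are checked separately because the console lets each one take a different algorithm set, so a strong Sub SA does not cover a weak IKE SA.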

Certificate

You can add more certificate policy sets by clicking .

Policy

Description

Configuration ID

Assign a unique ID for each certificate setting.

Description

Enter a description for each certificate setting.

Certificate category

Select a certification category.

  • CA Certificate: Select a certificate to use from the CA certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as Root will appear on the list.
  • User certificate: Select a certificate to use from the User Certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as User will appear on the list.

SSO

SSO (Single Sign On) service offers one-click access to all of the applications without additional authentication. You can add more SSO policy sets by clicking .

Policy

Description

Configuration ID

Assign a unique ID for each SSO setting.

Description

Enter a description for each SSO setting.

Account Name

Enter the name that appears on the device.

Principal Name

Enter the principal name.

Realm

Enter a domain name that is able to use SSO. You must enter the name in upper case letters.

URL Prefixes

Enter a URL to be accessed with SSO.

Click , enter a URL, and then click .

App Identifier

Enter the bundle ID of an application that you can use through SSO. If there is no application added on the list, SSO can be used for all applications.

Click , enter the bundle ID of an application, and then click .

Cellular

Configure the cellular network settings and control how the device accesses the cellular network. If an APN has already been set, the cellular configuration will not be applied. You can add more cellular policy sets by clicking .

Policy

Description

Configuration ID

Assign a unique ID for each cellular setting.

Description

Enter a description for each cellular setting.

AttachAPN

Configure the settings for an Attach APN.

  • Name: Enter the name for the setting. You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
  • Authentication Method: Choose PAP or CHAP.
  • Username: Enter the user name for user authentication.
  • Password: Enter the password for user authentication.

APNs

Configure the setting for an APN.

  • Name: Enter the name for the setting. You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
  • Authentication Method: Choose PAP or CHAP.
  • Username: Enter the user name for user authentication.
  • Password: Enter the password for user authentication.
  • Proxy Server: Enter the IP address of a proxy server.
  • Proxy Server Port: Enter the port number of a proxy server.

AirPrint

You can add a printer to the AirPrint list on the device and configure devices and printers that exist on different networks conveniently. You can add more AirPrint policy sets by clicking .

Policy

Description

Configuration ID

Assign a unique ID for each setting.

Description

Enter a description for each setting.

AirPrint Printer List

Add printers that support AirPrint.

Click , enter an IP address and a resource path, and then click .

For the resource path, you can enter values such as the following:

  • printers/Canon_MG5300_series
  • printers/Xerox_Phaser_7600
  • ipp/print
  • Epson_IPP_Printer

Font

You can add more font policy sets by clicking .

Policy

Description

Configuration ID

Assign a unique ID for each font setting.

Description

Enter a description for each font setting.

Font

Add a font to use on the device.

Click Add and add a font.

WebClip

You can add more WebClip policy sets by clicking .

Policy

Description

Configuration ID

Assign a unique ID for each web clip setting.

Description

Enter a description for each web clip setting.

Label

Enter a web clip name to be displayed on the device home screen.

URL

Enter a web clip URL address.

Removable

Check the checkbox to allow users to delete the web clip account settings.

Icon

Click Add, and then click Browse to select an icon that will be displayed on the user’s device home screen. Then click OK to add.

  • The icon must be 59 x 60 px and in the PNG file format.
  • A white square image will be displayed if no icon is selected.

App Lock

You can add more App Lock policy sets by clicking .

Policy

Description

Configuration ID

Assign a unique ID for each application lock setting.

Description

Enter a description for each application lock setting.

App Bundle ID

Enter the application bundle ID to identify applications.

Options

Check the box to configure the application lock options.

> Touch Screen

Allows device touchscreen mode.

> Screen Rotation

Enables using the landscape or portrait mode of the device screen.

> Volume Button

Enables adjusting the volume.

> Ringer Switch

Enables turning ringer mode on and off with the ringer switch.

> Power Button

Allows turning the device on or off through the power button.

> Auto Lock

Enables automatically locking the device after a fixed amount of time through auto lock.

> VoiceOver

Turn on VoiceOver for the screen-reading feature.

> Zoom In/Out

Turn on the zoom feature to configure easy zooming on the screen display.

> Invert Colors

Turn on color inversion to show colors on the device screen as their complementary colors.

> Assistive Touch

Allows a virtual home button to perform multiple actions on the screen with a simple tap.

> Speak Selection

Turn on Speak Selection to have selected text read aloud.

> Mono Audio

Turn on Mono Audio to play both audio channels in one ear using a headset.

User Enabled Options

Check the box to configure user enabled options.

> VoiceOver

Enables VoiceOver for the screen-reading feature.

> Zoom In/Out

Allows for configuring the easy zoom in and out feature on the display.

> Invert Colors

Allows color inversion to display colors on the device screen as their complementary colors.

> Assistive Touch

Allows a virtual home button to perform multiple actions on the screen with a simple tap.

Global HTTP Proxy

You can add more global HTTP policy sets by clicking .

Policy

Description

Configuration ID

Assign a unique ID for each global HTTP proxy setting.

Description

Enter a description for each global HTTP proxy setting.

Proxy Type

Select and enter the corresponding items depending on the proxy type.

> Manual

  • Proxy Server and Port: Enter the IP address of a proxy server and the port number of the proxy server.
  • Username: Enter the username for user authentication.
  • Password: Enter the password for user authentication.

> Auto

  • Proxy PAC URL: Enter the URL of the PAC file that defines the proxy configuration.
  • Proxy PAC Fallback Allowed (iOS 7 or above): Check the checkbox to allow a direct connection from the user device if the PAC connection fails.

Proxy Captive Login Allowed (iOS 7 or above)

Check the checkbox to allow the device to bypass the proxy server to display the login page for captive networks.

AirPlay

These policies support devices with iOS 7 or above. You can add more AirPlay policy sets by clicking .

Policy

Description

Configuration ID

Assign a unique ID for each AirPlay setting.

Description

Enter a description for each AirPlay setting.

Whitelist (Supervised)

Add an AirPlay device ID to the whitelist so that it is displayed on the user’s device.

Click , enter a device ID, and then click .

Passwords

Add an AirPlay device password.

Click , enter a device name and password, and then click .

Web Content Filter

You can add a specific URL to the whitelist or blacklist. These policies support devices with iOS 7 or higher in Supervised mode. You can add more web content filter policy sets by clicking .

Policy

Description

Configuration ID

Assign a unique ID for each setting.

Description

Enter a description for each setting.

Auto Filter Enabled

Check the checkbox to use the auto filter function.

Blacklisted URLs

Add a URL to block access to.

Click , enter a URL, and then click .

Permitted URLs

Add a URL to allow access to.

Click , enter a URL, and then click .

Whitelisted Bookmarks

Add a bookmark to allow for access.

Click , enter a URL, title, and path, and then click .

Managed domains

Set managed domains and protect corporate data. You can control which apps can open documents downloaded from corporate domains using Safari. These policies support devices with iOS 8 or higher in Supervised mode. You can add more managed domains policy sets by clicking .

Policy

Description

Configuration ID

Assign a unique ID for each setting.

Description

Enter a description for each setting.

Email domains

Add a domain to specify as a corporate domain for emails.

Click , enter a URL, and then click .

Web domains

Add a domain to specify as a corporate domain for the web.

Click , enter a URL, and then click .

Network Usage Rules

Configure network usage rules to allow data roaming and cellular data for applications. You can add more network usage rules policy sets by clicking .

Policy

Description

Configuration ID

Assign a unique ID for each setting.

Description

Enter a description for each setting.

Managed app Network Settings

Add an application and allow cellular data and data roaming.

Click , add an application, set the data settings, and then click .