Android Enterprise device commands
Last updated January 22nd, 2024
The available commands for a device vary based on its management mode. For fully managed with work profile devices, you can select either the whole device or just the work profile as the recipient of the command.
Device
| Device command | Description | Supported system |
|---|---|---|
| Push Profile | Pushes and applies the latest profile and app information to the device. |
Android 6 and higher Shared device Non-shared device |
| Enable EAS (Samsung Email App Only) | Allows using Exchange ActiveSync for Samsung Email app. | Work profile — Android 6 and higher |
| Disable EAS (Samsung Email App Only) | Disallows using Exchange ActiveSync for Samsung Email app. | Work profile — Android 6 and higher |
| Lock Device |
Locks the device. You can enter a reason for locking the device and a phone number to contact when the device is lost. The information you provide when sending a lock device command shows on the screen of the locked device. The following characters aren't supported in the lock screen message: \, ", [, and ]. |
Non-Samsung device — Android 6–8 Samsung device — Android 6 and higher Non-shared device |
| Unlock Device |
Unlocks a locked device using the Unlock Code available on the Device Details page. You can share the unlock code with the device user, who can enter it on the screen and unlock the device. You can use the Clear Screen Lock device command to remove the password from a device that's locked due to the device user entering an incorrect password too many times or forgetting the password. |
Non-Samsung device — Android 6–8 Samsung device — Android 6 and higher Non-shared device |
| Lock Screen | Locks the device screen. If the device's screen is password-locked, then the user needs to enter the password to access the device again. |
Android 6 and higher Non-shared device |
| Lock SIM PIN |
Places a lock on the SIM card's PIN to prevent the use of the SIM card on another device. To lock a SIM PIN, enter the current SIM PIN and then enter a new PIN. If the locked SIM card is registered to another device, the device is locked and the user must enter the new PIN to unlock it. |
|
| Unlock SIM PIN |
Removes the lock placed on a SIM card's PIN. To unlock a SIM PIN, enter the current PIN that was applied through Knox Manage, and then enter the initial (default) SIM PIN. You can find the current PIN on the Device Details page > Network tab > SIM PIN Applied by Knox Manage. |
Android 6 and higher |
| Factory Reset |
Performs a factory reset on the device and changes the device status to Unenrolled. Initialize SD Card when factory reset — Select to initialize the SD card during the factory reset. Deactivate Factory Reset Protection — This option is only available when the profile is applied with the Factory Reset Protection policy or when you send the command to multiple devices. Click the check box to perform a factory reset without the Factory Reset Protection policy. |
Android 6 and higher Non-shared device |
| Power Off Device |
Turns off the device. |
Non-Samsung device — Android 10 and higher Samsung device — Android 6 and higher Non-shared device |
| Reboot Device | Reboots the device. |
Android 6 and higher Non-shared device |
| Clear Screen Lock |
Clears the password and resets the lock on the device. For devices running Android 8 and higher, the device user must set a new lock before they can continue operating the device. For devices running Android 6–7.1.2, a temporary password is set on the device. After resetting the lock, you must deliver the temporary password to the device user, after which they can set a new personalized lock. For full details about this temporary password process, see How to reset the lock on a device. The device user can skip setting a new lock and continue using the temporary password indefinitely, which is a potential security risk. If possible, encourage them to set a new password. This command fails to take effect if the device meets all of these conditions:
The Clear Screen Lock device command is not supported for password policies set through the Knox Service Plugin. |
Android 6 and higher |
| Reset SD Card |
Initializes the external SD card of the device. For devices with the External SD Card policy is set to Disallowed in the profile, you can't reset the SD card using the device command, because the policy takes a higher priority than the device command. |
Android 6 and higher |
| Reset Data Usage |
Resets data usage among the Android device's inventory information:
|
Non-Samsung device — Android 10 and higher Samsung device — Android 6 and higher |
| Reset Number of Calls | Resets the number of calls and number of missed calls from the Android device's inventory information. | Android 6 and higher |
| Delete a CA Certificate | Deletes certificates installed by Knox Manage. You can select a certificate to delete. | Android 6 and higher |
| Delete a User Certificate | Deletes certificates installed by the administrator. You can select a certificate to delete. | Android 6 and higher |
| Delete a User Install Certificate | Deletes all the certificates installed by the administrator. | Android 6 and higher |
| Delete a Work Profile CA Certificate | Deletes certificates installed by Knox Manage to the work profile. You can select a certificate to delete. |
Android 6 and higher Shared device |
| Delete a Work Profile User Certificate | Deletes certificates installed by the administrator to the work profile. You can select a certificate to delete. |
Android 6 and higher Shared device |
| Delete a Work Profile User Install Certificate | Deletes all the certificates installed by the administrator to the work profile. |
Android 6 and higher Shared device |
Application
| Device command | Description | Supported system |
|---|---|---|
| Install or Update App |
Installs or updates an app on the device. If the device user has uninstalled the app, then the app can't be re-installed by this command. On the Request Command page, select an app to be installed or updated. The app installation allowlist and blocklist policy take precedence over this command. If an app is blocked, then this command can't install it. |
Android 6 and higher Shared device Non-shared device |
| Run App |
Runs an app on the device. The app installation allowlist and blocklist policies take precedence over this command. If an app is explicitly allowed, then this command can't uninstall it. |
Android 6 and higher Shared device |
| Uninstall App |
Deletes an app from the device. The app installation allowlist and blocklist policies take precedence over this command. If an app is explicitly allowed, then this command can't uninstall it. |
Android 6 and higher Shared device Non-shared device |
| Apply Latest internal App Information | Sends the latest internal app information and updates the device according to the information. | Android 6 and higher |
| Delete App Data | Delete an app's data from the device. |
Android 6 and higher Shared device Non-shared device |
Work Profile Controls
| Device command | Description | Supported system |
|---|---|---|
| Clear (Reset) Work Profile Password |
Initializes the work profile lock, if available. The device user must set a new lock before they can access work profile apps. The Clear (Reset) Work Profile Password device command is not supported for password policies set through the Knox Service Plugin. |
Android 6 and higher Shared device |
| Lock Screen | If the work profile has a lock separate from the personal profile, it locks. The next time the device user accesses a work profile app, they must unlock the work profile before they can continue. |
Android 6 and higher Shared device |
Knox Manage
| Device command | Description | Supported system |
|---|---|---|
| Push Notification |
Sends an emergency message to the device. The message icon shows on the status bar of the device. You can set a push notification message of up to 80 characters. On the Push Notification page, enter the title and content of the message. You can also select between Notification and Pop up for the send type.
|
Android 6 and higher Shared device |
| Unenroll Device | Unenrolls a selected device on the device list. Select Remove Work Profile only to remove installed Knox Manage agents and all device management policies from a device. No factory reset is required and the device user can continue using the device without losing any data. |
Android 6 and higher Shared device Non-shared device |
| Update License | Updates the license of a selected device on the device list. This command runs in the Direct Boot mode — that is, it automatically applies when the device is powered on, even if the user hasn't unlocked it. |
Android 6 and higher Non-shared device |
| Update Knox Manage Agent |
Updates the Knox Manage agent on the device for a new patch or version. The agent information registered in the Knox Manage server is sent to the device, which then selects the appropriate agent to request installation files from the server. |
Android 6 and higher Non-shared device |
| Update User Information |
Updates the device user information, such as the user activation status/username/user settings (Knox Browser website URL information, bookmark information) and license information. If the user is signed out from the enrolled device, you can send this device command to enable the user to sign in to Knox Manage automatically. |
Android 6 and higher Shared device |
| Lock Screen of Knox Manage Agent |
Locks the Knox Manage agent. When the agent is locked, the device user must enter the agent's password that was configured during enrollment. If the user forgets the password, you can send the Delete Account command to sign the user out. Then, they can reset the password upon sign in. |
Android 6 and higher |
| Unlock Knox Manage Agent | Unlocks the Knox Manage agent. | Android 6 and higher |
| Delete Account | Deletes the account registered in the Knox Manage agent. |
Android 6 and higher Shared device |
| Exit Kiosk Mode | Exits Kiosk mode without unenrolling the device. You can find the status of the kiosk on the Knox Manage console, on Device Details page > Security tab. | Android 6 and higher |
| Exit non-shared device mode | Disables the sign-in screen of non-shared mode, allowing the device's primary account to be used. |
Android 6 and higher Non-shared device |
| Convert License | Convert the device's Knox Manage license to a Knox Suite license. This command runs in the Direct Boot mode — that is, it automatically applies when the device is powered on, even if the user hasn't unlocked it. |
Android 6 and higher Non-shared device |
| Collect Audit Log | Collects the Knox Manage audit logs of the device. When the log size exceeds the maximum size, logs are automatically sent to the server, but the log file may be lost. For more detailed information, see View the audit list. |
Android 6 and higher Shared device Non-shared device |
| Collect Device Log | Gathers the log data from the device. |
Android 6 and higher Shared device |
| Collect Diagnosis Information |
Gathers the device log to diagnose the cause of a device lock. Personally identifiable or sensitive information is masked. |
Android 6 and higher Shared device Non-shared device |
| Collect Bug Report |
Collect the device's bug report, also known as dumpstate logs. The device user is then prompted to send the report, and they can choose whether to send it. You can view the bug report by selecting the device and viewing its device log. Alternatively, you can go to History > Device Log and select the relevant device. |
Android 6 and higher Non-shared device |
| Reset Push Token |
Creates and registers a new Firebase Cloud Messaging (FCM) token for the Knox Manage agent on the device. Use this command in scenarios where the device can't receive push notifications, which typically occurs when the token changed on the Knox Manage server and the device was unable to sync it. |
Android 6 and higher Non-shared device |
Register Managed Google Play Account |
Assigns the Managed Google Play Account associated with your tenant to the device. Use this command if the Managed Google Play Account wasn't registered on the device during enrollment. |
Android 6 and higher |
| Play Alarm Sound | Sounds an alarm on the device until the device user takes action. On a non-kiosk device, the alarm is accompanied by a push notification from the Knox Manage agent. On a kiosk, it's accompanied by a popup. The alarm sounds regardless of the device's mute and vibration settings. | Android 6 and higher |
| Reapply KSP Wi-Fi Configurations | Syncs all Wi-Fi configurations defined by Knox Service Plugin policies. This command is helpful in situations where the device user has removed a configured Wi-Fi network from the network settings. | Android 6 and higher |
| Check Out User | Forces the user session to end on a shared device. |
Android 6 and higher Shared device |
Device Info Sync
| Device command | Description | Supported system |
|---|---|---|
| Collect HW Status | Gathers the latest hardware information from the device. |
Android 6 and higher Shared device |
| Collect current location | Gathers current location data from the device. |
Android 6 and higher Shared device |
| Sync Device Information | Updates the inventory and app information on the device. |
Android 6 and higher Shared device Non-shared device |
| Sync Installed App List | Pulls the device's app list. |
Android 6 and higher Shared device Non-shared device |
| Authenticate SIM Card | Authenticates the SIM card on the device. | Android 6 and higher |
| Authenticate SD Card | Authenticates the external SD card on the device. | Work profile — Android 6 and higher |
| Attestation | Checks if the device's OS is compromised. The result of the check can be found in the device details. | Android 6 and higher |
| Play Integrity (SafetyNet Attestation) | Initiates an integrity check of the device, which evaluates the integrity of the hardware and software on the device. The specifics of the evaluation depend on the device's Android version. The result of the evaluation can be found in the device details. |
Android 6 and higher Shared device |
On this page
Is this page helpful?