Set dynamic group syntax
Last updated November 19th, 2025
This page outlines how you can set custom membership rules for dynamic groups using the Knox Manage Expression Language (EL). For more information on creating dynamic groups, see Register a group.
How the Knox Manage Expression Language (EL) works
The Knox Manage EL is based on the MVFLEX Expression Language (MVEL) and uses a subset of its functionalities. While many functionalities are supported, the following functionalities offered by MVEL aren’t supported in the Knox Manage EL:
With the Knox Manage EL, you create group rules by setting the syntax of one or more expressions. Expressions can reference, transform, and combine attributes. For example, you can use a custom expression to remove @company.com from an email address, or combine the firstName and lastName attributes into a single name.
The syntax of each expression combines the following fields: object, attribute, operator, and value.
- Object — Defines whether you’re creating a rule for a user group or a device group.
- Attribute — Sets the attribute you want to define groups by, such as User ID or Device Name. Attributes differ for user groups and device groups. See the bottom of the page for a list of supported attributes.
- Operator — Defines the comparison operator between the attribute and the value, such as equals or greater than. See the table below for a list of supported operators for rules with a single expression.
- Value — Determines the possible configurations for each attribute. For example, if you set a rule where the attribute is Lock Status, the values are Locked or Unlocked.
Supported operators
The table below lists all of the supported operators and their syntax for rules with a single expression.
| Operator | Syntax | Example |
|---|---|---|
Equals
|
== |
user.userId == 'testuser'
|
Not equals
|
!= |
user.userId != 'testuser'
|
Greater than (Numeric)
|
> |
device.lastSeenDay > 10
|
Greater than (Date)
|
Utils.dateCompare(<property>, <value>, 'GT', <timezoneoffset>) |
Utils.dateCompare(user.created, '2025-07-17', 'GT', 32400000)
|
Greater than or equal to (Numeric)
|
>= |
device.lastSeenDay >= 10
|
Greater than or equal to (Date)
|
Utils.dateCompare(<property>, <value>,'GE', <timezoneoffset>) |
Utils.dateCompare(user.created, '2025-07-17', 'GE', 32400000)
|
Less than (Numeric)
|
< |
device.lastSeenDay < 10
|
Less than (Date)
|
Utils.dateCompare(<property>, <value>, LT, <timezoneoffset>) |
Utils.dateCompare(user.created, '2025-07-17', 'LT', 32400000)
|
Less than or equal to (Numeric)
|
<= |
device.lastSeenDay <= 10
|
Less than or equal to (Date)
|
Utils.dateCompare(<property>, <value>, 'LE', <timezoneoffset>) |
Utils.dateCompare(user.created, '2025-07-17', 'LE', 32400000)
|
In
|
Utils.arraysIn(<property>, <values>) |
Utils.arraysIn(device.tags, ['tag1', 'tag2'])
|
Not in
|
Utils.arraysNotIn(<property>, <values>) |
Utils.arraysNotIn(device.tags, ['tag1', 'tag2'])
|
Starts with
|
Utils.startsWith(<property>, <values>) |
Utils.startsWith(device.mobileId, 'android')
|
Not starts with
|
Utils.notStartsWith(<property>, <values>) |
Utils.notStartsWith(device.mobileId, 'android')
|
Is blank
|
Utils.isBlank(<property>) |
Utils.isBlank(user.userId)
|
Is not blank
|
Utils.isNotBlank(<property>) |
Utils.isNotBlank(user.userId)
|
Contains
|
Utils.contains(<property>, <value>) |
Utils.contains(user.department, 'aa')
|
Not contains
|
Utils.notContains(<property>, <value>) |
Utils.notContains(user.department, 'aa')
|
Rules with a single expression
A single expression is the simplest type of membership rule. You can use single expressions when you want to create a rule that references a single attribute and operator.
Below is an example of a single expression rule which groups users in the sales department:
user.department == 'sales'
|
|---|
The total body of your rule can’t exceed 1,000 characters.
Rules with multiple expressions
You can use multiple expressions when you want to create a rule that references multiple attributes and operators. To combine multiple expressions, enclose each expression with parentheses and use the && or || operators between them. There is no limit to the number of expressions you can string together.
Below is an example of a rule with multiple expressions which groups devices that are enrolled through KME or Android devices:
(Utils.arraysIn(device.deviceStatus, ['A'])) && (device.enrolledType == 'KME') || (device.platform == ‘A')
|
|---|
Additionally, to compare the value of an attribute against multiple values, you can use the In and Not in operators. Use [ ] to begin and end the list of values.
Below is an example of an expression using the In operator to groups users with specific tags.
Utils.arraysIn(user.tags, ['tag1','tag2','tag3','tag4','tag5','tag6'])
|
|---|
The total body of your rule can’t exceed 1,000 characters
Create a rule for all users
You can create a group that contains all users within a tenant. When users are added or removed from the tenant in the future, the group’s membership adjusts automatically.
To construct a rule for all users, use a single expression with the Is not blank operator.
Utils.isNotBlank(user.userId)
|
|---|
Create a rule for all devices
You can create a group that contains all devices within a tenant. When devices are added or removed from the tenant in the future, the group’s membership is adjusted automatically.
To construct a rule for all devices, use a single expression with the Is not blank operator.
Utils.isNotBlank(device.deviceId)
|
|---|
Supported user attributes
You can use three types of attributes to construct a membership rule for user groups:
- Date
- String
- String collection
See the tables below for a list of supported attributes.
Date
| Property | Allowed values | Usage |
|---|---|---|
created
|
Fixed date format(yyyy-MM-dd) |
Utils.dateCompare(user.created, '2025-07-17', 'GT', 32400000)
|
String
| Property | Allowed values | Usage |
|---|---|---|
userId
|
Any string value |
user.userId == 'testuser'
|
userName
|
Any string value or null |
user.userName != 'patrick'
|
firstName
|
Any string value or null |
Utils.isBlank(user.firstName)
|
middleName
|
Any string value or null |
Utils.startsWith(user.middleName,'famil')
|
lastName
|
Any string value or null |
Utils.startsWith(user.lastName,'famil')
|
displayName
|
Any string value or null |
Utils.isNotBlank(user.displayName)
|
empNo
|
Any string value or null |
user.empNo == '995641'
|
department
|
Any string value or null |
user.department == 'DEV'
|
managerDn
|
Any string value or null |
user.managerDn == 'CN=admin,CN=Users,DC=dev,DC=com'
|
email
|
Any string value |
user.email == 'admin8012@samsung.com'
|
emailUserName
|
Any string value or null |
user.emailUserName == 'admin8012'
|
contact
|
Any string value or null |
user.contact == '+82103334444'
|
mobilePhone
|
Any string value or null |
Utils.startsWith(user.mobilePhone, '+8210')
|
upn
|
Any string value or null |
Utils.isNotBlank(user.upn)
|
dn
|
Any string value or null |
user.dn == 'CN=Guest,CN=Users,DC=dev,DC=com'
|
orgCode
|
Any string value or null |
user.orgCode != 'MS360'
|
positionCode
|
Any string value or null |
user.positionCode == 'DEV0001'
|
siteCode
|
Any string value or null |
user.siteCode == 'EU08'
|
securityLevelCode
|
Any string value or null |
Utils.isNotBlank(user.securityLevelCode)
|
reserved01
|
Any string value or null |
user.reserved01 == 'Marketing'
|
reserved02
|
Any string value or null |
user.reserved02 == 'Marketing'
|
reserved03
|
Any string value or null |
user.reserved03 == 'Marketing'
|
orgName
|
Any string value or null |
Utils.startsWith(user.orgName, 'Sale')
|
enabled
|
|
user.enabled == '1'
|
vppStatus
|
Invited, Registered, Retired, or null |
user.vppStatus == 'Registered'
|
userType
|
|
user.userType == '1'
|
String collection
| Property | Allowed values | Usage |
|---|---|---|
tags
|
Any string values or null |
Utils.arraysIn(user.tags, ['China_User', 'Japan_User'])
|
Supported device attributes
You can use three types of attributes to construct a membership rule for device groups:
- Date
- String
- String collection
- Security
- Network
- Security Detail
See the tables below for a list of supported attributes.
Date
| Property | Allowed values | Usage |
|---|---|---|
updated
|
Fixed date format (yyyy-MM-dd) |
Utils.dateCompare(device.updated, '2025-07-17', 'GT', 32400000)
|
String
| Property | Allowed values | Usage |
|---|---|---|
mobileId
|
Any string value |
device.mobileId == 'Android_US_01'
|
alias
|
Any string value or null |
device.alias == 'Wear'
|
enrolledType
|
|
device.enrolledType == 'KME'
|
buildNumber
|
Any string value or null |
device.buildNumber == '10.12.130'
|
imei
|
Any string value or null |
Utils.startsWith(device.imei, '3698569')
|
secondaryImei
|
Any string value or null |
device.secondaryImei == '97898569'
|
imsi
|
Any string value |
device.imsi == '310170845466094'
|
isDeviceLock
|
Locked, Unlocked, null |
device.isDeviceLock == 'Locked' Utils.isBlank(device.isDeviceLock)
|
macAddress
|
Any string value or null |
device.macAddress != '00:1A:2B:3C:4D:5E'
|
managementType
|
|
Utils.arraysIn(device.managementType, ['DO','PO'])
|
phone
|
Any string value or null |
device.phone == '0103659852'
|
deviceModel
|
Any string value or null |
device.deviceModel == 'SGH-9062'
|
deviceVersionName
|
Any string value or null |
device.deviceVersionName == '3.2'
|
platform
|
|
Utils.arraysNotIn(device.platform, ['W','M'])
|
serialNumber
|
Any string value or null |
device.serialNumber == 'R38K40KFSFB'
|
deviceStatus
|
|
device.deviceStatus == 'A'
|
userId
|
Any string value |
device.userId == 'androidUser'
|
controlType
|
|
device.controlType == 'AMAPI' Utils.isBlank(device.controlType)
|
sharedDeviceType
|
|
device.sharedDeviceType == 'M' Utils.isBlank(device.sharedDeviceType)
|
knoxManageType
|
LEGACY, KNOX, null |
device.knoxManageType == 'LEGACY'
|
deviceType
|
|
device.deviceType == 'UE'
|
String collection
| Property | Allowed values | Usage |
|---|---|---|
tags
|
Any string values or null |
Utils.arraysIn(device.tags, ['deviceTag1', 'deviceTag2'])
|
Security
| Property | Allowed values | Usage |
|---|---|---|
security.deviceUnlockCode
|
Any string value or null |
Utils.isNotBlank(device.security.deviceUnlockCode)
|
security.devicePasswordCompliant
|
Sufficient, Insufficient, NA, null |
device.security.devicePasswordCompliant == 'NA'
|
security.isRooting
|
|
device.security.isRooting == 'Modified'
|
security.appIsRooting
|
|
device.security.appIsRooting == 'N'
|
security.isUnauthorizedContainerInstalled
|
Installed, NotInstalled, null |
Utils.isBlank(device.security.isUnauthorizedContainerInstalled)
|
security.fingerprintPassword
|
|
Utils.isBlank(device.security.fingerprintPassword)
|
| security.irisPassword |
|
Utils.isBlank(device.security.irisPassword)
|
Security details
| Property | Allowed values | Usage |
|---|---|---|
securityDetail.kioskPackageName
|
Any string value or null |
Utils.isNotBlank(device.securityDetail.kioskPackageName)
|
securityDetail.safetyNet
|
|
device.securityDetail.safetyNet == 'Failure'
|
securityDetail.playIntegrity
|
|
device.securityDetail.playIntegrity == 'Failure'
|
securityDetail.appIsRooting
|
|
device.securityDetail.appIsRooting == 'N'
|
securityDetail.keepaliveUnmanaged
|
|
device.securityDetail.keepaliveUnmanaged == 'Managed'
|
Network
| Property | Allowed values | Usage |
|---|---|---|
network.deviceWifiStatus |
Enabled, Disabled, Unknown, or null | device.network.deviceWifiStatus == 'Enabled' |
network.wifiStatus |
Connected, Disconnected, or null | device.network.wifiStatus == 'Connected' |
network.wifiIpAddress |
Any string value or null | device.network.wifiStatus == 'Connected' |
network.cellularIpAddress |
Any string value or null | device.network.cellularIpAddress == '24.123.133.22' |
network.ssid |
Any string value or null | device.network.ssid == 'knoxcloud' |
network.bssid |
Any string value or null | device.network.bssid == '90:9f:33:a5:39:aa' |
network.simStatus |
Absent, Ready or null | device.network.simStatus == 'Ready' |
network.subscriberMcc |
Any string value or null | Utils.isBlank(device.network.subscriberMcc) |
network.currentMcc |
Any string value or null | Utils.isBlank(device.network.currentMcc) |
network.isRoaming |
|
device.network.simStatus == 'Roaming' |
network.fivegNetworkSlicing |
|
Utils.arraysIn(device.network.fivegNetworkSlicing, ['Allow','AllowPerApp']) |