Home / Knox Manage / Configure / Groups / Create groups /

Set dynamic group syntax

Last updated November 6th, 2025

This document is new for the Knox cloud services 25.11 UAT.

On this tab

This page outlines how you can set custom membership rules for dynamic groups using the Knox Manage Expression Language (EL). For more information on creating dynamic groups, see Register a group.

How the Knox Manage Expression Language (EL) works

The Knox Manage EL is based on the MVFLEX Expression Language (MVEL) and uses a subset of its functionalities. While many functionalities are supported, the following functionalities offered by MVEL aren’t supported in the Knox Manage EL:

With the Knox Manage EL, you create group rules by setting the syntax of one or more expressions. Expressions can reference, transform, and combine attributes. For example, you can use a custom expression to remove @company.com from an email address, or combine the firstName and lastName attributes into a single name.

The syntax of each expression combines the following fields: object, attribute, operator, and value.

  • Object — Defines whether you’re creating a rule for a user group or a device group.
  • Attribute — Sets the attribute you want to define groups by, such as User ID or Device Name. Attributes differ for user groups and device groups. See the bottom of the page for a list of supported attributes.
  • Operator — Defines the comparison operator between the attribute and the value, such as equals or greater than. See the table below for a list of supported operators for rules with a single expression.
  • Value — Determines the possible configurations for each attribute. For example, if you set a rule where the attribute is Lock Status, the values are Locked or Unlocked.

Supported operators

The table below lists all of the supported operators and their syntax for rules with a single expression.

Operator Syntax Example
Equals == user.userId == 'testuser'
Not equals != user.userId != 'testuser'
Greater than (Numeric) > device.lastSeenDay > 10
Greater than (Date) Utils.dateCompare(<property>, <value>, 'GT', <timezoneoffset>) Utils.dateCompare(user.created, '2025-07-17', 'GT', 32400000)
Greater than or equal to (Numeric) >= device.lastSeenDay >= 10
Greater than or equal to (Date) Utils.dateCompare(<property>, <value>,'GE', <timezoneoffset>) Utils.dateCompare(user.created, '2025-07-17', 'GE', 32400000)
Less than (Numeric) < device.lastSeenDay < 10
Less than (Date) Utils.dateCompare(<property>, <value>, LT, <timezoneoffset>) Utils.dateCompare(user.created, '2025-07-17', 'LT', 32400000)
Less than or equal to (Numeric) <= device.lastSeenDay <= 10
Less than or equal to (Date) Utils.dateCompare(<property>, <value>, 'LE', <timezoneoffset>) Utils.dateCompare(user.created, '2025-07-17', 'LE', 32400000)
In Utils.arraysIn(<property>, <values>) Utils.arraysIn(device.tags, ['tag1', 'tag2'])
Not in Utils.arraysNotIn(<property>, <values>) Utils.arraysNotIn(device.tags, ['tag1', 'tag2'])
Starts with Utils.startsWith(<property>, <values>) Utils.startsWith(device.mobileId, 'android')
Not starts with Utils.notStartsWith(<property>, <values>) Utils.notStartsWith(device.mobileId, 'android')
Is blank Utils.isBlank(<property>) Utils.isBlank(user.userId)
Is not blank Utils.isNotBlank(<property>) Utils.isNotBlank(user.userId)
Contains Utils.contains(<property>, <value>) Utils.contains(user.department, 'aa')
Not contains Utils.notContains(<property>, <value>) Utils.notContains(user.department, 'aa')

Rules with a single expression

A single expression is the simplest type of membership rule. You can use single expressions when you want to create a rule that references a single attribute and operator.

Below is an example of a single expression rule which groups users in the sales department:

user.department == 'sales'

The total body of your rule can’t exceed 1,000 characters.

Rules with multiple expressions

You can use multiple expressions when you want to create a rule that references multiple attributes and operators. To combine multiple expressions, enclose each expression with parentheses and use the && or || operators between them. There is no limit to the number of expressions you can string together.

Below is an example of a rule with multiple expressions which groups devices that are enrolled through KME or Android devices:

(Utils.arraysIn(device.deviceStatus, ['A'])) && (device.enrolledType == 'KME') || (device.platform == ‘A')

Additionally, to compare the value of an attribute against multiple values, you can use the In and Not in operators. Use [ ] to begin and end the list of values.

Below is an example of an expression using the In operator to groups users with specific tags.

Utils.arraysIn(user.tags, ['tag1','tag2','tag3','tag4','tag5','tag6'])

The total body of your rule can’t exceed 1,000 characters

Create a rule for all users

You can create a group that contains all users within a tenant. When users are added or removed from the tenant in the future, the group’s membership adjusts automatically.

To construct a rule for all users, use a single expression with the Is not blank operator.

Utils.isNotBlank(user.userId)

Create a rule for all devices

You can create a group that contains all devices within a tenant. When devices are added or removed from the tenant in the future, the group’s membership is adjusted automatically.

To construct a rule for all devices, use a single expression with the Is not blank operator.

Utils.isNotBlank(device.deviceId)

Supported user attributes

You can use three types of attributes to construct a membership rule for user groups:

  • Date
  • String
  • String collection

See the tables below for a list of supported attributes.

Date

Property Allowed values Usage
created Fixed date format(yyyy-MM-dd) Utils.dateCompare(user.created, '2025-07-17', 'GT', 32400000)

String

Property Allowed values Usage
userId Any string value user.userId == 'testuser'
userName Any string value or null user.userName != 'patrick'
firstName Any string value or null Utils.isBlank(user.firstName)
middleName Any string value or null Utils.startsWith(user.middleName,'famil')
lastName Any string value or null Utils.startsWith(user.lastName,'famil')
displayName Any string value or null Utils.isNotBlank(user.displayName)
empNo Any string value or null user.empNo == '995641'
department Any string value or null user.department == 'DEV'
managerDn Any string value or null user.managerDn == 'CN=admin,CN=Users,DC=dev,DC=com'
email Any string value user.email == 'admin8012@samsung.com'
emailUserName Any string value or null user.emailUserName == 'admin8012'
contact Any string value or null user.contact == '+82103334444'
mobilePhone Any string value or null Utils.startsWith(user.mobilePhone, '+8210')
upn Any string value or null Utils.isNotBlank(user.upn)
dn Any string value or null user.dn == 'CN=Guest,CN=Users,DC=dev,DC=com'
orgCode Any string value or null user.orgCode !=  'MS360'
positionCode Any string value or null user.positionCode == 'DEV0001'
siteCode Any string value or null user.siteCode == 'EU08'
securityLevelCode Any string value or null Utils.isNotBlank(user.securityLevelCode)
reserved01 Any string value or null user.reserved01 == 'Marketing'
reserved02 Any string value or null user.reserved02 == 'Marketing'
reserved03 Any string value or null user.reserved03 == 'Marketing'
orgName Any string value or null Utils.startsWith(user.orgName, 'Sale')
enabled
  • 1: Enabled
  • 0: Disabled
 user.enabled == '1'
vppStatus Invited, Registered, Retired, or null user.vppStatus == 'Registered'
userType
  • 1: Directory
  • 0: Knox Manage
 user.userType == '1'

String collection

Property Allowed values Usage
tags Any string values or null Utils.arraysIn(user.tags, ['China_User', 'Japan_User'])

Supported device attributes

You can use three types of attributes to construct a membership rule for device groups:

  • Date
  • String
  • String collection
  • Security
  • Network
  • Security Detail

See the tables below for a list of supported attributes.

Date

Property Allowed values Usage
updated Fixed date format (yyyy-MM-dd) Utils.dateCompare(device.updated, '2025-07-17', 'GT', 32400000)

String

Property Allowed values Usage
mobileId Any string value device.mobileId == 'Android_US_01'
alias Any string value or null device.alias == 'Wear'
enrolledType
  • KME: Knox Mobile Enrollment
  • DEP: Automated Device Enrollment
  • ZT: Zero-Touch
  • WB: Windows Bulk Enrollment
  • WA: MS Entra ID
 device.enrolledType == 'KME'
buildNumber Any string value or null device.buildNumber == '10.12.130'
imei Any string value or null Utils.startsWith(device.imei, '3698569')
secondaryImei Any string value or null device.secondaryImei == '97898569'
imsi Any string value device.imsi == '310170845466094'
isDeviceLock Locked, Unlocked, null device.isDeviceLock == 'Locked' Utils.isBlank(device.isDeviceLock)
macAddress Any string value or null device.macAddress !=  '00:1A:2B:3C:4D:5E'
managementType
  • DO: Fully Managed
  • COWP: Work Profile on Company Owned
  • PO: Work Profile (Caution: If an unenrolled device status condition is added or there is no platform condition, the group may not be configured as intended.)
Utils.arraysIn(device.managementType, ['DO','PO'])
phone Any string value or null device.phone == '0103659852'
deviceModel Any string value or null device.deviceModel == 'SGH-9062'
deviceVersionName Any string value or null device.deviceVersionName == '3.2'
platform
  • A: Android
  • I: iOS
  • W: Windows
  • AW: Wear OS
  • M: Mac OS
 Utils.arraysNotIn(device.platform, ['W','M'])
serialNumber Any string value or null device.serialNumber == 'R38K40KFSFB'
deviceStatus
  • P: Provisioning
  • A: Enrolled
  • BS: Disconnected
  • BL: Expired
  • I: Unenrolled
 device.deviceStatus == 'A'
userId Any string value device.userId == 'androidUser'
controlType
  • null: KMDPC
  • AMAPI: AMAPI
 device.controlType == 'AMAPI' Utils.isBlank(device.controlType)
sharedDeviceType
  • null: Non-Shared
  • M: Shared (Persistent)
  • S: Shared (Temporary)
 device.sharedDeviceType == 'M' Utils.isBlank(device.sharedDeviceType)
knoxManageType LEGACY, KNOX, null device.knoxManageType == 'LEGACY'
deviceType
  • null: Device Enrollment
  • UE: User Enrollment
 device.deviceType == 'UE'

String collection

Property Allowed values Usage
tags Any string values or null Utils.arraysIn(device.tags, ['deviceTag1', 'deviceTag2'])

Security

Property Allowed values Usage
security.deviceUnlockCode Any string value or null Utils.isNotBlank(device.security.deviceUnlockCode)
security.devicePasswordCompliant Sufficient, Insufficient, NA, null device.security.devicePasswordCompliant == 'NA'
security.isRooting
  • Official: Normal
  • Modified: Violated
 device.security.isRooting == 'Modified'
security.appIsRooting
  • N: Normal
  • Y: Violated
  • null: Unchecked
 device.security.appIsRooting == 'N'
security.isUnauthorizedContainerInstalled Installed, NotInstalled, null Utils.isBlank(device.security.isUnauthorizedContainerInstalled)
security.fingerprintPassword
  • Support: Supported
  • NotSupport: Not Supported
  • null: Unchecked
 Utils.isBlank(device.security.fingerprintPassword)
security.irisPassword
  • Support: Supported
  • NotSupport: Not Supported
 Utils.isBlank(device.security.irisPassword)

Security details

Property Allowed values Usage
securityDetail.kioskPackageName Any string value or null Utils.isNotBlank(device.securityDetail.kioskPackageName)
securityDetail.safetyNet
  • Success: Normal
  • Failure: Violated
  • None: Unchecked
 device.securityDetail.safetyNet == 'Failure'
securityDetail.playIntegrity
  • Success: Normal
  • Failure: Violated
  • None: Unchecked
 device.securityDetail.playIntegrity == 'Failure'
securityDetail.appIsRooting
  • Managed: Normal
  • Unmanaged: Violated
  • null: Unchecked
 device.securityDetail.appIsRooting == 'N'
securityDetail.keepaliveUnmanaged
  • Managed: Normal
  • Unmanaged: Violated
  • null: Unchecked
 device.securityDetail.keepaliveUnmanaged == 'Managed'

Network

Property Allowed values Usage
network.deviceWifiStatus Enabled, Disabled, Unknown, or null device.network.deviceWifiStatus == 'Enabled'
network.wifiStatus Connected, Disconnected, or null device.network.wifiStatus == 'Connected'
network.wifiIpAddress Any string value or null device.network.wifiStatus == 'Connected'
network.cellularIpAddress Any string value or null device.network.cellularIpAddress == '24.123.133.22'
network.ssid Any string value or null device.network.ssid == 'knoxcloud'
network.bssid Any string value or null device.network.bssid == '90:9f:33:a5:39:aa'
network.simStatus Absent, Ready or null device.network.simStatus == 'Ready'
network.subscriberMcc Any string value or null Utils.isBlank(device.network.subscriberMcc)
network.currentMcc Any string value or null Utils.isBlank(device.network.currentMcc)
network.isRoaming
  • NotRoaming: OFF
  • Roaming: ON
  • null: Unchecked
 device.network.simStatus == 'Roaming'
network.fivegNetworkSlicing
  • Allow: Enabled
  • AllowPerApp: Enabled
  • Disallow: Disabled
  • null: Unchecked
 Utils.arraysIn(device.network.fivegNetworkSlicing, ['Allow','AllowPerApp'])

Is this page helpful?