Android Enterprise policies

Allows using the camera.

Fully Managed — Android 6 and higher, Samsung Knox 1.0 and higher

Work Profile — Android 6 and higher

Allows screen captures.

Android 5+

Allows setting if and how over-the-air (OTA) updates are applied to devices. Choose one of the following setting option:

• Automatic — Automatically apply updates as soon as they become available.
• Postpone — Postpone OTA updates for up to 30 days.
• Windowed — Schedule OTA updates to occur at a specific time within a daily maintenance window. Use 24 hour format for time—[00:00-23:59]

Fully Managed — Samsung Knox 2.0 and higher

Android 5 and higher

Allows setting the number of background processes.

If this policy is disabled, the default number of background processes will be set at the maximum number.

Enables closing all running applications when the user signs out of the device.

If this policy is disabled, the activation setting is disabled on the device and the user cannot control the device settings.

Allows modification—addition or deletion—of the accounts added for each application.

• Disallow — This policy restricts the addition or deletion of users even if the Add or Delete User policies are allowed.

Specifies whether to define an allowlist or blocklist of app and service accounts that the device user can manage. When set, the Account List policy becomes either a blocklist or an allowlist.

Only available if the Account Modification policy is set to Allow.

Values

• Allowlist Setting — The account list is an allowlist.
• Blocklist Setting — The account list is a blocklist.

Specify the list of app and service accounts that the device user is allowed or blocked from managing. Accounts are specified as interfaces of Android package names, such as com.google.android.gm.pop3 for the POP3 account of the Gmail app. Managed Google Play accounts can't be modified, so adding them to this list when in allowlist mode has no effect. Only available if the Account Modification policy is set to Allow and the Account Block/Allowlist policy is set.

Values

To add an account, enter it and click . To remove one, click .

Here are the account names of common apps:

Fully Managed — Android 6 and higher

Work Profile — Android 7 and higher

Allows both the device user and apps to change the wallpaper.

Values

• Allow (default) — The wallpaper can be changed.
• Disallow — The wallpaper can't be changed.

Applies a custom wallpaper on the device.

Values

• Apply to the home and lock screen respectively — Sets different wallpapers for the home and lock screens of the device.

  On Samsung devices running Android 10 or lower, the wallpaper gets applied to both the home and lock screens if you set this value to apply it to only the home screen.

• Apply to the home and lock screen — Sets a wallpaper for both the home and lock screens of the device.

If this value is unset, no custom wallpaper is applied.

Specifies the custom wallpaper to apply to home and lock screens. Only available if the Custom Wallpaper policy is set to Apply to the home and lock screen respectively.

Values

To add custom images, click .

The image file can be in BMP, GIF, ICO, JPG, JPEG, or PNG format and can't exceed 10 MB in size.

Specify the orientation of the wallpaper.

Values

• Portrait
• Landscape

Specifies the custom wallpaper to apply to home and lock screens. Only available if the Custom Wallpaper policy is set to Apply to the home and lock screen respectively.

Values

To add custom images, click .

The image file can be in BMP, GIF, ICO, JPG, JPEG, or PNG format and can't exceed 10 MB in size.

Specify the orientation of the wallpaper.

Values

• Portrait
• Landscape

Specifies the custom wallpaper to apply to home and lock screens. Only available if the Custom Wallpaper policy is set to Apply to the home and lock screen.

Values

To add custom images, click .

The image file can be in BMP, GIF, ICO, JPG, JPEG, or PNG format and can't exceed 10 MB in size.

Specify the orientation of the wallpaper.

Values

• Portrait
• Landscape

Specify whether to display notification windows or dialogs, such as toasts, alerts and overlays, on the device.

Values

• Allow
• Disallow

Select a measure to take when a compromised OS is detected.

• Lock device — Locks the device.
• Lock Email — Locks email use.
• Factory reset + Initialize SD card — Simultaneously factory resets the user device and the SD card.
• Factory reset — Resets the user device but not the SD card.

Set the device to display a notification when a device control event is applied.

User defined — Users can set event notifications on the device from the Settings menu of the Knox Manage agent.

Show notification — Displays the notification when an event for device control is applied.

Hide notifications — Hides the notification when an event for device control is applied.

Set the device to display a notification when an event for device control is disengaged.

• User Defined — Users can set event notifications on the device from the Settings menu of the Knox Manage agent.
• Show notification — Displays a notification when an event for device control is disengaged.
• Hide notifications — Hides a notification when an event for device control is disengaged.

Set the removal of notifications from the device Quick panel.

User Defined — Users can remove notification on the device from the settings menu of Knox Manage agent.

Disallow to Remove Notification — Users cannot remove notifications on the device Quick Panel.

Allow to Remove Notification — Users can remove notifications on the device Quick Panel.

Check the check box to select the storage to be encrypted.

Allows the device user to change the date and time settings.

Values

• Allow
• Disallow
• Enforce Time Zone. Set the time zone on the devices. Device users can't change the set date and time.

Allows users to change the Location settings.

• Disallow — Users cannot change the on/off setting of the device location.

Allows backup of the device data.

Enables a custom message to display when the device user taps or tries to use a disabled setting.

This policy has two sub-policies, one for a short message to display in most screens of the Settings app, and the other for a longer message to display in the device administrators screen of the Settings app.

Enables a custom message on the device's lock screen. You can add lookup items to the message, which substitute for device and user information like username and phone number in the Android environment.

If the message contains only whitespace characters, then no lock message displays, and the user can't change it.

If this value is unset, the message only contains the user information, if it's available.

Allows the network usage rest function on a set date.

Allow using Wi-Fi. If the Wi-Fi policy was not applied successfully, the device tries to apply it again 30 minutes after Knox Manage is activated.

• Allow — Allows using Wi-Fi
• Force On — Disallows turning Wi-Fi on. It is turned off at all times.
• Force Off — Disallows turning Wi-Fi off. It is turned on at all times.

Allows use of the Wi-Fi Direct (Wi-Fi P2P) connection.

Allows device users to control Bluetooth.

• Allow — Allows users to turn Bluetooth on.
• Force off — Disallows turning Bluetooth on.

Allows data exchanges with other devices using Bluetooth connection.

Allows writing to an external SD card.

Allows checks to validate the integrity of the device.

The Play Integrity API replaces the SafetyNet Attestation API, which is being deprecated in June 2024. The Play Integrity API improves the detection of device-side accounts as well as Google Play app and user accounts.

We recommend that you upgrade to the latest Knox Manage agent and migrate to the Play Integrity API. For more information, see Migrating from the SafetyNet Attestation API in the Android Developer documentation.

Select a measure.

• Admin Alert — Sends an alert to the administrator.
• Unenrollment (Factory Reset) (for DO only)—Unenrolls the device and performs a factory reset.
• Unenrollment (for PO only)—Unenrolls the device.

Select a measure.

• Admin Alert — Sends an alert to the administrator.
• Lock device (for DO only)—Locks the device.
• Unenrollment (Factory Reset) (for DO only)—Unenrolls the device and performs a factory reset.
• Unenrollment (for PO only)—Unenrolls the device.

Enable multifactor authentication (2FA) that unlocks a device only after two authentication methods are provided, including one biometric input—face, iris, or fingerprint—and one lock screen method, such as PIN, password, or pattern.

Set the device's lock screen type and minimum quality. Use of the camera is prohibited when the device is locked.

You can set up to two lock screen policy sets:

• Device Controls — The lock screen settings for the personal area of the device.
• Work Profile Controls — The lock screen settings for a device's Work Profile. After the Work Profile is set up, the device user is directed to set a lock screen.

Set the minimum lock screen complexity.

There are four complexity levels, each pre-defined by the Android API. The device user must use a lock screen that meets or exceeds the minimum level.

Set the minimum complexity level of the lock screen:

• N/A — No restrictions on the lock screen.
• Low — A pattern or PIN, with repeating (4444) and ordered (1234, 4321, 2468) sequences allowed.
• Medium — A PIN without repeating (4444) or ordered (1234, 4321, 2468) sequences. Or, a password with 4 or more characters.
• High — A PIN with 8 or more characters, without repeating (4444) or ordered (1234, 4321, 2468) sequences. Or, a password with 6 or more characters.

Fully Managed — Android 12.0+

Work Profile — Android 12.0+

Personal area — Android 12.0+

Set a minimum strength level for the lock screen:

• Weak Biometric — A biometric recognition method.
• Pattern — A pattern.
• Numeric — A PIN.
• Numeric Complex — A pin with no repeating (4444) or ordered (1234, 4321, 2468) sequences.
• Alphabetic — A password with letter characters.
• Alphanumeric — A password with alphanumeric characters.
• Complex — A password with alphanumeric and special characters.

Fully Managed — Android 6 to 11

Work Profile — Android 6 to 11

Personal area — Android 7 to 11

Set the minimum length of the password.

The value can be between 4–16 characters for Numeric or Alphanumeric strength levels.

The value can be between 6–16 characters for the Complex strength level.

Set the minimum number of letter characters in the password.

The value can be between 1–10 characters.

Set the minimum number of numeric and special characters required in the password.

The value can be between 1–10 characters.

Set the minimum number of lowercase letter characters required in the password.

The value can be between 1–10 characters.

Set the minimum number of uppercase letter characters required in the password.

The value can be between 1–10 characters.

Set the minimum number of numeric characters allowed in the password.

The value can be between 1–10 characters.

Set the minimum number of special characters required in the password.

The value can be between 1–10 characters.

Set the longest string of sequential numbers (1234, 4321, 2468) allowed in the password.

The value can be between 1–10 characters.

Set the longest string of sequential characters (abcd, dcba, aceg) allowed in the password.

The value can be between 1–10 characters.

Fully Managed — Android 6+

Work Profile — Android 6+

Personal area — Android 7+

Set the number of days before the password must be reset.

The value can be between 1–365 days.

Set the number of days before password expiry when the notification must be sent out for fully managed devices.

The value can be 1, 3, 5, or 7 days.

Set the number of days before password expiry when the notification must be sent out for work profile devices.

The value can be 1, 3, 5, or 7 days.

Set the maximum number of incorrect password attempts before access is restricted.

You can set this only with Numeric, Alphanumeric, or Complex password strength.

The value can be between 0–10 times.

Choose an action to perform on a Fully Managed device when the maximum number of failed unlock attempts is reached:

• Lock device — Locks the device.
• Factory reset + Initialize SD Card — Factory resets the device and the SD card.
• Factory reset — Factory resets the device.

Select an action to perform when the maximum number of failed unlock attempts is reached:

• Factory Reset or Remove Work Profile — If the device is company-owned, it factory resets. If the device is personally-owned, the Work Profile is removed.

Work Profile — Android 6 and higher

Company-owned — Android 7 and higher

Set the minimum number of new passwords that must be used before a user can reuse a previous password.

For example, if the password is Knox123! and the Password History (times) is 10, the user must use ten other passwords before they can reuse Knox123!.

The value can be between 1–10 times.

Choose an action to perform when a password does not comply with requirements:

• Personal area:

  • Lock Device — The device is locked (Fully Managed devices only).
  • No Action — No action is taken.

• Work Profile:

  • Suspend Work Apps — Apps in the Work Profile are suspended.
  • Suspend Work and Personal Apps — All apps are suspended (corporate owned with Work Profile devices only).
  • No Action — No action is taken.

Choose which features and functionality to block when the screen is locked.

Fully Managed devices:

• Trust Agent — Blocks the Smart Lock function, which unlocks the screen in certain conditions, such as during physical activity, at a specific geographic location, or when devices are added.
• Fingerprint — Blocks screen unlock through fingerprint scanning.
• Iris — Blocks screen unlock through iris scanning.
• Face — Blocks screen unlock through face scanning.
• Camera — Blocks camera control.
• Previews in Pop-ups (Fully Managed, Fully Managed With Work Profile) — Hides content in app notifications on the lock screen.
• Notification (Fully Managed, Fully Managed With Work Profile, Work Profile on Company-Owned) — Hides all app notifications on the lock screen.

Devices with a Work Profile:

• Trust Agent — Blocks the Smart Lock function, which unlocks the screen in certain conditions, such as during physical activity, at a specific geographic location, or when devices are added.
• Previews in pop-ups — Hides content in app notifications on the lock screen.
• Fingerprint — Blocks screen unlock through fingerprint scanning.
• Face — Blocks screen unlock through face scanning.

Fully Managed — Android 5+

Work Profile — Android 7+

Personal area — Android 7+

Set the maximum time limit that a user can linger before screen timeout.

Timeout settings apply based on the Use one lock setting on the work profile of a device:

• If Use one lock is enabled and two different values are set for Device Controls and Work Profile Controls, the smaller value applies.
• If Use one lock is enabled on personal profile of a personal device, set the maximum time under Device Controls.
• If Use one lock is disabled on a work profile of a company-owned device, the maximum time under Work Profile Controls applies.

To set Use one lock on a device, go to Settings > Work profile settings.

Fully Managed — Android 6 and higher, Samsung Knox 2.0 and higher

Work Profile — Android 12 and higher

Personal area — Android 12 and higher

Enable this feature to set the device screen on when charging using any of the following options:

Select the option to apply the policy:

• AC Charger
• USB Charger
• Wireless Charger

Multiple selection is possible.

Select a Kiosk feature to use on a device.

Single App Mode — Runs a single application on the device's home screen.

Multi App Mode — Runs multiple applications that are developed using the Kiosk Wizard.

Web Mode — Opens webpages that are specified by the administrator.

Fully Managed — Samsung Knox 1.0 and higher

Non-Samsung Fully Managed — Android 9 and higher

Click Add to select Kiosk applications from the Select Application dialog or click New to create a Kiosk App.

Set the home page of the Kiosk Browser.

Values

Enter a URL.

Click Lookup to browse and select available lookup items to include in the URL.

Specify whether to hide the info icon on the Kiosk screen.

Values

• Allow
• Disallow

Hiding the icon restricts the kiosk users from viewing the open source license notice and using the exit kiosk code on the device. In this case, to exit from the kiosk mode, you must send a device command.

Specify the maximum number of times device users can unsuccessfully enter exit code on the kiosk.

Specify when the device user can again try exiting from the kiosk after they've crossed the maximum number of specified attempts.

Values

• Prevent re-entering code for 10 mins
• Prevent re-entering code for 30 mins

Use the screen saver for Single App and Multiple App kiosks and the Kiosk Browser. When no user activity is sensed for a certain amount of time set in the Auto Screen Off or Session Timeout settings on the device, the registered images or video files are activated on the device display.

Select image files for the screen saver. You can add up to 10 image files in the PNG, JPG, JPEG, or GIF format (animated files are not supported). Each image file must be less than 5 MB.

• To upload an image file, click Add and select a file.
• To delete an image file, click next to the name of the uploaded image file.

Select a video file for the screen saver. You can add only one video file in the MP4 or MKV format. The video file must be less than 50 MB.

• To upload a video file, click Add and select a file.
• To delete a video file, click next to the name of the uploaded video file.

Allows the use of the session timeout feature for the Kiosk Browser. If the user does not use the device for a set time, the device deletes user information, such as the cache and cookies, in the device Kiosk Browser and goes to the main page URL:

• Apply — Enables the session timeout feature for the browser.

Set the session timeout in seconds for the Kiosk Browser.

The value can be between 10 - 3600 secs (default is 1800).

Allows the user to upload files to websites through the Kiosk Browser.

Disallow is the default value.

Fully Managed — Samsung Knox 1.0

Non-Samsung Fully Managed — Android 9

Select hardware keys to disable. The availability of Hardware keys can vary by device

If you do not allow the use of the Task Manager, then it does not run, even if the user taps the left menu key in the Navigation bar at the bottom of the device.

Allows the use of the system status bar, which displays the time, network connectivity, and battery status.

Allows access to the notification bar. If this policy is set to Allow, the Home policy is allowed automatically.

Fully Managed — Android 6 and higher

Work Profile — Android 6 and higher

Allows application control from the settings application.

The following actions can be configured:

• Delete / Execute / Prevention / CACHE Removal / Data Removal / Focused Exit / Default App Removal.

Fully Managed — Android 6 and higher

Work Profile — Android 6 and higher

Fully Managed — Android 6 and higher

Work Profile — Android 6 and higher

Fully Managed — Android 6 and higher

Work Profile — Android 5 - 7.1

Allows application runtime permission settings for all areas.

• Prompt — Prompts users to grant or deny permissions.
• Grant — Grants all relevant permissions.
• Deny — Denies all relevant permissions.

Add individual application. Set different permission policies for each application.

• To add an application, click Add, and then select applications in the Select Application window.
• To delete an application, click next to the added application.

Add applications to prevent their execution. Icon of the blocked application disappears and users cannot run the application.

• To add an application, click Add, and then select applications in the Select Application window.
• To delete an application, click next to the added application.

Add the apps to be hidden on the devices.

• To add an app, click Add, and then select applications in the Select Application window.
• To delete an app, click next to the added app.

Add applications to prevent their uninstallation.

• To add an application, click Add, and then select applications in the Select Application window.
• To delete an application, click next to the added application.

Set to activate hidden system applications for Android Enterprise devices to view. If a device is activated with Android Enterprise, only designated applications appear on the device.

Add system applications to be activated.

• To add an application, click Add, and then select applications in the Select Application window.
• To delete an application, click next to the added application.

Enables delegated scopes for apps, which is a device policy controller function that grants elevated API and policy control to an app. An app with delegated scopes can dictate policies and configuration settings to other apps.

Values

• Allow — Enables delegation scopes.

If this value is unset, then delegation scopes are disabled.

Configures delegated scopes for apps. Each configuration targets an app with a profile in the Knox Manage tenant and assigns scopes to it. You can only manage one delegation configuration per app. Only available if the App Delegation Scope Management policy is set to Apply.

Values

To assign delegated scopes to an app:

1. Click Select, then choose an app from the list in the Select Application window.
2. Select scopes to assign to the app from the Delegation Scopes list.
3. Click to add the configuration.

For a complete list of compatible scopes, see Supported delegation scopes.

To remove the delegated scopes for an app:

• Click next to the configuration.

Specifies a blocklist of apps that can't use mobile data. Only available if the App Prevented from Using Mobile Data Setting policy is set to Apply.

Values

To add apps, click Add, then search for and select one or more apps.

To remove an app, click .

Allows the use of an external SD card. The external SD card cannot be used by default.

Supported devices: (SDK or API):

• Samsung (Knox 2.2 and higher)

Add applications that can use an external SD card.

• To add an application, click Add, and then select applications in the Select Application window.
• To delete an application, click next to the added application.

Configure allowlist and blocklist policies to restrict the use of personal Google Play accounts and installation of personal apps on devices.

Supported devices: (SDK or API):

• Android 11.0 and higher

• Single app — In the App Download Block/Allowlist Setting list > select App Download Blocklist > click Add > click to select the check box for the appropriate app, and then click OK.
• All apps — In the App Download Block/Allowlist Setting list, select App Download Blocklist > click Add all.

• In the App Download Block/Allowlist Setting list > select App Download Allowlist > click Add > click to select the check box for the appropriate app, and then click Add.

Fully Managed — Android 9 and higher

Fully Managed with Work Profile — Android 9 and higher

Fully Managed — Android 9 and higher

Fully Managed with Work Profile — Android 9 and higher

Fully Managed — Android 10 and higher

Work Profile — Android 12 and higher

Fully Managed — Android 12 and higher

Work Profile on company-owned — Android 12 and higher

Specify whether device users can configure location settings.

Values

• Allow user to configure — Allows the device users to enable or disable location settings on their devices.
• Force on — Enables the location settings on devices running Android 9 or higher. This option is available only for device controls.
• Force off — Disables the location settings on devices.
• Allow user to configure and prompt for location accuracy — Allows devices users to enable or disable location settings, and displays prompt to approve collection of GPS location data.

Fully Managed — Android 6 and higher, Samsung Knox 1.0 and higher

Work Profile — Android 6 and higher

Allows collecting location data from user device.

Values

• Automatic — Device users are notified and must agree to data collection on the device. You can set time interval for data collection
• Upon user consent — Allows location data collection only with the user's consent.
  On devices with a work profile, a non-dismissible notification is displayed requiring user consent before collecting location data. You can set time interval for data collection.

Set an interval period to save the location data of the device.

Allows the use of emergency broadcast settings.

The carrier can send a same message, such as an emergency alert, to the devices connected to the same cellular base station.

Fully Managed — Android 6 and higher, Samsung Knox 1.0 and higher

Work Profile — Samsung Knox 1.0 and higher

Allows the use of voice calls.

Allows sharing contacts from the Profile Owner to the connected device using Bluetooth.

Allows IT admins to set a custom message to warn the user when the data on the Work profile is being wiped.

Values

• Apply — Use the Message pane to specify the notification message to show on the device

Allows IT admins to specify a time period for which the device users are allowed to turn off Work profiles on their WP-C devices. The following two options are available:

• Days (between 3 to 30 days)
• Hours (between 72 and 720 hours)

Users of WP-C devices are allowed to turn off the Work profile on their devices. If the device user does not restart the Work profile, all Personal apps—outside of emergency calls and a few other important apps—are suspended. The device users see a notification on their device alerting them as to the reason for suspension of personal apps.

Enables factory reset protection. When this security measure is enabled, if the device undergoes a factory reset it can't be reactivated without the previous user's Google Account.

Values

• Allow — Enables factory reset protection for all devices that use this profile.
• Disallow (default) — Disables factory reset protection.

To enable factory reset protection:

1. Set the value to Allow.

2. For the the Google Account ID field, enter the email address of Google Account that will protect the devices that use this profile. This account must be appropriate for use by support providers.

   As this account email and password might be shared with support providers, do not use your Google Account associated with Android Enterprise.

3. Click Go to Google API Webpage to generate user ID. The people.get operation page from Google's People API reference opens.
4. If you haven't already, sign in to the Google Account you specified earlier.

5. In the Try this method dialog, enter:

   • resourceName field — people/me
   • personalFields field — metadata

6. Click EXECUTE.

   • You might be prompted to grant permission for the Google APIs Explorer to access the Google Account. If so, click Allow to grant all access.

   A 200 OK message shows, which contains the account's detailed information as JSON values.

7. Copy the value of the ID field in the message.
8. Back on the Knox Manage console, paste the copied ID value in the Google User ID field.
9. Click .

Enables the Knox Browser app.

Values

• Use — Enables the Knox Browser app on the device.

If this value is unset, then the Knox Browser app can't be installed on the device.

Sets the home page of the Knox Browser app. If set, the user can't change the home page. This is a required value for deploying the Knox Browser. Only available if the Knox Browser App policy is set to Use.

Values

Enter a URL.

Click Lookup to browse and select available lookup items to include in the URL.

Determines whether the Knox Browser app automatically updates. If enabled, the browser also updates when the profile is pushed to the device. Only available if the Knox Browser App policy is set to Use.

Values

• Use — Enables automatic Knox Browser updates.
• Do Not Use — Disables automatic Knox Browser updates.

Hides the address bar. Only available if the Knox Browser App policy is set to Use.

Values

• Use — Hides the address bar. Prevents access to websites other than the default Homepage URL, and blocks file downloads.
• Do Not Use (default) — Displays the URL address bar.

Configure whether to restrict access to URLs. The restriction list is defined by the URL Control List policy. Only available if the Knox Browser App policy is set to Use.

• Allowlist — Knox Browser uses an allowlist to restrict access to specified sites.
• Blocklist — Knox Browser uses a blocklist to restrict access to specified sites.

If this value is unset, then URLs aren't restricted.

Enter the URLs to allow or block, as determined by the URL Control Type policy. Only available if the Knox Browser App policy is set to Use and the URL Control Type is set to Allowlist or Blocklist.

Values

To add a URL, enter it and click . To remove one, click .

The wildcard (*) token is supported in the sub-domain and path. For example:

• https://*.example.com
• https://corp.example.com/*

Enables URLs with web intents, which, when opened, can download and launch apps on Android. Only available if the Knox Browser App policy is set to Use. Knox Browser supports intent schemes like the following:

• intent://... — Launches the app package specified in the URL scheme.
• market://... — Downloads the specified app package from Google Play Store.

Values

• Allow (default)
• Disallow

Allows web pages viewed on Knox Browser to store cookies on the device. Only available if the Knox Browser App policy is set to Use.

Values

• Allow (default)
• Disallow

Enables file downloads on Knox Browser. Only available if the Knox Browser App policy is set to Use.

Values

• Allow (default)
• Disallow — Blocks downloads. If you set the Hide URL policy to Use, file downloads are blocked automatically.

Allows the device user to upload files to web pages on Knox Browser. Only available if the Knox Browser App policy is set to Use.

Values

• Allow (default)
• Disallow

Allows the device user to copy text from web pages viewed on Knox Browser. Only available if the Knox Browser App policy is set to Use.

Values

• Allow (default)
• Disallow

Allows the device user to take screenshots of web pages on Knox Browser. Only available if the Knox Browser App policy is set to Use.

Values

• Allow (default)
• Disallow

Defines a collection of bookmarks to push to Knox Browser. Only available if the Knox Browser App policy is set to Use.

Values

To add a bookmark, enter a name for it and its URL, then click . To remove a bookmark, click .

Forces changing the text size on web pages on Knox Browser. Only available if the Knox Browser App policy is set to Use.

Values

• Use — Adjusts the text size to the scale set by the Text Scaling > Ratio policy.
• Do not use — The text size defaults to 100%, and the user can't change it.

If this value is unset, then the text size defaults to 100%, and the device user can change it.

Specifies the scale of the text size on Knox Browser. Only available if the Knox Browser App and Text Scaling policies are set to Use.

Values

To set the scale, adjust the slider. The slider has a range of 50–200% and moves in 5% increments.

Forces changing the zoom level of web pages on Knox Browser. Only available if the Knox Browser App policy is set to Use.

Values

• Use — Adjusts the zoom level to the scale set by the Force Enable Zoom > Ratio policy.
• Do not use — The zoom level defaults to 100%, and the user can't change it.

Specifies the zoom level of web pages on Knox Browser. Only available if the Knox Browser App and Text Scaling policies are set to Use.

Values

To set the scale, adjust the slider. The slider has a range of 100–200% and moves in 10% increments.

Enter an identifier of a wireless router to connect to.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

Controls whether the device automatically connects to this network.

Values

• Use — Forces the device to set this network as default and connect to it when Wi-Fi is turned on.
• Do Not Use — This network configuration is pushed to the device, but the device user chooses which networks to connect to.

Configure the following items:

• EAP Method — Select an authentication protocol from between PEAP and TTLS.
• 2-step authentication — Select one from PAP, MSCHAP, and MSCHAPV2 as a secondary authentication method.
• User information input method — Select an input method for entering user information.

1. Manual Input — Enter the user ID and Password for the Wi-Fi connection. You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.
2. Connector interworking — Choose a connector from the User information Connector.
3. User Information — Use the user information registered in Knox Manage to access Wi-Fi.

• ID — Assign an external ID for Manual Input.
• User certificate input method — Select a user certificate confirmation method.

1. EMM Management Certificate — Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting. Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.

2. Connector interworking — Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Connect to AD/LDAP.

   When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.

3. Issuing external CA — Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see External certificates.

Select a root certificate. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as Wi-Fi and the Type set as Root are included on the list.

This setting is required.

Specify to skip additional setup requirements of CA Certificate and Domain or Alternate Subject.

Values

• Use
• Do Not Use

Enter the domain addresses that can be accessed via Wi-Fi.

Enter the alternate subject names.

Configure the proxy server manually.

• Proxy host name — Enter the host name of the IP address of the proxy server
• Proxy port — Enter the port number used by the proxy server
• Proxy exception — Enter the IP address or domain address that cannot be accessed through the proxy server. If server authentication is required to use the proxy server, check the Server authentication check box.
• User name — Enter the username for the proxy server.
• Password — Enter the password for the proxy server.

Configure the proxy server automatically.

You should enter the PAC web address, the URL of the PAC file that automatically determines which proxy server to use.

Enter the user ID for the VPN connection.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

Specifies a location to install the bookmark.

• Shortcut — Creates a shortcut of the bookmarked address on the home screen of the device. Shortcut icons are created based on the Samsung Launcher.

  1. Android Enterprise devices only support the shortcut type.
  2. Shortcut icons may not be able to be created depending on the type of launcher set by the user.
  3. An administrator cannot delete the shortcut icon, but the user can delete it manually.

Specifies the name of the APN configuration. Each configuration name must be unique.

Values

Enter a name.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Specifies the description of the APN configuration.

Values

Enter a description.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Toggles whether the device user can delete the APN.

Values

• Allow (default)
• Disallow

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Specifies the name of the APN, which is comprised of the network identifier and optional operator identifier.

Values

Enter a name.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Specifies which connection services to allow for this APN.

Values

• Default — Allows all services. Also known as unspecified.
• MMS — Allows only the Multimedia Messaging Service (MMS).
• Supl — Allows only the Secure User Plane Location (SUPL) service, which is an IP-based protocol that uses GPS for device geolocation.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Specifies the MCC of the APN.

Values

Enter a 3-digit MCC.

Click Lookup to browse and select available lookup items to include in the MCC.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Specifies the carrier's MNC for the APN.

Values

Enter a 2- or 3-digit MNC.

Click Lookup to browse and select available lookup items to include in the MNC.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Specifies the address of the carrier's MMS server.

Values

Enter a URL.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Specifies the address of the carrier's MMS proxy server.

Values

Enter an IP or domain.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Specifies the port of the carrier's MMS proxy server.

Values

Enter a port.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Specifies the address of the carrier's WAN proxy server.

Values

Enter a URL.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Specifies the port of the carrier's WAN proxy server.

Values

Enter a port.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Specifies the account username to use when connecting to the APN.

Values

Enter a username. By default, the field contains the ${UserName} lookup item, which substitutes for the username associated with the device in Knox Manage.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Specifies the account password to use when connecting to the APN.

Values

Enter a password.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Specifies the protocol to use when authenticating with the APN.

Values

• None — Disables authentication.
• PAP — Uses the Password Authentication Protocol (PAP), which requires a username and password.
• CHAP — Uses the Challenge-Handshake Authentication Protocol (CHAP), which implements challenge messages to validate identities.
• PAP or CHAP — Uses either the PAP or CHAP method, depending on which is available.

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Specifies the communications protocol to use when connecting to the APN.

Values

• IPV4
• IPV6
• IPV4/IPV6
• PPP

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Specifies the communications protocol to use when connecting to the APN while the device is roaming.

Values

• IPV4
• IPV6
• IPV4/IPV6
• PPP

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Specifies the type of identifier used by the APN's mobile virtual network operator (MVNO).

Values

• SPN
• IMSI
• GID
• ICCID

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Specifies which bearer types can be used when connecting with the APN. Only available if the Bearer policy is set to Apply.

Values

• LTE
• HSPAP
• HSPA
• HSUPA
• HSDPA
• UMTS
• EDGE
• GPRS
• eHRPD
• NR
• EVDO_B
• EVDO_A
• EVDO_0
• 1xRTT
• CDMA
• TD_SCDMA
• IDEN
• GSM
• IWLAN

Fully Managed — Android 9 and higher

Samsung device — Android 9 and higher

Select an input method for entering certificate information.

• EMM Management Certificate — Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.

• Connector interworking — Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Connect to AD/LDAP.
• When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.
• Issuing external CA — Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template.

  Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see External certificates.

Select a certification category when EMM Management Certificate is selected in User certificate input method,

• CA certificate — Select a certificate to use from the CA certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as Root show on the list.
• User certificate — Select a certificate to use from the User Certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose has been set as CA Cert and the Type set as User show on the list.