Back to top

Android Legacy policies

Last updated June 26th, 2024

With 23.03, Knox Manage no longer supports the Android Legacy (also known as Device Admin ) platform. The Knox Manage team strongly recommends that you migrate to the Android Enterprise platform.

This section describes the policies you can configure for Android Legacy devices.

The availability of each policy varies depending on the OS version.

System

Provides backup and restore settings, developer options, and other features. Updates the operating system on a device.

Policy Description Supported system
Factory reset

Allows a device factory reset.

  • Disallow — Factory reset using the hardware button is prevented. However, factory reset using the firmware update utility cannot be prevented.
Samsung Knox 1.0 and higher
Power off

Allows you to shut down and power off the device.

  • Disallow — The power off option menu does not appear even with the use of a power button. However, powering off by separating the battery cannot be prevented. Factory reset is prohibited if this policy is disallowed.
Samsung Knox 1.0 and higher
Backup

Allows backup of the device data.

If you can find the backup function on your device at Google > Backup, it may seem as if you can turn the backup setting on or off, even if this policy is set to Disallow. However, note that when the Backup policy is set to Disallow, the device's backup functionality is limited regardless of the UI shown on the device.

Samsung Knox 1.0 and higher
OTA upgrade Allows an OTA upgrade for the device. Samsung Knox 1.0 and higher
Settings Allows the configuration of the System Settings. Samsung Knox 1.0 and higher
System app close Allows force closing system applications. Samsung Knox 1.0 and higher
App crash report to Google Allows reporting the application error occurrence information to Google. Samsung Knox 1.0 and higher
Multiple users Allows multiple users. Samsung Knox 1.0 and higher
Expand status bar Allows the expansion of the status bar. Samsung Knox 1.0 and higher
Wallpaper Change Allows changing the home and the lock screens. Samsung Knox 1.0 and higher
Automatic Date and Time Allows changing the date and time. Samsung Knox 1.0 and higher
Camera

Allows using the camera.

If the camera in the general area is restricted, the camera in the Knox Workspace is also restricted.

Samsung Knox 1.0 and higher, Android 4 and higher
>Face recognition camera Allows use of the camera for face unlock even when the camera is disabled in the Camera policy. This policy is available when Camera is set to Disallow all. Samsung Knox 3.2.1 and higher
Screen capture Allows use of the default screen capture function. Samsung Knox 1.0 and higher
Clipboard

Allows the clipboard feature throughout the

entire system.

  • Allow within the same app — Allows using the clipboard feature only within the same application.
Samsung Knox 1.0 and higher
Share via apps Allows the share app function. Samsung Knox 1.0 and higher
S Beam Allows using Android Beam which transfers data using NFC. Samsung Knox 1.0 and higher
Encryption for storage Specifies the encryption of the device's system storage or the external SD card. Samsung Knox 1.0 and higher, Android 1 and higher
> Storage encryption

Check the check box to select the storage to be encrypted.

External SD card encryption is applicable to Samsung Galaxy devices only.

External SD Card Allows using the external SD card. Samsung Knox 1.0 and higher
> Write to external SD card

Allows writing to an external SD card.

If the external SD card policy is allowed but the Write to external SD card policy is not, then external SD cards can only be read and do not have reset control.

Samsung Knox 1.0 and higher
Unauthorized SD Card Allows using unauthorized SD cards. Android 1 (SDK1 and higher)
If compromised OS is detected

Select the control function to be triggered if device OS tampering is detected.

  • Lock device — Locks the device.

Android 10 and higher devices are not supported.

  • Factory reset + Initialize SD card — Simultaneously factory resets the user device and the SD card.
  • Factory reset (only) — Resets the user device but not the SD card.

The factory reset (only) function is unsupported in Android 2 and lower. To reset the device, select the Factory reset + Initialized SD card option.

Samsung Knox 1.0 and higher
Smart Select Allows using the Smart Select, which is one of the Samsung device features. It allows users to clip a content by drawing a circle with the S pen. Clipped contents can be used on notes or anywhere else. Samsung Knox 2.2 and higher
Device Administrators to install and activate apps

Specifies to run or install EMM applications other than the Knox Manage application.

  • Allow — Allows installing or enabling EMM applications.
  • Disallow installation — Disallows installing EMM applications.
  • Disallow activation — Disallows enabling EMM applications.

You cannot control this policy if another EMM application is active before the policy was set.

Samsung Knox 2.0 and higher
> Exceptional app allowlist

Allows installing or activating select EMM applications by adding them to the allowlist. This policy is available only when the Device Administrator to Install and Activate apps policy is set to Disallow installation or Disallow activation.

  • To add an application, click Add, and then select applications in the Select Application window.
  • To delete an application, click delete next to the added application.
  • Disallow installation — Only the allowed applications can be installed.
  • Disallow activation — Only the allowed applications can be activated.
Samsung Knox 2.0 and higher
Developer mode Allows using the developer mode. Samsung Knox 2.0 and higher
> Background process limitation

Allows setting the default number of background processes.

If this policy is disabled, the number of background processes is set to the maximum number.

Samsung Knox 1.0 and higher
> Quit application upon killing activities

Enables closing all running applications when the user signs out of the device.

If this policy is disabled, the activation setting is disabled on the device and the user cannot control the device settings.

Samsung Knox 1.0 and higher
> Mock location

Allows using the mock location, which specifies an arbitrary location for development or test purposes.

Use this policy if location information from the Update Device Information of the Send Device Command seems incorrect.

Samsung Knox 1.0 and higher
Safe mode Allows using Safe Mode. This policy retains device control functions such as camera control, but not Knox Manage applications and preloaded applications. Samsung Knox 1.0 and higher
Reboot banner Allows using the reboot banner which appears on the user's device when the device reboots. Samsung Knox 1.0 and higher
> Reboot banners stationery

Enter the text for the reboot manager. You can enter up to 1000 bytes.

You can customize banners for Samsung Knox 2.2 and higher devices. For Samsung Knox 1.0 devices, only the message or banner registered by the manufacturer is displayed.

Samsung Knox 2.2 and higher
Domain Blocklist Settings Allows using the domain blocklist. Samsung Knox 1.0 and higher
> Domain Blocklist

Enter a domain blocklist that should not be used when registering an Exchange or email account.

  • To add a domain, enter the domain name in the field, and click Add.
  • To delete a domain, click delete next to the added domain name.
Network Time Protocol Settings Allows using the Network Time Protocol (NTP). Register this server to sync the server time to a device. Samsung Knox 2.5 and higher
> Server address Enter the NTP server address. Samsung Knox 2.5 and higher
> Maximum number of attempts

Set the maximum number of attempts for connecting to the NTP server to retrieve the time information.

The value can be between 1–100 times.

Samsung Knox 2.5 and higher
> Polling cycle (hr)

Set the cycle to reconnect to the server using NTP.

The value can be between 1–8760 hours (8760 = 1 year).

Samsung Knox 2.5 and higher
> Short polling cycle (sec)

Set the cycle to re-connect to the NTP server after experiencing a timeout.

The value can be between 1–1000 seconds.

Samsung Knox 2.5 and higher
> Timeout (sec)

Set the connection timeout on the NTP server.

The value can be between 1–1000 seconds.

Samsung Knox 2.5 and higher
Notifications when an Event is Set to On.

Sets the device to display notifications when a device control event is applied.

User Defined — Users can set event notifications on the device from the Settings menu of Knox Manage agent.

Show notification — Displays the notification when an event for device control is applied.

Hide notifications — Hides the notification when an event for device control is applied.

Samsung Knox 1.0 and higher, Android 1 and higher
Notifications when an Event is Set to Off.

Sets the device to display the notifications when an event for device control is disengaged.

  • User Defined — Users can set event notifications on the device from the Settings menu of Knox Manage agent.
  • Show notification — Displays a notification when an event for device control is disengaged.
  • Hide notifications — Hides a notification when an event for device control is disengaged.
Samsung Knox 1.0 and higher, Android 1 and higher
Fix Event Notification

Set the removal of the notification from the device Quick panel.

  • User Defined — Users can remove notification on the device from the settings menu of Knox Manage agent.
  • Disallow to Remove Notification — Users cannot remove notifications on the device Quick Panel.
  • Allow to Remove Notification — Users can remove notifications on the device Quick Panel.
Samsung Knox 1.0 and higher, Android 1 and higher
Power Saving Mode Control Allows power saving control on the device. Samsung Knox 2.8 and higher
Firmware download mode control

Allows using the hardware key on the device to update firmware.

  • Disallow — Disallows updating firmware with the hardware key and performing a factory reset.
Samsung Knox 2.0 and higher
Samsung Keyboard settings control Allows accessing the settings key from the Samsung keyboard. Samsung Knox 2.0 and higher
Data Saver Mode Allows the device to use the data saver mode automatically. Samsung Knox 3.0 and higher

Connectivity

Controls the network settings, such as Bluetooth, Wi-Fi Direct, and tethering.

Policy Description Supported system
Wi-Fi

Allows using Wi-Fi. If the Wi-Fi policy is not applied successfully, the device tries to apply it again 30 minutes later after Knox Manage is activated.

  • Allow — Allows using Wi-Fi.
  • Disable On — Disallows turning on Wi-Fi. It is turned off at all times.
  • Disable Off — Disallows turning off Wi-Fi. It is turned on at all times.
Samsung Knox 1.0 and higher, Android 1 and higher
> Wi-Fi Direct

Allows use of the Wi-Fi Direct (Wi-Fi P2P) connection.

  • Set the Wi-Fi policy to Allow or Disable Off before using this policy.
  • Depending on the device type, the direct connection of the two devices may cause the function or the menu to get controlled.

Samsung Knox 1.0 and higher
Wi-Fi hotspot Allows use of the Wi-Fi hotspot. Samsung Knox 1.0 and higher, Android 2.3 and higher
Wi-Fi SSID allowlist setting

Allows using the Wi-Fi SSID allowlist. Devices can only connect to the Wi-Fi APs on the allowlist.

For non-Samsung devices with Android 8 or a higher version, this policy can only be applied the device user agrees to grant access to location information.

Samsung Knox 1.0 and higher, Android 1 and higher
> Wi-Fi SSID allowlist

Add Wi-Fi APs to the allowlist. This policy is irrelevant to adding or deleting the Wi-Fi setting profile.

  • To add a Wi-Fi AP, enter a Wi-Fi SSID and click Add.
  • To add all Wi-Fi APs, click Add all to access the Wi-Fi list.
  • To delete a Wi-Fi AP, select a Wi-Fi SSID and click delete.

Android 1 (SDK1) and higher

Samsung Knox 1.0 and higher

Wi-Fi SSID Blocklist Setting

Allows using the Wi-Fi SSID blocklist. Devices cannot connect to Wi-Fi APs on the blocklist.

For non-Samsung devices with Android 8 or a higher version, this policy can only be applied when the device user agrees to grant access to location information.

> Wi-Fi SSID Blocklist

Add Wi-Fi APs to the blocklist. This policy is irrelevant to adding or deleting the Wi-Fi setting profile.

  • To add a Wi-Fi AP, enter a Wi-Fi SSID and click Add.
  • To add all Wi-Fi APs, click Add all to access the Wi-Fi list.
  • To delete a Wi-Fi AP, select a Wi-Fi SSID and click delete.
Samsung Knox 1.0 and higher, Android 1 and higher
Wi-Fi auto connection Allows automatic connection to Wi-Fi SSID already stored in the device. Samsung Knox 1.0 and higher
Wi-Fi minimum security level setting

Set a minimum security level for Wi-Fi.

The security level increases in the following ascending order: OPEN < WEP < WPA < LEAP, PWD < FAST, PEAP < TSL, TTLS, SIM, AKA, AKA'

Samsung Knox 1.0 and higher
Wi-Fi Proxy Setting

Block a device's Wi-Fi proxy information from showing on the device. When this policy is set, device users cannot see the proxy menu under device settings > Wi-Fi.

Currently, this feature is only available for Galaxy Tab A (SM-T585) devices, running the latest firmware version.

  • N/A — No settings
  • Allow — Allow users to configure Wi-Fi proxy with the device
  • Disallow — Disallow users from configuring Wi-Fi proxy with the device.
Samsung Knox 3.0
Bluetooth

Allows using Bluetooth.

  • Allow — Allows using Bluetooth.
  • Disable On — Disallows turning on Bluetooth. It is turned off at all times.
  • Disable Off — Disallows turning off Bluetooth. It is turned on at all times.
Samsung Knox 1.0 and higher, Android 1 and higher
> Desktop PC connection Allows Desktop PC connections with the user's device using Bluetooth. Samsung Knox 1.0 and higher
> Data transfer Allows data exchanges with other devices using Bluetooth connection. Samsung Knox 1.0 and higher
> Search mode Allows device search using Bluetooth. Samsung Knox 1.0 and higher
> Bluetooth tethering Allows Bluetooth tethering to share the internet connection with another device. Samsung Knox 1.0 and higher, Android 4.2 and higher
Bluetooth UUID Block/Allowlist

Select a method to connect Bluetooth devices based on their Universal Unique Identifier (UUID).

  • Blocklist configuration — Set a device to block Bluetooth connections from certain devices.
  • Allowlist configuration — Set a device to allow Bluetooth connections to certain devices.
> Bluetooth UUID blocklist

Select devices to block Bluetooth connections with. Click the check boxes for Audio, File transfer, Phonebook, Headsets, or Hands-free.

When updating the policy, current Bluetooth connection gets disconnected. Users must reconnect.

Samsung Knox 1.0 and higher
> Bluetooth UUID allowlist

Select devices to allow Bluetooth connections with. Click the check boxes for Audio, File transfer, Phonebook, Headsets, or Hands-free.

When updating the policy, the current Bluetooth connection gets disconnected. Users must reconnect.

Samsung Knox 1.0 and higher
NFC control

Allows NFC (Near Field Communication) control.

  • Samsung Knox 2.4 and higher is supported for Knox Workspace devices.
  • Android 10 and higher devices are not supported.
Samsung Knox 1.0 and higher
PC connection Allows connecting user's device to their computer. Samsung Knox 1.0 and higher, Android 1 and higher
USB tethering Allows USB tethering. Samsung Knox 1.0 and higher, Android 1 and higher
USB host storage (OTG)

Allows a device connection using OTG (On the Go). OTG controls only the storage items and not the non-storage items, such as a keyboard or mouse.

To use DeX when the USB host storage (OTG) policy is disallowed, enable DeX in the Set USB exception allowed list policy. Then configure the Allow DeX mode policy to Allow.

Samsung Knox 1.0 and higher
> Set usb exception allowed list Specify the use for the exception allowed list once the USB host storage (OTG) policy is disallowed. Samsung Knox 3.0 and higher
> USB exception allowed list Select the USB interface to use if the USB host storage (OTG) policy is disallowed. Samsung Knox 3.0 and higher
USB debugging Allows USB debugging. Samsung Knox 1.0 and higher
Microphone Allows use of the microphone. Samsung Knox 1.0 and higher, Android 1 and higher
> Recording Allows the use of microphone recording. Samsung Knox 1.0 and higher
> S Voice Allows the use of S Voice. Samsung Knox 1.0 and higher
GPS

Allows using GPS.

  • Allow — Allows using GPS.
  • Disable On — Disallows turning on GPS. It is turned off at all times.
  • Disable Off — Disallows turning off GPS. It is turned on at all times.

Consider the following:

  • To use this policy, the GPS type on the user device must be set as one of the three types: High accuracy, Sleep, or GPS.
  • Devices running Android 10 and higher are not supported.

Samsung Knox 1.0 and higher
Wearable equipment policy inheritance Set to use the existing Mobile policy for the Gear policy. Samsung Knox 2.6 and higher

Security

Configures the security settings, such as the password and lock screen.

Policy Description Supported system
Device Password

Set the password for the device screen lock. Use of the camera is prohibited when the device is screen locked.

Consider the following:

  • When a user has forgotten their screen lock password, an administrator needs to send the Reset screen password device command, and then the user needs to enter a temporary password. A temporary password is generated randomly according to the set Device Password policies. For more information, see the screen lock password in View details of a device.
  • For Knox Workspace devices with a One Lock password, the stronger password policy out of the Android Legacy and Knox Workspace policies is applied.

Secure Startup

Allow or disallow users from setting the Secure Startup feature on devices.

When Secure Startup is set and the user enters the wrong password 30 times, the device is factory reset even if you have restricted factory resets through a policy. To avoid this situation, set this policy to Disallow.

This condition is applicable to devices running an OS earlier than Android P.

Lock screen Set to allow or disallow the user to change Lock Screen setting. Samsung Knox 3.0 and higher
> Minimum strength

Set the minimum password strength on the screen.

The password strength increases in the following ascending order: Pattern < Numeric < Must be alphanumeric < Must include special characters.

  • Pattern — Set the password using a pattern or a password with a higher degree of complexity.
  • Numeric — Set the password using numbers or a password with a higher degree of complexity.
  • Alphanumeric — Set the password using alphanumeric characters or a password with a higher degree of complexity.
  • Complex — Set it so that the passwords must include alphanumeric and special characters.
Samsung Knox 2.0 and higher, Android 2.2 and higher
>> Maximum Failed Login Attempts

Set the maximum number of incorrect password attempts before access is restricted.

The value can be between 1 - 10 times.

You can set this value only when type of password is set to Numeric, Alphanumeric, or Complex.

Samsung Knox 2.0 and higher, Android 2.2 and higher
>>> If maximum failed login attempts exceeded

Select the action to be performed when the maximum number of failed attempts is reached.

Knox Workspace devices support Samsung Knox 1.0 and higher.

  • Lock device — Locks the device.

Android 10 and higher devices are not supported.

  • Factory reset + Initialize SD card — Simultaneously resets the user device and the SD card.
  • Factory reset — Resets the user device but not the SD card.
Samsung Knox 2.0 and higher, Android 2.2 and higher
>> Minimum length

Set the minimum length of the password.

The value can be between 4 - 16 characters.

Minimum length of the pattern password refers to the number of lines connecting each dot. For example, if the policy value is 4, at least four lines connecting five dots must be entered.

Samsung Knox 2.0 and higher, Android 2.2 and higher
>> Expiration after (days)

Set the maximum number of days before the password must be reset.

The value can be between 0 - 365 days.

Samsung Knox 2.0 and higher is supported for Knox Workspace devices.

Samsung Knox 1.0 and higher, Android 3 and higher
>> Manage password history (times)

Set the minimum number of new passwords that the user must use before they can reuse the previous password.

The value can be between 0 - 10 times.

If the password is Knox123! and the minimum value is set to 10, the user must use ten other passwords before reusing Knox123! as password.

Samsung Knox 1.0 and higher, Android 3 and higher
>> Screen Lock Timeout (min)

Set the duration for locking the device when the user has not set up a password for the screen lock.

The value can be between 0 - 60 minutes.

Samsung Knox 1.0 and higher
>> Maximum length of sequential numbers

Set the maximum number of consecutive numeric characters allowed in a password.

The value can be between 1 - 10 words.

Samsung Knox 1.0 and higher
>> Maximum length of sequential characters

Set the number of consecutive letters allowed in a password.

The value can be between 1 - 10 words.

Samsung Knox 1.0 and higher
>> Block function setting on lock screen

Allows blocking functions on the lock screen.

Consider the following:

  • The visibility of the notifications on the lock screen depends on the options you set in the application.
  • Samsung Knox 2.4 - 2.9 is supported for Knox Workspace devices.

Android 5 and higher
>>> Block functions on lock screen

Select the function to be blocked on the lock screen when a password policy is set on a device.

  • All — Blocks all functions on the lock screen.
  • Camera — Blocks direct camera control on lock screen.
  • Trust Agent — Blocks the Smart Lock function which automatically unlocks the screen in certain conditions, such as during a certain physical activity, at a specific location, or when devices are added.
  • Fingerprint — Blocks the fingerprint unlock function.
  • Previews in pop-ups — Displays notifications on the lock screen but hides private content set in the application.
  • Notifications — All notifications are hidden using the lock screen.

You can only implement this policy when the password level is set to pattern and higher.

> Maximum screen timeout Set the maximum time limit that a user can linger before screen timeout. Samsung Knox 2.0 and higher, Android 2.2 and higher
Connection attempt between server and device Allows Knox Manage to retry connecting according to the value that you specified when the device is disconnected from Knox Manage. If not specified, communication is reattempted twice every 15 minutes.
> Communication retry count

Set a retry count when a device is disconnected from Knox Manage and Knox Manage retries connecting to the device in 1 minute intervals.

If the device is disconnected continuously despite retrying on the specified count, Knox Manage retries connections according to the Communication retry interval (min) below.

The value can be between 1 - 60 times.

Android 1 (SDK 1) and higher
> Communication retry interval (min)

Set a retry interval for when a device is disconnected from Knox Manage. If Knox Manage receives the event that the device is available, the server tries to reconnect immediately despite the waiting time.

The value can be between 1 to 60 minutes.

Android 1 (SDK 1) and higher
Smartcard Browser Authentication

Allows Smartcard Browser Authentication within the internet browser.

When the policy is allowed, the Bluetooth security mode is applied while the device is connected to the smart card reader and the device does not accept other Bluetooth connections.

Consider the following:

  • To use this policy, Bluetooth smart card-related applications must be installed on the device and the smartcard must be registered in the Settings menu of the device.
  • Android 10 and higher devices are not supported.

Samsung Knox 1.0 and higher
Certificate deletion Prevents users from deleting the certificate in the Settings menu of the device. Samsung Knox 1.0 and higher
Certificate verification during installation Set the system to validate the certificate during installation. If the certificate fails validation, it cannot be installed. Samsung Knox 1.0 and higher
Attestation Communicates with the attestation server to determine whether the user's device is forged. If no option is selected, attestation is not processed. Samsung Knox 1.0.1 and higher
> Action when verification fails

Set the measure for when forgery of the device firmware is detected. If detected, the creation of a new Knox Workspace and the use of the existing Knox Workspace are prohibited.

  • Lock Knox Workspace — Locks the Knox Workspace.
  • Delete Knox Workspace — Deletes the Knox Workspace.
  • Lock device — Locks the device.

  •                 <p>Android 10 and higher devices are not supported.
                    </p>
                </div>
            </div>
                <li><strong>Factory reset + Initialization SD Card</strong> &mdash; Simultaneously factory resets the user's device and the SD card.</li>
                <li><strong>Factory reset</strong> &mdash; Resets the user device but not the SD card.</li>
            </ul>
        </td>
        <td>Samsung Knox 1.0.1 and higher</td>
    </tr>
    <tr>
        <td id="security-google-android-security-update-policy">Google Android security update Policy</td>
        <td>
            <p>Allows the user to select whether to receive updates on the device.</p>
            <p><strong>Forced use</strong> &mdash; Set to receive security updates by default.</p>
        </td>
        <td>Samsung Knox 2.6 and higher</td>
    </tr>
    

Kiosk

Configures Kiosk applications on a Kiosk device and controls the device settings.

Policy Description Supported system
Kiosk app settings

Select a Kiosk feature to use on a device.

Single App Mode — Runs a single application on the device's home screen.

Multi App Mode — Runs multiple applications that are developed using the Kiosk Wizard.

Web Mode — Opens webpages that are specified by the administrator.

Consider the following:

  • To use the Web Mode, the Kiosk Browser application must be registered as a Knox Manage application. For more details, contact the TMS administrator.
  • Kiosks are not available with non-Samsung Android Legacy devices.

Samsung Knox 1.0 and higher
> Set application

Click Select and select a single Kiosk application from the list. Alternatively, click Add and manually add applications. For more information about adding single applications, see Create a kiosk using the Kiosk Wizard.

Samsung Knox 1.0 and higher
> Set application

Click Select and select multiple Kiosk applications from the list. Alternatively, click New and create a MultiApp Kiosk using the Kiosk Wizard. To learn how to use the Kiosk Wizard, see Exploring Kiosk Wizard.

Samsung Knox 1.0 and higher
> Set Kiosk Browser When setting up the Kiosk Browser, the package name of the application registered as the Kiosk Browser is automatically selected.
> Default URL Set the default page URL to call in the Kiosk Browser.
App Auto Update Set the Kiosk Browser to receive automatic app updates.
> Screen Saver

Use the screen saver for the Multi App Kiosk and the Kiosk Browser. When no user activity is sensed for a certain amount of time, as set in the Auto Screen Off or Session Timeout settings on the device, the registered images or video files are shown on the device display.

  • The Screen Saver only runs while the device is charging.
  • The Screen Saver for the Kiosk Browser only runs while the device is connected to a power source.

>> Screen Saver Type Select either an image or video type screensaver.
>>> Image

Select image files for the screen saver. You can add up to 10 image files in PNG, JPG, JPEG, or GIF formats (animated files are not supported). Each image file must be less than 5 MB.

  • To upload an image file, click Add and select a file.
  • To delete an image file, click delete next to the name of the uploaded image file.

The device control command must be transferred to the device to apply an image file to it.

>>> Video

Select a video file for the screen saver. You can add only one video file in the MP4 or MKV format. The video file must be less than 50 MB.

  • To upload a video file, click Add and select a file.
  • To delete a video file, click delete next to the name of the uploaded video file.

The device control command must be transferred to the device to apply a video to it.

> Session timeout

Allows the use of the session timeout feature for the Kiosk Browser. If the user does not use the device for a set time, the device deletes user information, such as the cache and cookies, in the device Kiosk Browser and goes to the main page URL.

  • Apply — Enable the session timeout feature for the browser.
>> Time (sec)

Set the session timeout in seconds for the Kiosk Browser.

The value must be between 10 - 3600 seconds. The default value is 1800 seconds.

> Text Copy Allows the copying of text strings in the Kiosk Browser.
> Javascript Allows the running of the JavaScript contained in websites.
> Http Proxy Allows the use of an HTTP proxy for communications in the Kiosk Browser.
>> IP/Domain:Port Set the HTTP proxy server IP or domain address, and Port. When not entered, the Port number is automatically set to 80.
> User agent settings key value

Set the key value to be added to the user agent. Allow the Kiosk Browser to access the Web server and the user agent key values contained in the HTTP header.

User agent key settings can be used to detect access to non-Kiosk Browsers on the web server.

> File Upload

Allows the user to upload files to websites through the Kiosk Browser.

Disallow is the default value.

Delete Kiosk app when policy is removed Allows deleting applications along with policies from the device when the applied policy is deleted. Samsung Knox 1.0 and higher
Task manager

Allows the use of the Task Manager.

You can use the function to disable the hardware key on SDK 2.5 or later.

Samsung Knox 1.0–2.4 and higher
System bar

Use the System bar which refers to the Status bar in the Notifications area at the top of the device and the Navigation bar in the Buttons area at the bottom.

For non-Samsung devices, irrespective of whether you select Allow status bar only or Allow navigation bar only, both the status bar and the navigation bar are disabled.

Samsung Knox 1.0 and higher
Prohibit hardware key Allows the use of the hardware keys. Samsung Knox 1.0 and higher
> Disallow hardware keys

Select hardware keys to disable.

The availability of Hardware keys can vary by device.

If you do not allow the use of the Task Manager, then it does not run, even if the user tries to activate it by tapping the left menu key in the Navigation bar at the bottom of the device.

Samsung Knox 1.0 and higher
Multi windows Allows the use of multiple windows. This feature is available for devices that provide the functionality of multiple windows. Samsung Knox 1.0 and higher
Air command Allows the use of Air command. Air command is a function provided on Samsung devices. Menu items show on the screen appear when the user brings an S pen close to the screen. Samsung Knox 2.2 and higher
Air view Allows the use of Air view. Air view is a function provided on Samsung devices. Users can preview a picture or email when they bring the S pen or finger close to the picture or other content. Samsung Knox 2.2 and higher
Edge screen Allows the use of the Edge screen of the device. The Edge screen allows users to create shortcuts on the edges of the screen panel to frequently used applications, favorite contacts, or the camera. Samsung Knox 2.5 and higher

App Restrictions

Configures options for application controls such as installation, verification, and permission.

Policy Description Supported system
Installation of application from untrusted sources

Allows the installation of applications from untrusted sources instead of just the Google Play Store.

Android 8 and higher is supported for Knox Workspace devices.

Samsung Knox 1.0 and higher
Play Store Allows the use of the Google Play Store. Samsung Knox 1.0 and higher
YouTube Allows the use of YouTube. Samsung Knox 1.0 and higher
App Installation Block/Allowlist Setting

Set to control the app installation policies.

If no apps are added to the Application installation blocklist and the Application installation allowlist, then no other apps except the Knox Manage agent are installed or run.

> App installation blocklist

Add apps to prohibit their installation.

  • To add an app, click Add, and then select apps in the Select Application window.
  • To add all apps, click Add all.
  • To delete an app, click delete next to the added app.

  • If a control app registered with a wildcard (*) in the package name is added to this policy, the specific package is not installed. For example, com.*.emm / com.sds.* / com.*.emm.*
  • Blocked apps cannot be installed and are deleted even if they were previously installed.
  • You cannot add an app that is on the on the Application installation allowlist to the blocklist.

Samsung Knox 1.0 and higher
> App installation allowlist

Add apps to allow their installation.

  • To add an app, click Add, and then select apps in the Select Application window.
  • To add all apps, click Add all.
  • To delete an app, click delete next to the added app.

  • If a control apps registered with a wildcard (*) in the package name is added to this policy, the specific package is not installed. For example, com.*.emm / com.sds.* / com.*.emm.*
  • Any apps not on the allowlist are deleted, even if they are not on the blocklist.
  • You cannot add an app that is on the Application installation blocklist to the allowlist.
  • Samsung Knox 2.0 and higher is supported for Knox Workspace devices.

Samsung Knox 1.0 and higher
App execution Block/Allowlist Setting

Set to control the app execution policies.

If the policy changes or Knox Manage is unenrolled, hidden apps reappear.

Android 8 (Oreo) or below is supported for non-Samsung devices.

> App execution blocklist

Add apps to prevent their execution. Icon of the blocked app disappears and users cannot run the app.

To add an app, click Add, and then select apps in the Select Application window.

To delete an app, click delete next to the added app.

Samsung Knox 1.0 and higher, Android 2.2 and higher
> App execution allowlist

Add apps to allow their execution. Icons of apps that are not on the allowlist disappear automatically. Knox Manage and the preloaded apps are automatically registered on the allowlist.

  • To add an app, click Add, and then select apps in the Select Application window.
  • To delete an app, click delete next to the added app.

You cannot add app that was added to the Application installation allowlist to the blocklist.

Samsung Knox 1.0 and higher, Android 2.2 and higher
App force stop prohibition list setting Set to prohibit apps from force stop.
> App force stop blocklist Add apps to prohibit from force stop. Samsung Knox 1.0 and higher
App execution prevention list setting Allows app installation but prevents app execution.
> App execution prevention list

Add apps to be displayed but not executable.

Listed apps can be installed and the icons are shown on the screen, but they are not allowed to run.

  • To add an app, click Add, and then select apps in the Select Application window.
  • To delete an app, click delete next to the added app.

You cannot add an app that is on the Application installation blocklist to the allowlist.

Samsung Knox 2.0 and higher
App uninstallation prevention list Settings Set to control the app uninstallation policies.
> App uninstallation prevention list

Add apps to prevent their uninstallation.

  • To add an app, click Add, and then select apps in the Select Application window.
  • To delete an app, click delete next to the added app.
Samsung Knox 1.0 and higher
Action when apps are compromised

Select from one of the following actions to take if an internal or a kiosk application is compromised:

  • Disallow running — Prohibits the application's execution.
  • Uninstall — Deletes an application.
  • Lock device — Locks the user's device.
  •                 <p>Android 10 and higher devices are not supported.</p>
                </div>
            </div>
                <li><strong>Notify Alert</strong> &mdash; The compromised status of the device is reported on the <strong>Dashboard</strong>.</li>
                <li><strong>Factory reset + Initialize SD card</strong> &mdash; Simultaneously resets a user device and the SD card.</li>
                <li><strong>Factory reset</strong> &mdash; Resets the user device but not the SD card.</li>
            </ul>
            <div class="notice-note">
                <p>Actions such as lock device, factory reset, and the notify alert are applied but only for general Android devices and not for Samsung Galaxy and LG Electronic devices.</p>
            </div>
        </td>
        <td>Samsung Knox 1.0 and higher</td>
    </tr>
    <tr>
        <td id="application-battery-optimization-exceptions">Battery optimization exceptions</td>
        <td>
            <p>Set to exempt applications from the battery optimization function. This policy may cause battery loss.</p>
            <div class="notice-note">
                <p>This policy is for devices running Android (Nougat) or later.</p>
            </div>
        </td>
        <td></td>
    </tr>
    <tr>
        <td id="application-app-excluded-battery-optimization">&gt; Apps excluded battery optimization</td>
        <td>Add applications to exempt them from the battery optimization function.</td>
        <td>Samsung Knox 2.7 and higher</td>
    </tr>
    

Location

Allows the use of GPS or collecting location data from a device.

Policy Description Supported system
Report device location

Allows collection of location data.

User consent — Allows location data collection only with the user's consent.

  • When this policy is set to User consent, location data can only be collected after the user allows collection of device location data in the permission pop-up. The Report device location policy has a higher priority than the GPS policy or the locate the current position device command.
  • For devices running Android 10 and higher, this policy is supported only when the GPS is enabled in the device settings.

Samsung Knox 1.0 and higher, Android 2.3 and higher
> Report device location interval

Set an interval period to save the location data of the device.

To set the collection interval, select either Allow or User Consent for the Report device location policy.

Samsung Knox 1.0 and higher, Android 2.3 and higher
High Accuracy Mode Set to use for collecting accurate GPS locations of the devices. Samsung Knox 1.0 and higher, Android 2.3 and higher

Browser

Allows the use of the default web browser and configures the settings for it.

Browsers must restart before the changes are applied.

Policy Description Supported system
Android browser

Allows using the Android browser.

The disallowed setting or blocklist setting takes priority over others. If the disallowed setting is configured in any of the Android browser or the application blocklist policies, the Samsung Internet browser is launched.

Samsung Knox 1.0 and higher
> Cookies

Allows cookies in the Android browser.

If cookies are not allowed, you cannot access websites that authenticate users with cookies.

Samsung Knox 1.0 and higher
> JavaScript Allows JavaScript in the Android browser. Samsung Knox 1.0 and higher
> Autofill Allows auto-completion of information that you enter on websites in the Android browser. Samsung Knox 1.0 and higher
> Pop-up block Allows blocking pop-ups in the Android browser. Samsung Knox 1.0 and higher
Browser proxy URL

Set the proxy server address for the Android browser in the general area.

Enter the value in the form of IP:port or domain:port in the fields.

  • The Chrome browser and Samsung S browser are supported.
  • The supported version for Chrome is Knox 4.0.1 - 5.6.

Samsung Knox 1.0.1 and higher

Phone

Configures the phone settings, such as airplane mode, the microphone, and the cellular network settings.

Policy Description Supported system
Airplane mode Allows the use of airplane mode. Samsung Knox 2.0 and higher
Cellular data connection

Allows the use of a cellular data connection.

This policy is applied after internal applications that have been set as Automatic (Non-removable) are installed. If the cellular data connection policy is not applied successfully, the device tries again to apply this policy 30 minutes later after Knox Manage is activated.

Samsung Knox 1.0 and higher
Prohibit voice call Prohibits incoming and outgoing voice calls. Samsung Knox 1.0 and higher
> Voice call

Specifies the types of voice call to block:

  • Incoming — Blocks incoming voice calls only.
  • Outgoing — Blocks outgoing voice calls only

If both are selected, only emergency calls can be received or made.

> Incoming Call Blocklist

Add phone numbers to the blocklist to block incoming voice calls.

  • To add a phone number, enter it in the field and click add.
  • To delete a phone number, click delete next to it.
> Outgoing Call Blocklist

Add phone numbers to the blocklist to block outgoing voice calls.

  • To add a phone number, enter it in the field and click add.
  • To delete a phone number, click delete next to it.
Data usage limit Allows the limiting of data usage. Samsung Knox 1.0 and higher
Data usage restrictions

Limits the maximum data usage for user devices. If data usage exceeds the limit set on a device, data use is no longer available.

To get precise information on the amount of usage, changing the date and time must not be allowed.

Samsung Knox 1.0 and higher
> Maximum usage

Set the maximum data amount for user devices for 1 day, 1 week, or 1 month.

  • Daily usage is calculated at 12:00 PM each day, weekly usage on Sundays, and monthly usage on the first day of each month.
  • When the maximum data amount is reached, the data network connectivity is blocked. But if the user allows the data network, the data usage of the user device is reset.

Data connection during roaming Allows data connection when roaming. Samsung Knox 1.0 and higher
WAP push during roaming Allows WAP push communication while using roaming. Samsung Knox 1.0 and higher
Data sync during roaming Allows data synchronization while roaming. Samsung Knox 1.0 and higher
Voice calls during roaming Allows voice calls while roaming. Samsung Knox 1.0 and higher
Disallow SMS and MMS Prohibits sending and receiving SMS or MMS messages. Samsung Knox 1.0 and higher
> Disallow Incoming and Outgoing SMS and MMS

Specifies the types of SMS and MMS messages to block.

At least one of the types should be selected.

> Incoming SMS Blocklist

Add phone numbers to the blocklist to block incoming SMS/MMS messages.

  • To add a phone number, enter it in the field and click add.
  • To delete a phone number, click delete next to it.
> Outgoing SMS Blocklist

Add phone numbers to the blocklist to block outgoing SMS/MMS messages.

  • To add a phone number, enter it in the field and click add.
  • To delete a phone number, click delete next to it.
Set app voice recording allowlist

Allows recording phone conversations.

If unspecified, voice recording is not allowed.

Samsung Knox 3.0 and higher
> App voice recording allowlist

Add applications that are allowed to record phone conversations to the allowlist.

  • The registered voice recording applications cannot be deleted after being activated. To remove the registered applications, you must factory reset the device.
  • If the registered voice recording applications are activated on a device, the device USB connection is blocked.

Samsung Knox 3.0 and higher

Firewall

Configures the IP or a domain firewall policy for each application.

The firewall supports IPv6 for SDK 2.6 or above. Even if the IPv4 and the IPv6 indicate the same address, a separate configuration is required.

  • If there are multiple firewalls, restricted firewalls have a higher priority.
  • If a firewall is configured to all applications as well as in specific applications, the policy for each application has a higher priority.
Policy Description Supported system
Firewall

Set to use the firewall to set target IP addresses. The firewall policy is enabled by default.

Samsung Knox 1.0 - 2.4.1 is supported for Knox Workspace devices.

Samsung Knox 1.0 - 2.4.1
> Permitted Policy (IP)

Input values to permit the target IP and port address. Configure the following:

  1. Enter or click Add to search the Package Name of the application.
  2. Input the IP Address (range) and Port (range).
  3. Select the Network Type:
    • All
    • Data — Only mobile network access is enabled.
    • Wi-Fi — Only Wi-Fi network access is enabled.
  4. Select Port Range:
    • All
    • Local — Port access from the device is enabled.
    • Remote — Port access from the target server is enabled.
  5. Click add to add.

  • Before setting this policy, disable all IPs by entering a wildcard character (*) to the Prohibited policy (IP) ranges.
  • Samsung Knox 2.5 is supported for Knox Workspace devices.

> Prohibited Policy (IP)

Input values to permit the target IP and port address. Configure the following:

  1. Enter or click Add to search the Package Name of the application.
  2. Input the IP Address (range) and Port (range).
  3. Select the Network Type:
    • All
    • Data — Only mobile network access is enabled.
    • Wi-Fi — Only Wi-Fi network access is enabled.
  4. Select Port Range:
    • All
    • Local — Port access from the device is enabled.
    • Remote — Port access from the target server is enabled.
  5. Click add to add.

  • Before setting this policy, disable all IPs by entering a wildcard character (*) to the Prohibited policy (IP) ranges.
  • Samsung Knox 2.5 is supported for Knox Workspace devices.

Samsung Knox 2.5 and higher
> Permitted Policy (Domain)

Input values to permit the target domain address.

  1. Enter or click Add to search the Package Name of the application.
  2. Input the IP Address (range) and Port (range).

  • Before setting this policy, disable all domains by entering a wildcard character (*) to the Prohibited policy (Domain) ranges.
  • Use a wildcard character (*) to allow the use of a specific domain. The character must be placed before or after the domain name. For example, *android.com / www.samsung*
  • Samsung Knox 2.6 is supported for Knox Workspace devices.

Samsung Knox 2.6 and higher
> Prohibited policy (Domain)

Input values to disable the target domain address.

  1. Enter or click Add to search the Package Name of the application.
  2. Input the IP Address (range) and Port (range).

  • Use a wildcard character (*) to disable a specific domain.
  • Samsung Knox 2.6 is supported for Knox Workspace devices.

Samsung Knox 2.6 and higher
> DNS setting

Input values to specify the domain server address of all applications or registered applications.

  1. Enter or click Add to search the Package Name of the application.
  2. Input DNS values.
    • DNS1 — Primary DNS.
    • DNS2 — Secondary DNS.

Only one DNS per application can be set and it is effective only when there are no VPN or Proxy policies assigned to the application.

Samsung Knox 2.7 and higher

Logging

Allows performing logging and configuring the settings.

Policy Description Supported system
Save logs

Set to enable the save logs feature.

Enable — Set to perform logging. This is the default value.

Disable — Cannot record device logs.

If this policy is not specified, the Knox Manage performs logging with the DEBUG level.

Samsung Knox 1.0 and higher, Android 1 and higher
> Log level

Select a log level.

  • DEBUG — Logs detailed device information for the developers.
  • INFO — Logs device information for the administrators.
  • WARNING — Logs information that are not errors, but the ones that require special attention for the administrators.
  • ERROR — Logs error information.
  • FATAL — Logs critical error information, such as system interruption.
Samsung Knox 1.0 and higher, Android 1 and higher
> Maximum log size (MB)

Enter value for the maximum log size.

The value can be between 1 - 20 MB.

Samsung Knox 1.0 and higher, Android 1 and higher
> Maximum days for storage (day)

Enter value for the maximum days for log storage.

The value can be between 1–30 MB.

Samsung Knox 1.0 and higher, Android 1 and higher

DeX

Allows the use of DeX mode, an interface to use a mobile device like a desktop.

Samsung DeX is an accessory that extends the functionality of a mobile device. By connecting a monitor, keyboard, and mouse to a DeX docking station, the mobile device can function as a desktop computer.

In Knox Manage, you can allow the use of DeX mode and control applications according to the Application execution blocklist setting.

Policy Description Supported system
DeX mode

Allows the use of DeX mode.

  • Disallow — The DeX station does not function even if a mobile device is mounted on it.
Samsung Knox 3.0 and higher
Ethernet only Allows ethernet only for DeX. Mobile data, Wi-Fi, and tethering are blocked. Samsung Knox 3.0 and higher
Application execution blocklist(Android) Use the blocklist for running DeX applications. Samsung Knox 3.0 and higher
> Application execution blocklist

Prohibits launching the specified applications.

  • To add an application, click Add, and then select applications in the Select Application window.
  • To delete an application, click delete next to the added application.

  • Any applications that already have been added to the Application allowlist cannot be added to the Application blocklist.
  • When this policy is enabled and applied, the icons of the blocked applications disappear so that users cannot launch them. However, the applications are not deleted. The icons reappear once the policy is changed or Knox Manage is disabled.

Wi-Fi

Configures the Wi-Fi settings, such as SSID, security type, and proxy.

Click add to add a configuration.

You can add or edit up to 50 configurations when you save the profile.

Policy Description
Configuration ID Assign a unique ID for each Wi-Fi setting.
Description Enter a description for each Wi-Fi setting.
Network Name (SSID)

Enter an identifier of a wireless router to connect to.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

Remove available Allows users to delete the Wi-Fi settings.
Security type Specifies the access protocol used and whether certificates are required.
> WEP Set a WEP KEY from WEP KEY 1 to 4.
> WPA/WPA2-PSK Enter a password.
> 802.1xEAP

Configure the following items:

  • EAP Method — Select an authentication protocol from among PEAP, TLS, and TTLS.
  • 2-step authentication — Select one from PAP, MSCHAP, MSCHAPV2, or GTC as a secondary authentication method. This is available when EAP Method is set to TTLS or TLS.
  • User information input method — Select an input method for entering user information.
  • Manual Input — Enter the user ID and Password for the Wi-Fi connection. You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.
  • Connector interworking — Choose a connector from the User Information Connector.
  • User Information — Use the user information registered in Knox Manage to access Wi-Fi.
  • User certificate input method — Select a user certificate confirmation method.
  • EMM Management Certificate — Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.

    Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.

  • Connector interworking — Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Connect to AD/LDAP. When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.
  • Issuing external CA — Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Add external certificates.
  • CA certificate — Select a root certificate. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as Wi-Fi and the Type set as Root are included on the list.
Proxy configuration Select a proxy server configuration method. You can use the server to route through the proxy server when the device is connected to Wi-Fi.
> Manual

Configure the proxy server manually.

  • Proxy host name — Enter the host name of the IP address of the proxy server
  • Proxy port — Enter the port number used by the proxy server
  • Proxy exception — Enter the IP address or domain address that cannot be accessed through the proxy server.
  • Server authentication — If server authentication is required to use the proxy server, check this box.
  • User name — Enter the username for the proxy server.
  • Password — Enter the password for the proxy server.
> Proxy automatic configuration

Configure the proxy server automatically.

You should enter a PAC web address in the PAC web address field, the URL of the PAC file that automatically determines which proxy server to use.

Exchange

Configures the settings of Microsoft Exchange ActiveSync accounts to synchronize data with it.

You can add more Exchange policy sets by clicking add.

Policy Description
Configuration ID Assign a unique ID for each exchange setting.
Description Enter a description for each exchange setting.
Remove available Allows users to delete the exchange settings.
Office 365 Allows to configure the Exchange settings by automatically filling out the Exchange server address and the SSL option as Use.
User information input method Select an input method for entering user information.
> Manual Input

Select to manually enter the email address, account ID, and password of a user.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

> Connector interworking

Select to choose a connector from the User Information Connector list.

All the connectors are listed in Advanced > System Integration > Directory Connector.

> User Information Select to access the exchange server using the registered Knox Manage email and ID. The password must be entered from the user's device.
Domain

Enter a domain address for the exchange server.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

Exchange server address

Enter the exchange server information such as IP address, host name or URL.

If Office365 is selected, outlook.office365.com is automatically entered.

Sync measure for the early data Select the interval period to sync the past emails. The sync interval and synchronization are in accordance with the email application settings.
User certificate input method Select an input method for entering certificate information.
> EMM Management Certificate

Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.

Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.

  • User Certificate — Select a certificate to use from the User Certificate list.

> Connector interworking

Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration (Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Connect to AD/LDAP.

When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.

  • User certificate Connector — Select a connector to use from the User certificate Connector list.
> Issuing external CA

Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Add external certificates.

  • Issuing external CA — Select an external CA to use from the Issuing external CA list.
Sync calendar Syncs schedules on a calendar from an Exchange server or a mail server to a device.
Sync contacts Syncs contact information in a phone book from a server to a device.
Sync task Syncs tasks items from a server to a device.
Sync notes Syncs notes from a server to a device.
SSL

Set to use SSL for email encryption.

If Office365 is selected, the SSL option is automatically set to Use.

Signature Enter the email signature to use.
Notification Notifies the user of new emails.
Always vibrate on notification Notifies the user of new emails with a vibration.
Silent notification

Mutes email notifications.

Always vibrate on notification and Silent notification cannot be used at the same time.

Attachment capacity (byte)

Enter the email attachment file size limit in bytes.

The input value ranges from 1 to 52428800 (50MB).

Maximum Size of Email Body (Kbyte) Select a maximum value for the email body size. This value is only set once during the initial Exchange ActiveSync setup.
> Default Size of Email Body (Kbyte) Select the default value for the email body size. This value is only set once during the initial Exchange ActiveSync setup.

Email Account

Configures the settings of a POP or IMAP email account.

Click add to add a configuration.

You can add or edit up to 50 configurations when you save the profile.

Policy Description
Configuration ID Assign a unique ID for each email account setting.
Description Enter a description for each email account setting.
Remove available Allows users to delete the email account settings.
Default Account Specifies to use the default account.
User information Input Method Select an input method for entering user information.
> Manual Input

Select to manually enter the email address, server ID and password of a user.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

> Connector interworking

Select a connector from the user information connector list.

The connectors are listed in Advanced > System Integration > Directory Connector.

> User information

Select to access the relevant mail server using the registered Knox Manage email, ID, and password.

You must enter the password from the user's device.

Incoming Server Protocol Select between the POP3 (pop3) and IMAP (imap) protocol.
Outgoing Server Protocol Entered automatically as SMTP.
Incoming Server Address/port Enter the Incoming Server address/port in a provided format.
Outgoing Server Address/port Enter the outgoing server address/port and port in a provided format.
Incoming Server ID

Enter an incoming server ID to sign in to the incoming mail server manually.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

This protocol is only available when Manual Input is selected.

Outgoing Server ID

Enter an outgoing server ID to manually sign in to the outgoing mail server.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

This protocol is only available when Manual Input is selected.

Incoming Server Password

Enter an incoming server password to manually sign in to the incoming mail server.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

This protocol is only available when Manual Input is selected.

Outgoing Server Password

Enter an outgoing server password to manually sign in to the outgoing mail server

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

This protocol is only available when Manual Input is selected.

Incoming SSL Select to use SSL for encryption.
Outgoing SSL Select to use SSL for encryption.
Notification

Select an email notification method.

  • Enable Notification — Activates email notification.
  • Enable 'Always notify by vibrate mode' — Notifies the user of new emails with a vibration.
  • Disable Notification — Deactivates email notification.
All incoming certificates Allows receiving certificates.
All outgoing certificates Allows sending certificates.
Signature Enter an email signature to use.
Account Name Assign an account name.
Sender Name Assign a sender name.

Bookmark

Configures the bookmark settings, such as the configuration ID and installation area.

You can add, modify, or delete the bookmarks in the Samsung S browser, the default browser on Samsung Galaxy devices. Click add to add a configuration.

You can add or edit up to 100 configurations when you save the profile.

  • Browsers must be closed and opened again to apply the changes.
  • Even if a user modifies a registered bookmark or registers a bookmark with the same URL and name, it is not deleted when the bookmark setting is deleted.
  • Even if a user manually deletes the set bookmark, due to the limitations of Samsung devices, the application may still appear to be installed. In this case, you have to delete the bookmark in the profile, and then recreate the bookmark.
  • The auto-installation of Bookmark settings is supported on devices running Android 6 Marshmallow or Android 7 Nougat, and only when BookMark is chosen in the Installation area.
Policy Description
Configuration ID Assign a unique ID for each bookmark setting.
Description Enter a description for each bookmark setting.
Installation area

Specifies a location to install the bookmark.

  • BookMark — Saves a bookmark in the S browser.
  • Shortcut — Creates a shortcut for the bookmarked address on the home screen of the device. Shortcut icons are created based on the Samsung Launcher.

If a Shortcut was selected, auto installation is not supported.

Shortcut icons may not be able to be created depending on the type of launcher set by the user. An administrator cannot delete the shortcut icon, but the user can delete it manually.

Bookmark page URL Enter a website address to go to when a bookmark is selected.
Bookmark name Enter the bookmark name to be displayed as a title in the bookmark.

APN

Configures the APN (Access Point Name) settings.

Click add to add a configuration.

You can add or edit up to 20 configurations when you save the profile.

Policy Description
Configuration ID Enter an APN name to be displayed on the device.
Description Enter a description for an APN.
Remove available Allows users to delete APN settings. If you choose Disallow, then the button used to delete APN settings is disabled.
Access Point Name (APN) Enter the name of the access point.
Access Point Type

Select the type of the access point.

  • Default — default type.
  • MMS — Multimedia Messaging Service.
  • Supl — IP-based protocol to receive GPS satellite signals.
Mobile Country Code (MCC) Enter the country code for the APN.
Mobile Network Code (MNC) Enter the carrier network code for the APN.
MMS Server (MMSC)

Enter the server information for sending multimedia messages.

  • MMS Proxy Server — Enter the information of the proxy server for sending multimedia messages.
  • MMS Proxy Server Port — Enter the port number of the proxy server for sending multimedia messages.
Server Enter the WAP gateway server name.
Proxy Server Enter the information of the proxy server.
Proxy Server Port Enter the port number of the proxy server.
Access Point User Name

Enter the user name of the access point.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

Access Point Password

Enter the password of the access point.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

Authentication Method

Select an authentication method.

  • None — Disables authentication.
  • PAP — Requires a user name and password for authentication.
  • CHAP — Uses encryption with a Challenge string for authentication.
  • PAP or CHAP — Uses the PAP or CHAP authentication method.
Set as Preferred APN Applies APN settings to the device.

Knox VPN

Configures a VPN (Virtual Private Network) on Samsung Galaxy devices.

Knox VPN settings are provided to help you set up a VPN on a Samsung Galaxy device more easily. Click add to add a configuration.

You can add or edit up to 20 configurations when you save the profile.

When Knox Workspace is used on an Android Legacy device, only one Knox VPN can be set on a device regardless of the Knox Workspace area or general area. If the Knox VPN vendor is Cisco, then it can be installed in both areas. To use a Knox VPN on both areas, you need to install the vendor’s VPN Client application in each area.

Policy Description
Configuration ID Assign a unique ID for the Knox VPN setting.
VPN name Enter a VPN name to display on the user device.
Description Enter a description for the Knox VPN setting.
Remove available Allows users to delete the Knox VPN settings.
VPN vendor name

Select a VPN vendor from between Cisco and User defined. Input fields vary depending on the selected VPN vendor name.

Select User defined to set up a different vendor's VPN service, such as the Sectra mobile VPN.

VPN client vendor package name Entered automatically according to the selected VPN vendor name. If User defined is selected, you must manually enter this protocol.
VPN type Select a protocol.
Entering methods for Knox VPN

Select an entering method for Knox VPN information.

Input fields vary depending on the selected VPN vendor and the entering method.

Upload Knox VPN profile

Allows uploading a Knox VPN profile when you set Entering methods for Knox VPN to Upload profile.

You can upload a text file in the JSON format. JSON varies depending on the VPN vendor and VPN type.

For more information about sample files, see the sample file of a Sectra Mobile VPN configuration in Entering a VPN vendor manually and see the sample file of Cisco VPN configuration in Sample file for uploading a Knox VPN profile.

User certificate input method

Select an input method for entering certificate information.

  • EMM Management Certificate — Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.

    Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.

  • Connector interworking — Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Connect to AD/LDAP.
  • When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.
  • Issuing external CA — Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Add external certificates.
CA Certificate Select a certificate to use from the CA certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as Knox VPN and the Type set as Root shows on the list.
Server certificate Select a certificate to use from the certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose has been set as Knox VPN and the Type set as User shows on the list.
FIPS mode

Allows the use of FIPS mode.

FIPS (US Federal Information Processing Standards) encrypts all data with FIPS-140-2 authentication modules between the server and client.

Auto Re-connection Allows connecting automatically when an error occurs.
VPN route type by application

Select to use a VPN for selected applications or for all applications in the General area.

  • By Application — Click Add next to The VPN applied package name per app and select applications, and then click Save.
  • All packages of general area — All applications in the General area are subject to a VPN.

Entering a VPN vendor manually

To use a VPN provided by a vendor other than Cisco, select User defined in the VPN vendor name field. Then upload a text profile in the JSON format. You must install the VPN Client on the device before using a VPN.

For example, when a Sectra VPN is used, set the options as follows:

  1. Enter com.sectra.mobilevpn in the VPN client vendor package name field.
  2. Set VPN type to SSL.
  3. Click Add next to Upload Knox VPN profile and upload a configuration file with the Sectra Mobile VPN configuration parameters set.
    • Upload a file in the JSON format to fully integrate the Sectra Mobile VPN on the Knox Manage console.
    • Set the parameters as shown in the example below.
Parameter Description Example
profileName The name of the VPN configuration profile that is listed on the Knox Manage application and the VPN client GUI. Sectra Mobile VPN
servers A list of 1–6 VPN servers with IP addresses and a network port. This list is in an order of priority, with the default VPN server being the first on the list. The remaining VPN servers are used only if the default server is damaged.
[
    {"address":"1.1.1.1","port":443},
    {"address":"2.2.2.2", "port":444},
    {"address":"3.3.3.3", "port":445}
]
pkcx12BaseUrl A download server's HTTP/S URL, where the encrypted key materials are downloaded to. http://download.server.com/certs/
mtuSize

The MTU (Magnetic Tape Unit) is a size used on Knox Manage's virtual network interface. It is the maximum size for the outgoing UDP (User Datagram Protocol) tunnel packets before being fragmented

The value must be between 576–1500 bytes.

1300
UseDtle

Determines whether a DTLS tunnel is used. A DTLS tunnel should be used if sensitive data is being transmitted in real-time.

For example, when streaming video and/or using VoIP calls.

The value must be either True or False. If unsure, set to True.

True
diffServe

Tunnel packets' Quality of Service (QoS) tag sent from a client. Differentiated service is part of an IP header.

The value must be between 0–63. 0 means disabled.

0
tcpKeepAlive

Timer value for the interval of a KeepAlive packet sent from a TCP tunnel.

The value must be between 1–18000.

  • Sectra recommends to set this value as 1200 seconds since is compatible with most mobile networks.

The timer value is an important parameter and you must exercise caution when selecting it.

1200
dtlsInactivityTimeout

The timer value for the standby period of a DTLS tunnel that determines how long it idles without receiving any data before it goes inactive.

The value must be between 1–300 seconds.

Sectra does not recommend setting this value to 300 seconds.

30
trafficProfiles 1–3 traffic profiles the users can choose, for when a normal configuration is not sufficient. Traffic profiles can change the following configuration parameters: mtuSize, useDtls, diffServ, tcpKeepAlive and/or dtlsInactivityTimeout. The traffic profile also requires the name of the profile which is shown in the client GUI.
[
    {"profileName":"BadNetworkProfile","mtuSize":800, "tcpKeepAlive":600},
    {"profileName":"RealTimeProfile","mtuSize":1500, "useDtls":"true", "diffServ":63}
]

Sample file for uploading a Knox VPN profile

The following is a sample file of a Sectra Mobile VPN configuration:

    {
        "KNOX_VPN_PARAMETERS": {
            "profile_attribute": {
                "profileName":"Sectra Mobile VPN",
                "vpn_type":"ssl",
                "vpn_route_type":1
            },
            "knox": {
                "connectionType":"keepon"
            },
            "vendor": {
                "connection": {
                    "servers": [
                        {
                            "address":"1.1.1.1",
                            "port":443
                        },
                        {
                            "address":"2.2.2.2",
                            "port":444
                        },
                        {
                            "address":"3.3.3.3",
                            "port":555
                        }
                    ],
                    "ssl": {
                        "basic": {
                            "pkcs12BaseUrl":"http://download.server.com/certs/",
                            "mtuSize":1300,
                            "useDtls":true,
                            "diffServ":0,
                            "tcpKeepalive":1200,
                            "dtlsInactivityTimeout":30
                        }
                    }
                },
                "trafficProfiles": [
                    {
                        "profileName": "BadNetworkProfile",
                        "mtuSize":800,"tcpKeepAlive":600
                    },
                    {
                        "profileName":"RealTimeProfile",
                        "mtuSize":1500,
                        "useDtls":"true",
                        "diffServ":63
                    }
                ]
            }
        }
    }

Configuring a Knox VPN profile manually

You can manually enter a profile only when the VPN vendor is Cisco. Select Manual Input in the Entering method for Knox VPN field. Then set the options as follows:

  1. Enter the IP address, host name, or URL of the VPN server in the Server address.
    • The VPN route type, which enables the use of VPN tunneling, is automatically entered.
  2. Select to use user authentication.
  3. Select a VPN connection type.
    • Keep On — Keep the VPN connection acitve.
    • On Demand 0151Connect to the VPN upon request.
  4. Select the chaining type.
  5. Select to use the UID PID.

Sample file for uploading a Knox VPN profile

The following is a sample file with Cisco as the VPN vendor and IPSec as the VPN type:

    {
        "KNOX_VPN_PARAMETERS": {
            "profile_attribute": {
                "profileName":"c1",
                "host":"12.3.456.78",
                "isUserAuthEnabled":true,
                "vpn_type":"ipsec",
                "vpn_route_type":1
            },
            "ipsec": {
                "basic": {
                    "username":"",
                    "password":"",
                    "authentication_type":1,
                    "psk":"",
                    "ikeVersion":1,
                    "dhGroup":0,
                    "p1Mode":2,
                    "identity_type":0,
                    "identity":"test@sta.com",
                    "splitTunnelType":0,
                    "forwardRoutes": [
                        {"route":""}
                    ]
                },
                "advanced": {
                    "mobikeEnabled":false,
                    "pfs":true,
                    "ike_lifetime":"10",
                    "ipsec_lifetime":"25",
                    "deadPeerDetect":true
                },
                "algorithms": {
                }
            },
            "knox": {
                "connectionType":"keepon",
                "chaining_enabled":"-1",
                "uidpid_search_enabled":"0"
            },
            "vendor": {
                "setCertCommonName":"space",
                "SetCertHash":"pluto",
                "certAuthMode":"Automatic"
            }
        }
    }

The following is a sample file with Cisco, as the VPN vendor, and SSL, as the VPN type:

    {
        "KNOX_VPN_PARAMETERS": {
            "profile_attribute": {
                "profileName":"c3",
                "host":"cisco-asa.gnawks.com",
                "isUserAuthEnabled":true,
                "vpn_type":"ssl",
                "vpn_route_type":1
            },
            "ssl": {
                "basic": {
                    "username":"demo",
                    "password":"samsung",
                    "authentication_type":1,
                    "splitTunnelType":0,
                    "forwardRoutes": [{
                        "route":""
                    }]},
                    "algorithms": {
                        "ssl_algorithm":0
                    }
            },
            "knox": {
                "connectionType":"keepon",
                "chaining_enabled":"-1",
                "uidpid_search_enabled":"0"
            },
            "vendor": {
            "setCertCommonName":"space",
            "SetCertHash":"pluto",
            "certAuthMode":"Automatic"
            }
        }
    }

VPN

Configures a VPN (Virtual Private Network) on Android devices.

You can configure the VPN settings to connect to a private network through a public network. Click add to add a configuration.

You can add or edit up to 20 configurations when you save the profile.

Policy Description
Configuration ID Assign a unique ID for the VPN setting.
VPN Name Enter a VPN name to display on the user device.
Description Enter a description for the VPN setting.
Remove available Allows users to delete the VPN settings.
Connection type

Select a connection type and enter the parameters. Required parameters vary depending on the selected connection type.

  • PPTP — Set if PPP should be encrypted (MPPE).
  • L2TP/IPSec PSK — Enter parameters in the L2TP Secret Key, IPSec Identifier, and IPSec Pre-shared Key fields.
  • L2TP/IPSec RSA, IPSec Xauth RSA, IPSec Hybrid RSA — Select a root certificate from IPSec CA Certificates. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as VPN and the Type set as Root are included on the list.
  • IPSec Xauth PSK — Enter parameters in the IPSec Identifier and IPSec Pre-shared Key fields.
Server address Enter the IP address, host name, or URL of the VPN server that the device needs to access.
User information input method

Select an input method for entering user information.

  • Manual Input — Enter the user ID and Password for the VPN connection. You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.
  • Connector interworking — Choose a connector from the User information Connector. All the connectors are listed in Advanced > System Integration > Directory Connector.
  • User Information — Use the user information registered in Knox Manage to access the VPN.
PPP Encryption (MPPE) Allows to encrypt data for the VPN connection.
DNS search domain Enter the DNS name.
DNS server Enter the DNS server address.
Forwarding route This is automatically entered when Subnet Bits is selected.
Subnet Bits The value can be set as none or select from /1 to /30.

Certificate

Allows using new certificate authority (CA) certificates and configuring the certificate settings.

You can install a user certificate on a device and use the certificate through Wi-Fi or on websites. Click add to add a configuration.

You can add or edit up to 20 configurations when you save the profile.

Policy Description
Configuration Assign a unique ID for each certificate setting.
Description Enter a description for each certificate setting.
User certificate input method

Select an input method for entering certificate information.

  • EMM Management Certificate — Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.

    Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.

  • Connector interworking — Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Add external certificates.

    When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.

  • Issuing external CA — Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Add external certificates.
Certification category

Select a certification category when EMM Management Certificate is selected in User certificate input method,

  • CA certificate — Select a certificate to use from the CA certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as Root are included on the list.
  • User certificate — Select a certificate to use from the User Certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose has been set as CA Cert and the Type set as User are included on the list.

Is this page helpful?