Android Legacy policies

Last updated April 3rd, 2024

With 23.03, Knox Manage no longer supports the Android Legacy (also known as Device Admin) platform. The Knox Manage team strongly recommends that you migrate to the Android Enterprise platform.

This section describes the policies you can configure for Android Legacy devices.

The availability of each policy varies depending on the OS version.

System

Provides backup and restore settings, developer options, and other features. Updates the operating system on a device.

Policy Description Supported system
Factory reset

Allows a device factory reset.

  • Disallow — Factory reset using the hardware button is prevented. However, factory reset using the firmware update utility cannot be prevented.
Samsung Knox 1.0 and higher
Power off

Allows you to shut down and power off the device.

  • Disallow — The power off option menu does not appear even with the use of a power button. However, powering off by separating the battery cannot be prevented. Factory reset is prohibited if this policy is disallowed.
Samsung Knox 1.0 and higher
Backup

Allows backup of the device data.

If you can find the backup function on your device at Google > Backup, it may seem as if you can turn the backup setting on or off, even if this policy is set to Disallow. However, note that when the Backup policy is set to Disallow, the device's backup functionality is limited regardless of the UI shown on the device.

Samsung Knox 1.0 and higher
OTA upgrade Allows an OTA upgrade for the device. Samsung Knox 1.0 and higher
Settings Allows the configuration of the System Settings. Samsung Knox 1.0 and higher
System app close Allows force closing system applications. Samsung Knox 1.0 and higher
App crash report to Google Allows reporting the application error occurrence information to Google. Samsung Knox 1.0 and higher
Multiple users Allows multiple users. Samsung Knox 1.0 and higher
Expand status bar Allows the expansion of the status bar. Samsung Knox 1.0 and higher
Wallpaper Change Allows changing the home and the lock screens. Samsung Knox 1.0 and higher
Automatic Date and Time Allows changing the date and time. Samsung Knox 1.0 and higher
Camera

Allows using the camera.

If the camera in the general area is restricted, the camera in the Knox Workspace is also restricted.

Samsung Knox 1.0 and higher, Android 4 and higher
> Face recognition camera Allows use of the camera for face unlock even when the camera is disabled in the Camera policy. This policy is available when Camera is set to Disallow all. Samsung Knox 3.2.1 and higher
Screen capture Allows use of the default screen capture function. Samsung Knox 1.0 and higher
Clipboard

Allows the clipboard feature throughout the entire system.

  • Allow within the same app — Allows using the clipboard feature only within the same application.
Samsung Knox 1.0 and higher
Share via apps Allows the share app function. Samsung Knox 1.0 and higher
S Beam Allows using Android Beam which transfers data using NFC. Samsung Knox 1.0 and higher
Encryption for storage Specifies the encryption of the device's system storage or the external SD card. Samsung Knox 1.0 and higher, Android 1 and higher
> Storage encryption

Check the check box to select the storage to be encrypted.

External SD card encryption is applicable to Samsung Galaxy devices only.

External SD Card Allows using the external SD card. Samsung Knox 1.0 and higher
> Write to external SD card

Allows writing to an external SD card.

If the external SD card policy is allowed but the Write to external SD card policy is not, then external SD cards can only be read and do not have reset control.

Samsung Knox 1.0 and higher
Unauthorized SD Card Allows using unauthorized SD cards. Android 1 (SDK1 and higher)
If compromised OS is detected

Select the control function to be triggered if device OS tampering is detected.

  • Lock device — Locks the device.

Android 10 and higher devices are not supported.

  • Lock Email — Locks email use.
  • Factory reset + Initialize SD card — Simultaneously factory resets the user device and the SD card.
  • Factory reset (only) — Resets the user device but not the SD card.

The Factory reset (only) function is unsupported in Android 2 and lower. To reset the device, select the Factory reset + Initialize SD card option.

Samsung Knox 1.0 and higher
Smart Select Allows using Smart Select, which is one of the Samsung device features. It allows users to clip content by drawing a circle with the S pen. Clipped content can be used in notes or anywhere else. Samsung Knox 2.2 and higher
Device Administrators to install and activate apps

Specifies to run or install EMM applications other than the Knox Manage application.

  • Allow — Allows installing or enabling EMM applications.
  • Disallow installation — Disallows installing EMM applications.
  • Disallow activation — Disallows enabling EMM applications.

You cannot control this policy if another EMM application was active before the policy was set.

Samsung Knox 2.0 and higher
> Exceptional app allowlist

Allows installing or activating select EMM applications by adding them to the allowlist. This policy is available only when the Device Administrator to Install and Activate apps policy is set to Disallow installation or Disallow activation.

  • To add an application, click Add, and then select applications in the Select Application window.
  • To delete an application, click delete next to the added application.
  • Disallow installation — Only the allowed applications can be installed.
  • Disallow activation — Only the allowed applications can be activated.
Samsung Knox 2.0 and higher
Developer mode Allows using the developer mode. Samsung Knox 2.0 and higher
> Background process limitation

Allows setting the default number of background processes.

If this policy is disabled, the number of background processes is set to the maximum number.

Samsung Knox 1.0 and higher
> Quit application upon killing activities

Enables closing all running applications when the user signs out of the device.

If this policy is disabled, the activation setting is disabled on the device and the user cannot control the device settings.

Samsung Knox 1.0 and higher
> Mock location

Allows using the mock location, which specifies an arbitrary location for development or test purposes.

Use this policy if location information from the Update Device Information of the Send Device Command seems incorrect.

Samsung Knox 1.0 and higher
Safe mode Allows using Safe Mode. This policy retains device control functions such as camera control, but not Knox Manage applications and preloaded applications. Samsung Knox 1.0 and higher
Reboot banner Allows using the reboot banner which appears on the user's device when the device reboots. Samsung Knox 1.0 and higher
> Reboot banners stationery

Enter the text for the reboot banner. You can enter up to 1000 bytes.

You can customize banners for Samsung Knox 2.2 and higher devices. For Samsung Knox 1.0 devices, only the message or banner registered by the manufacturer is displayed.

Samsung Knox 2.2 and higher
Domain Blocklist Settings Allows using the domain blocklist. Samsung Knox 1.0 and higher
> Domain Blocklist

Enter a domain blocklist that should not be used when registering an Exchange or email account.

  • To add a domain, enter the domain name in the field, and click Add.
  • To delete a domain, click delete next to the added domain name.
Network Time Protocol Settings Allows using the Network Time Protocol (NTP). Register this server to sync the server time to a device. Samsung Knox 2.5 and higher
> Server address Enter the NTP server address. Samsung Knox 2.5 and higher
> Maximum number of attempts

Set the maximum number of attempts for connecting to the NTP server to retrieve the time information.

The value can be between 1–100 times.

Samsung Knox 2.5 and higher
> Polling cycle (hr)

Set the cycle to reconnect to the server using NTP.

The value can be between 1–8760 hours (8760 = 1 year).

Samsung Knox 2.5 and higher
> Short polling cycle (sec)

Set the cycle to re-connect to the NTP server after experiencing a timeout.

The value can be between 1–1000 seconds.

Samsung Knox 2.5 and higher
> Timeout (sec)

Set the connection timeout on the NTP server.

The value can be between 1–1000 seconds.

Samsung Knox 2.5 and higher
Notifications when an Event is Set to On.

Sets the device to display notifications when a device control event is applied.

  • User Defined — Users can set event notifications on the device from the Settings menu of Knox Manage agent.
  • Show notification — Displays the notification when an event for device control is applied.
  • Hide notifications — Hides the notification when an event for device control is applied.

Samsung Knox 1.0 and higher, Android 1 and higher
Notifications when an Event is Set to Off.

Sets the device to display the notifications when an event for device control is disengaged.

  • User Defined — Users can set event notifications on the device from the Settings menu of Knox Manage agent.
  • Show notification — Displays a notification when an event for device control is disengaged.
  • Hide notifications — Hides a notification when an event for device control is disengaged.
Samsung Knox 1.0 and higher, Android 1 and higher
Fix Event Notification

Set the removal of the notification from the device Quick panel.

  • User Defined — Users can remove notifications on the device from the Settings menu of Knox Manage agent.
  • Disallow to Remove Notification — Users cannot remove notifications on the device Quick Panel.
  • Allow to Remove Notification — Users can remove notifications on the device Quick Panel.
Samsung Knox 1.0 and higher, Android 1 and higher
Power Saving Mode Control Allows power saving control on the device. Samsung Knox 2.8 and higher
Firmware download mode control

Allows using the hardware key on the device to update firmware.

  • Disallow — Disallows updating firmware with the hardware key and performing a factory reset.
Samsung Knox 2.0 and higher
Samsung Keyboard settings control Allows accessing the settings key from the Samsung keyboard. Samsung Knox 2.0 and higher
Data Saver Mode Allows the device to use the data saver mode automatically. Samsung Knox 3.0 and higher

Connectivity

Controls the network settings, such as Bluetooth, Wi-Fi Direct, and tethering.

Policy Description Supported system
Wi-Fi

Allows using Wi-Fi. If the Wi-Fi policy is not applied successfully, the device tries to apply it again 30 minutes later after Knox Manage is activated.

  • Allow — Allows using Wi-Fi.
  • Disable On — Disallows turning on Wi-Fi. It is turned off at all times.
  • Disable Off — Disallows turning off Wi-Fi. It is turned on at all times.
Samsung Knox 1.0 and higher, Android 1 and higher
> Wi-Fi Direct

Allows use of the Wi-Fi Direct (Wi-Fi P2P) connection.

  • Set the Wi-Fi policy to Allow or Disable Off before using this policy.
  • Depending on the device type, the direct connection of the two devices may cause the function or the menu to get controlled.

Samsung Knox 1.0 and higher
Wi-Fi hotspot Allows use of the Wi-Fi hotspot. Samsung Knox 1.0 and higher, Android 2.3 and higher
Wi-Fi SSID allowlist setting

Allows using the Wi-Fi SSID allowlist. Devices can only connect to the Wi-Fi APs on the allowlist.

For non-Samsung devices with Android 8 or a higher version, this policy can only be applied when the device user agrees to grant access to location information.

Samsung Knox 1.0 and higher, Android 1 and higher
> Wi-Fi SSID allowlist

Add Wi-Fi APs to the allowlist. This policy is irrelevant to adding or deleting the Wi-Fi setting profile.

  • To add a Wi-Fi AP, enter a Wi-Fi SSID and click Add.
  • To add all Wi-Fi APs, click Add all to access the Wi-Fi list.
  • To delete a Wi-Fi AP, select a Wi-Fi SSID and click delete.

Android 1 (SDK1) and higher

Samsung Knox 1.0 and higher

Wi-Fi SSID Blocklist Setting

Allows using the Wi-Fi SSID blocklist. Devices cannot connect to Wi-Fi APs on the blocklist.

For non-Samsung devices with Android 8 or a higher version, this policy can only be applied when the device user agrees to grant access to location information.

> Wi-Fi SSID Blocklist

Add Wi-Fi APs to the blocklist. This policy is irrelevant to adding or deleting the Wi-Fi setting profile.

  • To add a Wi-Fi AP, enter a Wi-Fi SSID and click Add.
  • To add all Wi-Fi APs, click Add all to access the Wi-Fi list.
  • To delete a Wi-Fi AP, select a Wi-Fi SSID and click delete.
Samsung Knox 1.0 and higher, Android 1 and higher
Wi-Fi auto connection Allows automatic connection to Wi-Fi SSID already stored in the device. Samsung Knox 1.0 and higher
Wi-Fi minimum security level setting

Set a minimum security level for Wi-Fi.

The security level increases in the following ascending order: OPEN < WEP < WPA < LEAP, PWD < FAST, PEAP < TLS, TTLS, SIM, AKA, AKA'

Samsung Knox 1.0 and higher
Wi-Fi Proxy Setting

Block a device's Wi-Fi proxy information from showing on the device. When this policy is set, device users cannot see the proxy menu under device settings > Wi-Fi.

Currently, this feature is only available for Galaxy Tab A (SM-T585) devices, running the latest firmware version.

  • N/A — No settings
  • Allow — Allow users to configure Wi-Fi proxy with the device
  • Disallow — Disallow users from configuring Wi-Fi proxy with the device.
Samsung Knox 3.0
Bluetooth

Allows using Bluetooth.

  • Allow — Allows using Bluetooth.
  • Disable On — Disallows turning on Bluetooth. It is turned off at all times.
  • Disable Off — Disallows turning off Bluetooth. It is turned on at all times.
Samsung Knox 1.0 and higher, Android 1 and higher
> Desktop PC connection Allows Desktop PC connections with the user's device using Bluetooth. Samsung Knox 1.0 and higher
> Data transfer Allows data exchanges with other devices using Bluetooth connection. Samsung Knox 1.0 and higher
> Search mode Allows device search using Bluetooth. Samsung Knox 1.0 and higher
> Bluetooth tethering Allows Bluetooth tethering to share the internet connection with another device. Samsung Knox 1.0 and higher, Android 4.2 and higher
Bluetooth UUID Block/Allowlist

Select a method to connect Bluetooth devices based on their Universal Unique Identifier (UUID).

  • Blocklist configuration — Set a device to block Bluetooth connections from certain devices.
  • Allowlist configuration — Set a device to allow Bluetooth connections to certain devices.
> Bluetooth UUID blocklist

Select devices to block Bluetooth connections with. Click the check boxes for Audio, File transfer, Phonebook, Headsets, or Hands-free.

When updating the policy, the current Bluetooth connection gets disconnected. Users must reconnect.

Samsung Knox 1.0 and higher
> Bluetooth UUID allowlist

Select devices to allow Bluetooth connections with. Click the check boxes for Audio, File transfer, Phonebook, Headsets, or Hands-free.

When updating the policy, the current Bluetooth connection gets disconnected. Users must reconnect.

Samsung Knox 1.0 and higher
NFC control

Allows NFC (Near Field Communication) control.

  • Samsung Knox 2.4 and higher is supported for Knox Workspace devices.
  • Android 10 and higher devices are not supported.
Samsung Knox 1.0 and higher
PC connection Allows connecting user's device to their computer. Samsung Knox 1.0 and higher, Android 1 and higher
USB tethering Allows USB tethering. Samsung Knox 1.0 and higher, Android 1 and higher
USB host storage (OTG)

Allows a device connection using OTG (On the Go). OTG controls only the storage items and not the non-storage items, such as a keyboard or mouse.

To use DeX when the USB host storage (OTG) policy is disallowed, enable DeX in the Set USB exception allowed list policy. Then configure the Allow DeX mode policy to Allow.

Samsung Knox 1.0 and higher
> Set USB exception allowed list Specify the use for the exception allowed list once the USB host storage (OTG) policy is disallowed. Samsung Knox 3.0 and higher
> USB exception allowed list Select the USB interface to use if the USB host storage (OTG) policy is disallowed. Samsung Knox 3.0 and higher
USB debugging Allows USB debugging. Samsung Knox 1.0 and higher
Microphone Allows use of the microphone. Samsung Knox 1.0 and higher, Android 1 and higher
> Recording Allows the use of microphone recording. Samsung Knox 1.0 and higher
> S Voice Allows the use of S Voice. Samsung Knox 1.0 and higher
GPS

Allows using GPS.

  • Allow — Allows using GPS.
  • Disable On — Disallows turning on GPS. It is turned off at all times.
  • Disable Off — Disallows turning off GPS. It is turned on at all times.

Consider the following:

  • To use this policy, the GPS type on the user device must be set as one of the three types: High accuracy, Sleep, or GPS.
  • Devices running Android 10 and higher are not supported.

Samsung Knox 1.0 and higher
Wearable equipment policy inheritance Set to use the existing Mobile policy for the Gear policy. Samsung Knox 2.6 and higher

Security

Configures the security settings, such as the password and lock screen.

Policy Description Supported system
Device Password

Set the password for the device screen lock. Use of the camera is prohibited when the device is screen locked.

Consider the following:

  • When a user has forgotten their screen lock password, an administrator needs to send the Reset screen password device command, and then the user needs to enter a temporary password. A temporary password is generated randomly according to the set Device Password policies. For more information, see the screen lock password in View details of a device.
  • For Knox Workspace devices with a One Lock password, the stronger password policy out of the Android Legacy and Knox Workspace policies is applied.

Secure Startup

Allow or disallow users from setting the Secure Startup feature on devices.

When Secure Startup is set and the user enters the wrong password 30 times, the device is factory reset even if you have restricted factory resets through a policy. To avoid this situation, set this policy to Disallow.

This condition is applicable to devices running an OS earlier than Android P.

Lock screen Set to allow or disallow the user to change Lock Screen setting. Samsung Knox 3.0 and higher
> Minimum strength

Set the minimum password strength on the screen.

The password strength increases in the following ascending order: Pattern < Numeric < Must be alphanumeric < Must include special characters.

  • Pattern — Set the password using a pattern or a password with a higher degree of complexity.
  • Numeric — Set the password using numbers or a password with a higher degree of complexity.
  • Alphanumeric — Set the password using alphanumeric characters or a password with a higher degree of complexity.
  • Complex — Set it so that the passwords must include alphanumeric and special characters.
Samsung Knox 2.0 and higher, Android 2.2 and higher
>> Maximum Failed Login Attempts

Set the maximum number of incorrect password attempts before access is restricted.

The value can be between 1 - 10 times.

You can set this value only when type of password is set to Numeric, Alphanumeric, or Complex.

Samsung Knox 2.0 and higher, Android 2.2 and higher
>>> If maximum failed login attempts exceeded

Select the action to be performed when the maximum number of failed attempts is reached.

Knox Workspace devices support Samsung Knox 1.0 and higher.

  • Lock device — Locks the device.

Android 10 and higher devices are not supported.

  • Factory reset + Initialize SD card — Simultaneously resets the user device and the SD card.
  • Factory reset — Resets the user device but not the SD card.
Samsung Knox 2.0 and higher, Android 2.2 and higher
>> Minimum length

Set the minimum length of the password.

The value can be between 4 - 16 characters.

Minimum length of the pattern password refers to the number of lines connecting each dot. For example, if the policy value is 4, at least four lines connecting five dots must be entered.

Samsung Knox 2.0 and higher, Android 2.2 and higher
>> Expiration after (days)

Set the maximum number of days before the password must be reset.

The value can be between 0 - 365 days.

Samsung Knox 2.0 and higher is supported for Knox Workspace devices.

Samsung Knox 1.0 and higher, Android 3 and higher
>> Manage password history (times)

Set the minimum number of new passwords that the user must use before they can reuse the previous password.

The value can be between 0 - 10 times.

If the password is Knox123! and the minimum value is set to 10, the user must use ten other passwords before reusing Knox123! as password.

Samsung Knox 1.0 and higher, Android 3 and higher
>> Screen Lock Timeout (min)

Set the duration for locking the device when the user has not set up a password for the screen lock.

The value can be between 0 - 60 minutes.

Samsung Knox 1.0 and higher
>> Maximum length of sequential numbers

Set the maximum number of consecutive numeric characters allowed in a password.

The value can be between 1 - 10 words.

Samsung Knox 1.0 and higher
>> Maximum length of sequential characters

Set the number of consecutive letters allowed in a password.

The value can be between 1 - 10 words.

Samsung Knox 1.0 and higher
>> Block function setting on lock screen

Allows blocking functions on the lock screen.

Consider the following:

  • The visibility of the notifications on the lock screen depends on the options you set in the application.
  • Samsung Knox 2.4 - 2.9 is supported for Knox Workspace devices.

Android 5 and higher
>>> Block functions on lock screen

Select the function to be blocked on the lock screen when a password policy is set on a device.

  • All — Blocks all functions on the lock screen.
  • Camera — Blocks direct camera control on lock screen.
  • Trust Agent — Blocks the Smart Lock function which automatically unlocks the screen in certain conditions, such as during a certain physical activity, at a specific location, or when devices are added.
  • Fingerprint — Blocks the fingerprint unlock function.
  • Previews in pop-ups — Displays notifications on the lock screen but hides private content set in the application.
  • Notifications — All notifications are hidden using the lock screen.

You can only implement this policy when the password level is set to pattern and higher.

> Maximum screen timeout Set the maximum time limit that a user can linger before screen timeout. Samsung Knox 2.0 and higher, Android 2.2 and higher
Connection attempt between server and device Allows Knox Manage to retry connecting according to the value that you specified when the device is disconnected from Knox Manage. If not specified, communication is reattempted twice every 15 minutes.
> Communication retry count

Set a retry count when a device is disconnected from Knox Manage and Knox Manage retries connecting to the device in 1 minute intervals.

If the device is disconnected continuously despite retrying on the specified count, Knox Manage retries connections according to the Communication retry interval (min) below.

The value can be between 1 - 60 times.

Android 1 (SDK 1) and higher
> Communication retry interval (min)

Set a retry interval for when a device is disconnected from Knox Manage. If Knox Manage receives the event that the device is available, the server tries to reconnect immediately despite the waiting time.

The value can be between 1 - 60 minutes.

Android 1 (SDK 1) and higher
Smartcard Browser Authentication

Allows Smartcard Browser Authentication within the internet browser.

When the policy is allowed, the Bluetooth security mode is applied while the device is connected to the smart card reader and the device does not accept other Bluetooth connections.

Consider the following:

  • To use this policy, Bluetooth smart card-related applications must be installed on the device and the smartcard must be registered in the Settings menu of the device.
  • Android 10 and higher devices are not supported.

Samsung Knox 1.0 and higher
Certificate deletion Prevents users from deleting the certificate in the Settings menu of the device. Samsung Knox 1.0 and higher
Certificate verification during installation Set the system to validate the certificate during installation. If the certificate fails validation, it cannot be installed. Samsung Knox 1.0 and higher
Attestation Communicates with the attestation server to determine whether the user's device is forged. If no option is selected, attestation is not processed. Samsung Knox 1.0.1 and higher
> Action when verification fails

Set the measure for when forgery of the device firmware is detected. If detected, the creation of a new Knox Workspace and the use of the existing Knox Workspace are prohibited.

  • Lock Knox Workspace — Locks the Knox Workspace.
  • Delete Knox Workspace — Deletes the Knox Workspace.
  • Lock device — Locks the device.

Android 10 and higher devices are not supported.

  • Factory reset + Initialization SD Card — Simultaneously factory resets the user's device and the SD card.
  • Factory reset — Resets the user device but not the SD card.
Samsung Knox 1.0.1 and higher
Google Android security update Policy

Allows the user to select whether to receive updates on the device.

  • Forced use — Set to receive security updates by default.
Samsung Knox 2.6 and higher

Kiosk

Configures Kiosk applications on a Kiosk device and controls the device settings.

Policy Description Supported system
Kiosk app settings

Select a Kiosk feature to use on a device.

Single App Mode — Runs a single application on the device's home screen.

Multi App Mode — Runs multiple applications that are developed using the Kiosk Wizard.

Web Mode — Opens webpages that are specified by the administrator.

Consider the following:

  • To use the Web Mode, the Kiosk Browser application must be registered as a Knox Manage application. For more details, contact the TMS administrator.
  • Kiosks are not available with non-Samsung Android Legacy devices.

Samsung Knox 1.0 and higher
> Set application

Click Select and select a single Kiosk application from the list. Alternatively, click Add and manually add applications. For more information about adding single applications, see Create a kiosk using the Kiosk Wizard.

Samsung Knox 1.0 and higher
> Set application

Click Select and select multiple Kiosk applications from the list. Alternatively, click New and create a MultiApp Kiosk using the Kiosk Wizard. To learn how to use the Kiosk Wizard, see Exploring Kiosk Wizard.

Samsung Knox 1.0 and higher
> Set Kiosk Browser When setting up the Kiosk Browser, the package name of the application registered as the Kiosk Browser is automatically selected.
> Default URL Set the default page URL to call in the Kiosk Browser.
App Auto Update Set the Kiosk Browser to receive automatic app updates.
> Screen Saver

Use the screen saver for the Multi App Kiosk and the Kiosk Browser. When no user activity is sensed for a certain amount of time, as set in the Auto Screen Off or Session Timeout settings on the device, the registered images or video files are shown on the device display.

  • The Screen Saver only runs while the device is charging.
  • The Screen Saver for the Kiosk Browser only runs while the device is connected to a power source.

>> Screen Saver Type Select either an image or video type screensaver.
>>> Image

Select image files for the screen saver. You can add up to 10 image files in PNG, JPG, JPEG, or GIF formats (animated files are not supported). Each image file must be less than 5 MB.

  • To upload an image file, click Add and select a file.
  • To delete an image file, click delete next to the name of the uploaded image file.

The device control command must be transferred to the device to apply an image file to it.

>>> Video

Select a video file for the screen saver. You can add only one video file in the MP4 or MKV format. The video file must be less than 50 MB.

  • To upload a video file, click Add and select a file.
  • To delete a video file, click delete next to the name of the uploaded video file.

The device control command must be transferred to the device to apply a video to it.

> Session timeout

Allows the use of the session timeout feature for the Kiosk Browser. If the user does not use the device for a set time, the device deletes user information, such as the cache and cookies, in the device Kiosk Browser and goes to the main page URL.

  • Apply — Enable the session timeout feature for the browser.
>> Time (sec)

Set the session timeout in seconds for the Kiosk Browser.

The value must be between 10 - 3600 seconds. The default value is 1800 seconds.

> Text Copy Allows the copying of text strings in the Kiosk Browser.
> Javascript Allows the running of the JavaScript contained in websites.
> Http Proxy Allows the use of an HTTP proxy for communications in the Kiosk Browser.
>> IP/Domain:Port Set the HTTP proxy server IP or domain address, and Port. When not entered, the Port number is automatically set to 80.
> User agent settings key value

Set the key value to be added to the user agent. Allow the Kiosk Browser to access the Web server and the user agent key values contained in the HTTP header.

User agent key settings can be used to detect access to non-Kiosk Browsers on the web server.

> File Upload

Allows the user to upload files to websites through the Kiosk Browser.

Disallow is the default value.

Delete Kiosk app when policy is removed Allows deleting applications along with policies from the device when the applied policy is deleted. Samsung Knox 1.0 and higher
Task manager

Allows the use of the Task Manager.

You can use the function to disable the hardware key on SDK 2.5 or later.

Samsung Knox 1.0–2.4 and higher
System bar

Use the System bar which refers to the Status bar in the Notifications area at the top of the device and the Navigation bar in the Buttons area at the bottom.

For non-Samsung devices, irrespective of whether you select Allow status bar only or Allow navigation bar only, both the status bar and the navigation bar are disabled.

Samsung Knox 1.0 and higher
Prohibit hardware key Allows the use of the hardware keys. Samsung Knox 1.0 and higher
> Disallow hardware keys

Select hardware keys to disable.

The availability of Hardware keys can vary by device.

If you do not allow the use of the Task Manager, then it does not run, even if the user tries to activate it by tapping the left menu key in the Navigation bar at the bottom of the device.

Samsung Knox 1.0 and higher
Multi windows Allows the use of multiple windows. This feature is available for devices that provide the functionality of multiple windows. Samsung Knox 1.0 and higher
Air command Allows the use of Air command. Air command is a function provided on Samsung devices. Menu items appear on the screen when the user brings an S pen close to the screen. Samsung Knox 2.2 and higher
Air view Allows the use of Air view. Air view is a function provided on Samsung devices. Users can preview a picture or email when they bring the S pen or finger close to the picture or other content. Samsung Knox 2.2 and higher
Edge screen Allows the use of the Edge screen of the device. The Edge screen allows users to create shortcuts on the edges of the screen panel to frequently used applications, favorite contacts, or the camera. Samsung Knox 2.5 and higher

App Restrictions

Configures options for application controls such as installation, verification, and permission.

Policy Description Supported system
Installation of application from untrusted sources

Allows the installation of applications from untrusted sources instead of just the Google Play Store.

Android 8 and higher is supported for Knox Workspace devices.

Samsung Knox 1.0 and higher
Play Store Allows the use of the Google Play Store. Samsung Knox 1.0 and higher
YouTube Allows the use of YouTube. Samsung Knox 1.0 and higher
App Installation Block/Allowlist Setting

Set to control the app installation policies.

If no apps are added to the Application installation blocklist and the Application installation allowlist, then no other apps except the Knox Manage agent are installed or run.

> App installation blocklist

Add apps to prohibit their installation.

  • To add an app, click Add, and then select apps in the Select Application window.
  • To add all apps, click Add all.
  • To delete an app, click delete next to the added app.

  • If a control app registered with a wildcard (*) in the package name is added to this policy, the specific package is not installed. For example, com.*.emm / com.sds.* / com.*.emm.*
  • Blocked apps cannot be installed and are deleted even if they were previously installed.
  • You cannot add an app that is on the Application installation allowlist to the blocklist.

Samsung Knox 1.0 and higher
> App installation allowlist

Add apps to allow their installation.

  • To add an app, click Add, and then select apps in the Select Application window.
  • To add all apps, click Add all.
  • To delete an app, click delete next to the added app.

  • If a control app registered with a wildcard (*) in the package name is added to this policy, the specific package is not installed. For example, com.*.emm / com.sds.* / com.*.emm.*
  • Any apps not on the allowlist are deleted, even if they are not on the blocklist.
  • You cannot add an app that is on the Application installation blocklist to the allowlist.
  • Samsung Knox 2.0 and higher is supported for Knox Workspace devices.

Samsung Knox 1.0 and higher
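The following added example (not Knox Manage code) previews what an App installation blocklist and allowlist would do to the apps already on a device, using the removal rules and the wildcard patterns described above. It assumes that `*` matches any run of characters, dots included, and that the allowlist rule applies only when the allowlist is not empty; the agent package name and the inventory are constructed placeholders.

```python
import re

# Hypothetical package name standing in for the Knox Manage agent (placeholder).
AGENT_PACKAGE = "com.example.kmagent"

# Constructed inventory of third-party packages on a test device.
INSTALLED = [
    "com.example.kmagent",
    "com.sds.emm",
    "com.sds.push",
    "com.acme.emm.client",
    "com.acme.mail",
    "org.example.notes",
]


def compile_pattern(pattern):
    """Turn a package pattern such as 'com.*.emm' into an anchored regex.

    Assumption: '*' matches any run of characters, dots included.
    """
    if not re.fullmatch(r"[A-Za-z0-9_.*]+", pattern):
        raise ValueError(f"unexpected character in package pattern: {pattern!r}")
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))


def first_match(package, patterns):
    """Return the first pattern in the list that covers the package, else None."""
    for pattern in patterns:
        if compile_pattern(pattern).fullmatch(package):
            return pattern
    return None


def overlaps(installed, blocklist, allowlist):
    """Packages covered by both lists; the page forbids listing an app on both."""
    return sorted(
        pkg for pkg in installed
        if first_match(pkg, blocklist) and first_match(pkg, allowlist)
    )


def preview(installed, blocklist, allowlist):
    """Map each installed package to 'keep' or to the reason it would be removed."""
    result = {}
    for pkg in installed:
        hit = first_match(pkg, blocklist)
        if pkg == AGENT_PACKAGE:
            result[pkg] = "keep (agent)"
        elif not blocklist and not allowlist:
            # Page: with both lists empty, only the agent is installed or run.
            result[pkg] = "blocked (both lists empty)"
        elif hit:
            # Page: blocked apps are deleted even if previously installed.
            result[pkg] = f"remove (blocklist {hit})"
        elif allowlist and not first_match(pkg, allowlist):
            # Page: apps not on the allowlist are deleted.
            result[pkg] = "remove (not on allowlist)"
        else:
            result[pkg] = "keep"
    return result


if __name__ == "__main__":
    blocklist = ["com.*.emm", "com.sds.*", "com.*.emm.*"]  # patterns quoted on the page
    for pkg, verdict in preview(INSTALLED, blocklist, []).items():
        print(f"{pkg:24} {verdict}")
    print("on both lists:", overlaps(INSTALLED, ["com.*.emm.*"], ["com.acme.*"]))
```

Running the preview against a real device inventory before saving the profile shows which apps a broad pattern would delete.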
App execution Block/Allowlist Setting

Set to control the app execution policies.

If the policy changes or Knox Manage is unenrolled, hidden apps reappear.

Android 8 (Oreo) or below is supported for non-Samsung devices.

> App execution blocklist

Add apps to prevent their execution. The icon of the blocked app disappears and users cannot run the app.

To add an app, click Add, and then select apps in the Select Application window.

To delete an app, click delete next to the added app.

Samsung Knox 1.0 and higher, Android 2.2 and higher
> App execution allowlist

Add apps to allow their execution. Icons of apps that are not on the allowlist disappear automatically. Knox Manage and the preloaded apps are automatically registered on the allowlist.

  • To add an app, click Add, and then select apps in the Select Application window.
  • To delete an app, click delete next to the added app.

You cannot add an app that was added to the Application installation allowlist to the blocklist.

Samsung Knox 1.0 and higher, Android 2.2 and higher
App force stop prohibition list setting Set to prohibit apps from being force stopped.
> App force stop blocklist Add apps to prohibit them from being force stopped. Samsung Knox 1.0 and higher
App execution prevention list setting Allows app installation but prevents app execution.
> App execution prevention list

Add apps to be displayed but not executable.

Listed apps can be installed and the icons are shown on the screen, but they are not allowed to run.

  • To add an app, click Add, and then select apps in the Select Application window.
  • To delete an app, click delete next to the added app.

You cannot add an app that is on the Application installation blocklist to the allowlist.

Samsung Knox 2.0 and higher
App uninstallation prevention list Settings Set to control the app uninstallation policies.
> App uninstallation prevention list

Add apps to prevent their uninstallation.

  • To add an app, click Add, and then select apps in the Select Application window.
  • To delete an app, click delete next to the added app.
Samsung Knox 1.0 and higher
Action when apps are compromised

Select from one of the following actions to take if an internal or a kiosk application is compromised:

  • Disallow running — Prohibits the application's execution.
  • Uninstall — Deletes an application.
  • Lock device — Locks the user's device.
    Android 10 and higher devices are not supported.
  • Notify Alert — The compromised status of the device is reported on the Dashboard.
  • Factory reset + Initialize SD card — Simultaneously resets a user device and the SD card.
  • Factory reset — Resets the user device but not the SD card.

Actions such as lock device, factory reset, and the notify alert are applied but only for general Android devices and not for Samsung Galaxy and LG Electronic devices.

Samsung Knox 1.0 and higher
Battery optimization exceptions

Set to exempt applications from the battery optimization function. This policy may cause battery loss.

This policy is for devices running Android (Nougat) or later.

> Apps excluded battery optimization Add applications to exempt them from the battery optimization function. Samsung Knox 2.7 and higher

Location

Allows the use of GPS or collecting location data from a device.

Policy Description Supported system
Report device location

Allows collection of location data.

User consent — Allows location data collection only with the user's consent.

  • When this policy is set to User consent, location data can only be collected after the user allows collection of device location data in the permission pop-up. The Report device location policy has a higher priority than the GPS policy or the locate the current position device command.
  • For devices running Android 10 and higher, this policy is supported only when the GPS is enabled in the device settings.

Samsung Knox 1.0 and higher, Android 2.3 and higher
> Report device location interval

Set an interval period to save the location data of the device.

To set the collection interval, select either Allow or User Consent for the Report device location policy.

Samsung Knox 1.0 and higher, Android 2.3 and higher
High Accuracy Mode Set to use for collecting accurate GPS locations of the devices. Samsung Knox 1.0 and higher, Android 2.3 and higher

Browser

Allows the use of the default web browser and configures the settings for it.

Browsers must restart before the changes are applied.

Policy Description Supported system
Android browser

Allows using the Android browser.

The disallowed setting or blocklist setting takes priority over others. If the disallowed setting is configured in any of the Android browser or the application blocklist policies, the Samsung Internet browser is launched.

Samsung Knox 1.0 and higher
> Cookies

Allows cookies in the Android browser.

If cookies are not allowed, you cannot access websites that authenticate users with cookies.

Samsung Knox 1.0 and higher
> JavaScript Allows JavaScript in the Android browser. Samsung Knox 1.0 and higher
> Autofill Allows auto-completion of information that you enter on websites in the Android browser. Samsung Knox 1.0 and higher
> Pop-up block Allows blocking pop-ups in the Android browser. Samsung Knox 1.0 and higher
Browser proxy URL

Set the proxy server address for the Android browser in the general area.

Enter the value in the form of IP:port or domain:port in the fields.

  • The Chrome browser and Samsung S browser are supported.
  • The supported version for Chrome is Knox 4.0.1 - 5.6.

Samsung Knox 1.0.1 and higher

Phone

Configures the phone settings, such as airplane mode, the microphone, and the cellular network settings.

Policy Description Supported system
Airplane mode Allows the use of airplane mode. Samsung Knox 2.0 and higher
Cellular data connection

Allows the use of a cellular data connection.

This policy is applied after internal applications that have been set as Automatic (Non-removable) are installed. If the cellular data connection policy is not applied successfully, the device tries again to apply this policy 30 minutes after Knox Manage is activated.

Samsung Knox 1.0 and higher
Prohibit voice call Prohibits incoming and outgoing voice calls. Samsung Knox 1.0 and higher
> Voice call

Specifies the types of voice call to block:

  • Incoming — Blocks incoming voice calls only.
  • Outgoing — Blocks outgoing voice calls only.

If both are selected, only emergency calls can be received or made.

> Incoming Call Blocklist

Add phone numbers to the blocklist to block incoming voice calls.

  • To add a phone number, enter it in the field and click add.
  • To delete a phone number, click delete next to it.
> Outgoing Call Blocklist

Add phone numbers to the blocklist to block outgoing voice calls.

  • To add a phone number, enter it in the field and click add.
  • To delete a phone number, click delete next to it.
Data usage limit Allows the limiting of data usage. Samsung Knox 1.0 and higher
Data usage restrictions

Limits the maximum data usage for user devices. If data usage exceeds the limit set on a device, data use is no longer available.

To get precise information on the amount of usage, changing the date and time must not be allowed.

Samsung Knox 1.0 and higher
> Maximum usage

Set the maximum data amount for user devices for 1 day, 1 week, or 1 month.

  • Daily usage is calculated at 12:00 PM each day, weekly usage on Sundays, and monthly usage on the first day of each month.
  • When the maximum data amount is reached, the data network connectivity is blocked. But if the user allows the data network, the data usage of the user device is reset.

Data connection during roaming Allows data connection when roaming. Samsung Knox 1.0 and higher
WAP push during roaming Allows WAP push communication while using roaming. Samsung Knox 1.0 and higher
Data sync during roaming Allows data synchronization while roaming. Samsung Knox 1.0 and higher
Voice calls during roaming Allows voice calls while roaming. Samsung Knox 1.0 and higher
Disallow SMS and MMS Prohibits sending and receiving SMS or MMS messages. Samsung Knox 1.0 and higher
> Disallow Incoming and Outgoing SMS and MMS

Specifies the types of SMS and MMS messages to block.

At least one of the types should be selected.

> Incoming SMS Blocklist

Add phone numbers to the blocklist to block incoming SMS/MMS messages.

  • To add a phone number, enter it in the field and click add.
  • To delete a phone number, click delete next to it.
> Outgoing SMS Blocklist

Add phone numbers to the blocklist to block outgoing SMS/MMS messages.

  • To add a phone number, enter it in the field and click add.
  • To delete a phone number, click delete next to it.
Set app voice recording allowlist

Allows recording phone conversations.

If unspecified, voice recording is not allowed.

Samsung Knox 3.0 and higher
> App voice recording allowlist

Add applications that are allowed to record phone conversations to the allowlist.

  • The registered voice recording applications cannot be deleted after being activated. To remove the registered applications, you must factory reset the device.
  • If the registered voice recording applications are activated on a device, the device USB connection is blocked.

Samsung Knox 3.0 and higher

Firewall

Configures the IP or a domain firewall policy for each application.

The firewall supports IPv6 for SDK 2.6 or above. Even if the IPv4 and the IPv6 indicate the same address, a separate configuration is required.

  • If there are multiple firewalls, restricted firewalls have a higher priority.
  • If a firewall is configured to all applications as well as in specific applications, the policy for each application has a higher priority.
Policy Description Supported system
Firewall

Set to use the firewall to set target IP addresses. The firewall policy is enabled by default.

Samsung Knox 1.0 - 2.4.1 is supported for Knox Workspace devices.

Samsung Knox 1.0 - 2.4.1
> Permitted Policy (IP)

Input values to permit the target IP and port address. Configure the following:

  1. Enter or click Add to search the Package Name of the application.
  2. Input the IP Address (range) and Port (range).
  3. Select the Network Type:
    • All
    • Data — Only mobile network access is enabled.
    • Wi-Fi — Only Wi-Fi network access is enabled.
  4. Select Port Range:
    • All
    • Local — Port access from the device is enabled.
    • Remote — Port access from the target server is enabled.
  5. Click add to add.

  • Before setting this policy, disable all IPs by entering a wildcard character (*) to the Prohibited policy (IP) ranges.
  • Samsung Knox 2.5 is supported for Knox Workspace devices.

> Prohibited Policy (IP)

Input values to permit the target IP and port address. Configure the following:

  1. Enter or click Add to search the Package Name of the application.
  2. Input the IP Address (range) and Port (range).
  3. Select the Network Type:
    • All
    • Data — Only mobile network access is enabled.
    • Wi-Fi — Only Wi-Fi network access is enabled.
  4. Select Port Range:
    • All
    • Local — Port access from the device is enabled.
    • Remote — Port access from the target server is enabled.
  5. Click add to add.

  • Before setting this policy, disable all IPs by entering a wildcard character (*) to the Prohibited policy (IP) ranges.
  • Samsung Knox 2.5 is supported for Knox Workspace devices.

Samsung Knox 2.5 and higher
> Permitted Policy (Domain)

Input values to permit the target domain address.

  1. Enter or click Add to search the Package Name of the application.
  2. Input the IP Address (range) and Port (range).

  • Before setting this policy, disable all domains by entering a wildcard character (*) to the Prohibited policy (Domain) ranges.
  • Use a wildcard character (*) to allow the use of a specific domain. The character must be placed before or after the domain name. For example, *android.com / www.samsung*
  • Samsung Knox 2.6 is supported for Knox Workspace devices.

Samsung Knox 2.6 and higher
> Prohibited policy (Domain)

Input values to disable the target domain address.

  1. Enter or click Add to search the Package Name of the application.
  2. Input the IP Address (range) and Port (range).

  • Use a wildcard character (*) to disable a specific domain.
  • Samsung Knox 2.6 is supported for Knox Workspace devices.

Samsung Knox 2.6 and higher
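The following added example (not Knox Manage code) lints a draft set of Permitted and Prohibited policy (Domain) entries against the two rules stated above: the wildcard may sit only before or after the domain name, and a permitted list needs a `*` entry in the prohibited list first. It also lists which probe hostnames each permitted entry would cover, assuming `*` stands for any run of characters and matching ignores case; the probe hostnames are constructed.

```python
# Constructed hostnames used only to preview the scope of each entry.
PROBE_HOSTS = [
    "developer.android.com",
    "android.com",
    "notandroid.com",
    "www.samsung.com",
    "www.samsung-mirror.example",
    "mail.example.org",
]


def wildcard_placement_ok(entry):
    """Page rule: '*' may appear only before or after the domain name."""
    core = entry.strip("*")
    return entry == "*" or (core != "" and "*" not in core)


def covers(entry, host):
    """Assumed semantics: '*' is any run of characters; matching ignores case."""
    entry, host = entry.lower(), host.lower()
    core = entry.strip("*")
    lead, trail = entry.startswith("*"), entry.endswith("*")
    if lead and trail:
        return core in host
    if lead:
        return host.endswith(core)
    if trail:
        return host.startswith(core)
    return host == core


def lint_domain_policy(permitted, prohibited, probe_hosts):
    """Return (findings, scope) for a draft per-application domain policy.

    findings: rule violations as text; scope: permitted entry -> probe hosts covered.
    """
    findings = []
    for name, entries in (("permitted", permitted), ("prohibited", prohibited)):
        for entry in entries:
            if not wildcard_placement_ok(entry):
                findings.append(f"{name}: {entry!r} has '*' inside the name")
    # Page prerequisite: prohibit everything with '*' before adding permitted entries.
    if permitted and "*" not in prohibited:
        findings.append("permitted entries set but prohibited list lacks '*'")
    scope = {
        entry: [host for host in probe_hosts if covers(entry, host)]
        for entry in permitted
        if wildcard_placement_ok(entry)
    }
    return findings, scope


if __name__ == "__main__":
    # '*android.com' and 'www.samsung*' are the page's examples; the third is constructed.
    permitted = ["*android.com", "www.samsung*", "api.*.example.com"]
    findings, scope = lint_domain_policy(permitted, [], PROBE_HOSTS)
    for finding in findings:
        print("FINDING:", finding)
    for entry, hosts in scope.items():
        print(f"{entry:16} covers {hosts}")
```

Under the assumed matching, an entry such as `*android.com` has no dot boundary, so the scope listing is the place to confirm that it covers only the hosts you intend.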
> DNS setting

Input values to specify the domain server address of all applications or registered applications.

  1. Enter or click Add to search the Package Name of the application.
  2. Input DNS values.
    • DNS1 — Primary DNS.
    • DNS2 — Secondary DNS.

Only one DNS per application can be set and it is effective only when there are no VPN or Proxy policies assigned to the application.

Samsung Knox 2.7 and higher

Logging

Allows performing logging and configuring the settings.

Policy Description Supported system
Save logs

Set to enable the save logs feature.

Enable — Set to perform logging. This is the default value.

Disable — Cannot record device logs.

If this policy is not specified, Knox Manage performs logging with the DEBUG level.

Samsung Knox 1.0 and higher, Android 1 and higher
> Log level

Select a log level.

  • DEBUG — Logs detailed device information for the developers.
  • INFO — Logs device information for the administrators.
  • WARNING — Logs information that is not an error but requires special attention from the administrators.
  • ERROR — Logs error information.
  • FATAL — Logs critical error information, such as system interruption.
Samsung Knox 1.0 and higher, Android 1 and higher
> Maximum log size (MB)

Enter a value for the maximum log size.

The value can be between 1 - 20 MB.

Samsung Knox 1.0 and higher, Android 1 and higher
> Maximum days for storage (day)

Enter a value for the maximum days for log storage.

The value can be between 1–30 MB.

Samsung Knox 1.0 and higher, Android 1 and higher

DeX

Allows the use of DeX mode, an interface to use a mobile device like a desktop.

Samsung DeX is an accessory that extends the functionality of a mobile device. By connecting a monitor, keyboard, and mouse to a DeX docking station, the mobile device can function as a desktop computer.

In Knox Manage, you can allow the use of DeX mode and control applications according to the Application execution blocklist setting.

Policy Description Supported system
DeX mode

Allows the use of DeX mode.

  • Disallow — The DeX station does not function even if a mobile device is mounted on it.
Samsung Knox 3.0 and higher
Ethernet only Allows Ethernet only for DeX. Mobile data, Wi-Fi, and tethering are blocked. Samsung Knox 3.0 and higher
Application execution blocklist (Android) Use the blocklist for running DeX applications. Samsung Knox 3.0 and higher
> Application execution blocklist

Prohibits launching the specified applications.

  • To add an application, click Add, and then select applications in the Select Application window.
  • To delete an application, click delete next to the added application.

  • Any applications that already have been added to the Application allowlist cannot be added to the Application blocklist.
  • When this policy is enabled and applied, the icons of the blocked applications disappear so that users cannot launch them. However, the applications are not deleted. The icons reappear once the policy is changed or Knox Manage is disabled.

Wi-Fi

Configures the Wi-Fi settings, such as SSID, security type, and proxy.

Click add to add a configuration.

You can add or edit up to 50 configurations when you save the profile.

Policy Description
Configuration ID Assign a unique ID for each Wi-Fi setting.
Description Enter a description for each Wi-Fi setting.
Network Name (SSID)

Enter an identifier of a wireless router to connect to.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

Remove available Allows users to delete the Wi-Fi settings.
Security type Specifies the access protocol used and whether certificates are required.
> WEP Set a WEP KEY from WEP KEY 1 to 4.
> WPA/WPA2-PSK Enter a password.
> 802.1xEAP

Configure the following items:

  • EAP Method — Select an authentication protocol from among PEAP, TLS, and TTLS.
  • 2-step authentication — Select one from PAP, MSCHAP, MSCHAPV2, or GTC as a secondary authentication method. This is available when EAP Method is set to TTLS or TLS.
  • User information input method — Select an input method for entering user information.
  • Manual Input — Enter the user ID and Password for the Wi-Fi connection. You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.
  • Connector interworking — Choose a connector from the User Information Connector.
  • User Information — Use the user information registered in Knox Manage to access Wi-Fi.
  • User certificate input method — Select a user certificate confirmation method.
  • EMM Management Certificate — Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.

    Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.

  • Connector interworking — Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Connect to AD/LDAP. When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.
  • Issuing external CA — Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Add external certificates.
  • CA certificate — Select a root certificate. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as Wi-Fi and the Type set as Root are included on the list.
Proxy configuration Select a proxy server configuration method. You can use the server to route through the proxy server when the device is connected to Wi-Fi.
> Manual

Configure the proxy server manually.

  • Proxy host name — Enter the host name or the IP address of the proxy server.
  • Proxy port — Enter the port number used by the proxy server.
  • Proxy exception — Enter the IP address or domain address that cannot be accessed through the proxy server.
  • Server authentication — If server authentication is required to use the proxy server, check this box.
  • User name — Enter the username for the proxy server.
  • Password — Enter the password for the proxy server.
> Proxy automatic configuration

Configure the proxy server automatically.

In the PAC web address field, enter the URL of the PAC file that automatically determines which proxy server to use.

Exchange

Configures the settings of Microsoft Exchange ActiveSync accounts to synchronize data with them.

You can add more Exchange policy sets by clicking add.

Policy Description
Configuration ID Assign a unique ID for each exchange setting.
Description Enter a description for each exchange setting.
Remove available Allows users to delete the exchange settings.
Office 365 Configures the Exchange settings by automatically filling in the Exchange server address and setting the SSL option to Use.
User information input method Select an input method for entering user information.
> Manual Input

Select to manually enter the email address, account ID, and password of a user.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

> Connector interworking

Select to choose a connector from the User Information Connector list.

All the connectors are listed in Advanced > System Integration > Directory Connector.

> User Information Select to access the exchange server using the registered Knox Manage email and ID. The password must be entered from the user's device.
Domain

Enter a domain address for the exchange server.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

Exchange server address

Enter the exchange server information such as IP address, host name or URL.

If Office365 is selected, outlook.office365.com is automatically entered.

Sync measure for the early data Select the interval period to sync the past emails. The sync interval and synchronization are in accordance with the email application settings.
User certificate input method Select an input method for entering certificate information.
> EMM Management Certificate

Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.

Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.

  • User Certificate — Select a certificate to use from the User Certificate list.

> Connector interworking

Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration (Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Connect to AD/LDAP.

When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.

  • User certificate Connector — Select a connector to use from the User certificate Connector list.
> Issuing external CA

Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Add external certificates.

  • Issuing external CA — Select an external CA to use from the Issuing external CA list.
Sync calendar Syncs schedules on a calendar from an Exchange server or a mail server to a device.
Sync contacts Syncs contact information in a phone book from a server to a device.
Sync task Syncs task items from a server to a device.
Sync notes Syncs notes from a server to a device.
SSL

Set to use SSL for email encryption.

If Office365 is selected, the SSL option is automatically set to Use.

Signature Enter the email signature to use.
Notification Notifies the user of new emails.
Always vibrate on notification Notifies the user of new emails with a vibration.
Silent notification

Mutes email notifications.

Always vibrate on notification and Silent notification cannot be used at the same time.

Attachment capacity (byte)

Enter the email attachment file size limit in bytes.

The input value ranges from 1 to 52428800 (50MB).

Maximum Size of Email Body (Kbyte) Select a maximum value for the email body size. This value is only set once during the initial Exchange ActiveSync setup.
> Default Size of Email Body (Kbyte) Select the default value for the email body size. This value is only set once during the initial Exchange ActiveSync setup.

Email Account

Configures the settings of a POP or IMAP email account.

Click add to add a configuration.

You can add or edit up to 50 configurations when you save the profile.

Policy Description
Configuration ID Assign a unique ID for each email account setting.
Description Enter a description for each email account setting.
Remove available Allows users to delete the email account settings.
Default Account Specifies to use the default account.
User information Input Method Select an input method for entering user information.
> Manual Input

Select to manually enter the email address, server ID and password of a user.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

> Connector interworking

Select a connector from the user information connector list.

The connectors are listed in Advanced > System Integration > Directory Connector.

> User information

Select to access the relevant mail server using the registered Knox Manage email, ID, and password.

You must enter the password from the user's device.

Incoming Server Protocol Select between the POP3 (pop3) and IMAP (imap) protocol.
Outgoing Server Protocol Entered automatically as SMTP.
Incoming Server Address/port Enter the Incoming Server address/port in a provided format.
Outgoing Server Address/port Enter the outgoing server address/port in a provided format.
Incoming Server ID

Enter an incoming server ID to sign in to the incoming mail server manually.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

This field is only available when Manual Input is selected.

Outgoing Server ID

Enter an outgoing server ID to manually sign in to the outgoing mail server.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

This field is only available when Manual Input is selected.

Incoming Server Password

Enter an incoming server password to manually sign in to the incoming mail server.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

This field is only available when Manual Input is selected.

Outgoing Server Password

Enter an outgoing server password to manually sign in to the outgoing mail server.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

This field is only available when Manual Input is selected.

Incoming SSL Select to use SSL for encryption.
Outgoing SSL Select to use SSL for encryption.
Notification

Select an email notification method.

  • Enable Notification — Activates email notification.
  • Enable 'Always notify by vibrate mode' — Notifies the user of new emails with a vibration.
  • Disable Notification — Deactivates email notification.
All incoming certificates Allows receiving certificates.
All outgoing certificates Allows sending certificates.
Signature Enter an email signature to use.
Account Name Assign an account name.
Sender Name Assign a sender name.

Bookmark

Configures the bookmark settings, such as the configuration ID and installation area.

You can add, modify, or delete the bookmarks in the Samsung S browser, the default browser on Samsung Galaxy devices. Click add to add a configuration.

You can add or edit up to 100 configurations when you save the profile.

  • Browsers must be closed and opened again to apply the changes.
  • Even if a user modifies a registered bookmark or registers a bookmark with the same URL and name, it is not deleted when the bookmark setting is deleted.
  • Even if a user manually deletes the set bookmark, due to the limitations of Samsung devices, the application may still appear to be installed. In this case, you have to delete the bookmark in the profile, and then recreate the bookmark.
  • The auto-installation of Bookmark settings is supported on devices running Android 6 Marshmallow or Android 7 Nougat, and only when BookMark is chosen in the Installation area.
Policy Description
Configuration ID Assign a unique ID for each bookmark setting.
Description Enter a description for each bookmark setting.
Installation area

Specifies a location to install the bookmark.

  • BookMark — Saves a bookmark in the S browser.
  • Shortcut — Creates a shortcut for the bookmarked address on the home screen of the device. Shortcut icons are created based on the Samsung Launcher.

If a Shortcut was selected, auto installation is not supported.

Depending on the type of launcher set by the user, shortcut icons may not be created. An administrator cannot delete the shortcut icon, but the user can delete it manually.

Bookmark page URL Enter a website address to go to when a bookmark is selected.
Bookmark name Enter the bookmark name to be displayed as a title in the bookmark.

APN

Configures the APN (Access Point Name) settings.

Click add to add a configuration.

You can add or edit up to 20 configurations when you save the profile.

Policy Description
Configuration ID Enter an APN name to be displayed on the device.
Description Enter a description for an APN.
Remove available Allows users to delete APN settings. If you choose Disallow, then the button used to delete APN settings is disabled.
Access Point Name (APN) Enter the name of the access point.
Access Point Type

Select the type of the access point.

  • Default — default type.
  • MMS — Multimedia Messaging Service.
  • Supl — IP-based protocol to receive GPS satellite signals.
Mobile Country Code (MCC) Enter the country code for the APN.
Mobile Network Code (MNC) Enter the carrier network code for the APN.
MMS Server (MMSC)

Enter the server information for sending multimedia messages.

  • MMS Proxy Server — Enter the information of the proxy server for sending multimedia messages.
  • MMS Proxy Server Port — Enter the port number of the proxy server for sending multimedia messages.
Server Enter the WAP gateway server name.
Proxy Server Enter the information of the proxy server.
Proxy Server Port Enter the port number of the proxy server.
Access Point User Name

Enter the user name of the access point.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

Access Point Password

Enter the password of the access point.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

Authentication Method

Select an authentication method.

  • None — Disables authentication.
  • PAP — Requires a user name and password for authentication.
  • CHAP — Uses encryption with a Challenge string for authentication.
  • PAP or CHAP — Uses the PAP or CHAP authentication method.
Set as Preferred APN Applies APN settings to the device.

Knox VPN

Configures a VPN (Virtual Private Network) on Samsung Galaxy devices.

Knox VPN settings are provided to help you set up a VPN on a Samsung Galaxy device more easily. Click add to add a configuration.

You can add or edit up to 20 configurations when you save the profile.

When Knox Workspace is used on an Android Legacy device, only one Knox VPN can be set on a device regardless of the Knox Workspace area or general area. If the Knox VPN vendor is Cisco, then it can be installed in both areas. To use a Knox VPN on both areas, you need to install the vendor’s VPN Client application in each area.

Policy Description
Configuration ID Assign a unique ID for the Knox VPN setting.
VPN name Enter a VPN name to display on the user device.
Description Enter a description for the Knox VPN setting.
Remove available Allows users to delete the Knox VPN settings.
VPN vendor name

Select a VPN vendor, either Cisco or User defined. Input fields vary depending on the selected VPN vendor name.

Select User defined to set up a different vendor's VPN service, such as the Sectra mobile VPN.

VPN client vendor package name Entered automatically according to the selected VPN vendor name. If User defined is selected, you must enter it manually.
VPN type Select a protocol.
Entering methods for Knox VPN

Select an entering method for Knox VPN information.

Input fields vary depending on the selected VPN vendor and the entering method.

Upload Knox VPN profile

Allows uploading a Knox VPN profile when you set Entering methods for Knox VPN to Upload profile.

You can upload a text file in the JSON format. JSON varies depending on the VPN vendor and VPN type.

For more information about sample files, see the sample file of a Sectra Mobile VPN configuration in Entering a VPN vendor manually and see the sample file of Cisco VPN configuration in Sample file for uploading a Knox VPN profile.

User certificate input method

Select an input method for entering certificate information.

  • EMM Management Certificate — Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.

    Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.

  • Connector interworking — Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Connect to AD/LDAP.

    When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.

  • Issuing external CA — Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Add external certificates.
CA Certificate Select a certificate to use from the CA certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as Knox VPN and the Type set as Root are shown on the list.
Server certificate Select a certificate to use from the certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as Knox VPN and the Type set as User are shown on the list.
FIPS mode

Allows the use of FIPS mode.

FIPS (US Federal Information Processing Standards) mode encrypts all data between the server and client using FIPS 140-2 certified modules.

Auto Re-connection Allows connecting automatically when an error occurs.
VPN route type by application

Select to use a VPN for selected applications or for all applications in the General area.

  • By Application — Click Add next to The VPN applied package name per app and select applications, and then click Save.
  • All packages of general area — All applications in the General area are subject to a VPN.

Entering a VPN vendor manually

To use a VPN provided by a vendor other than Cisco, select User defined in the VPN vendor name field. Then upload a text profile in the JSON format. You must install the VPN Client on the device before using a VPN.

For example, when a Sectra VPN is used, set the options as follows:

  1. Enter com.sectra.mobilevpn in the VPN client vendor package name field.
  2. Set VPN type to SSL.
  3. Click Add next to Upload Knox VPN profile and upload a configuration file with the Sectra Mobile VPN configuration parameters set.
    • Upload a file in the JSON format to fully integrate the Sectra Mobile VPN on the Knox Manage console.
    • Set the parameters as shown in the example below.
Parameter Description Example
profileName The name of the VPN configuration profile that is listed on the Knox Manage application and the VPN client GUI. Sectra Mobile VPN
servers A list of 1–6 VPN servers with IP addresses and a network port. This list is in an order of priority, with the default VPN server being the first on the list. The remaining VPN servers are used only if the default server is damaged.
[
    {"address":"1.1.1.1","port":443},
    {"address":"2.2.2.2", "port":444},
    {"address":"3.3.3.3", "port":445}
]
pkcs12BaseUrl The HTTP/S URL of the download server from which the encrypted key material is downloaded. http://download.server.com/certs/
mtuSize

The MTU (Maximum Transmission Unit) is the size used on Knox Manage's virtual network interface. It is the maximum size of outgoing UDP (User Datagram Protocol) tunnel packets before they are fragmented.

The value must be between 576–1500 bytes.

1300
useDtls

Determines whether a DTLS tunnel is used. A DTLS tunnel should be used if sensitive data is being transmitted in real time, for example when streaming video and/or using VoIP calls.

The value must be either True or False. If unsure, set to True.

True
diffServ

Tunnel packets' Quality of Service (QoS) tag sent from a client. Differentiated service is part of an IP header.

The value must be between 0–63. 0 means disabled.

0
tcpKeepAlive

Timer value for the interval of a KeepAlive packet sent from a TCP tunnel.

The value must be between 1–18000.

  • Sectra recommends setting this value to 1200 seconds, since it is compatible with most mobile networks.

The timer value is an important parameter and you must exercise caution when selecting it.

1200
dtlsInactivityTimeout

The timer value for the standby period of a DTLS tunnel that determines how long it idles without receiving any data before it goes inactive.

The value must be between 1–300 seconds.

Sectra does not recommend setting this value to 300 seconds.

30
trafficProfiles 1–3 traffic profiles the users can choose, for when a normal configuration is not sufficient. Traffic profiles can change the following configuration parameters: mtuSize, useDtls, diffServ, tcpKeepAlive and/or dtlsInactivityTimeout. The traffic profile also requires the name of the profile which is shown in the client GUI.
[
    {"profileName":"BadNetworkProfile","mtuSize":800, "tcpKeepAlive":600},
    {"profileName":"RealTimeProfile","mtuSize":1500, "useDtls":"true", "diffServ":63}
]

Sample file for uploading a Knox VPN profile

The following is a sample file of a Sectra Mobile VPN configuration:

    {
        "KNOX_VPN_PARAMETERS": {
            "profile_attribute": {
                "profileName":"Sectra Mobile VPN",
                "vpn_type":"ssl",
                "vpn_route_type":1
            },
            "knox": {
                "connectionType":"keepon"
            },
            "vendor": {
                "connection": {
                    "servers": [
                        {
                            "address":"1.1.1.1",
                            "port":443
                        },
                        {
                            "address":"2.2.2.2",
                            "port":444
                        },
                        {
                            "address":"3.3.3.3",
                            "port":555
                        }
                    ],
                    "ssl": {
                        "basic": {
                            "pkcs12BaseUrl":"http://download.server.com/certs/",
                            "mtuSize":1300,
                            "useDtls":true,
                            "diffServ":0,
                            "tcpKeepalive":1200,
                            "dtlsInactivityTimeout":30
                        }
                    }
                },
                "trafficProfiles": [
                    {
                        "profileName": "BadNetworkProfile",
                        "mtuSize":800,"tcpKeepAlive":600
                    },
                    {
                        "profileName":"RealTimeProfile",
                        "mtuSize":1500,
                        "useDtls":"true",
                        "diffServ":63
                    }
                ]
            }
        }
    }
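
A pre-upload check for the profile above, as an added example that is not part of the Knox Manage documentation: it applies the ranges from the parameter table to the sample file. The function names, the case-insensitive key matching and the HTTPS check on pkcs12BaseUrl are assumptions of this example, not documented Knox Manage or Sectra behaviour.

```python
import json

# Inclusive ranges from the parameter table; keys are lower-cased because the
# page's sample spells tcpKeepalive and tcpKeepAlive both ways.
RANGES = {"mtusize": (576, 1500), "diffserv": (0, 63),
          "tcpkeepalive": (1, 18000), "dtlsinactivitytimeout": (1, 300)}

def is_int(value):
    return isinstance(value, int) and not isinstance(value, bool)

def check_settings(where, settings, findings):
    """Range- and type-check one block of tunnel settings."""
    for key, value in settings.items():
        low = key.lower()
        if low in RANGES:
            lo, hi = RANGES[low]
            if not is_int(value):
                findings.append(f"{where}.{key}: expected an integer, got {value!r}")
            elif not lo <= value <= hi:
                findings.append(f"{where}.{key}: {value} outside {lo}-{hi}")
        elif low == "usedtls" and not isinstance(value, bool):
            findings.append(f"{where}.{key}: expected JSON true/false, got {value!r}")

def lint_profile(text):
    """Return findings for a Sectra-style Knox VPN profile given as JSON text."""
    findings = []
    vendor = json.loads(text)["KNOX_VPN_PARAMETERS"]["vendor"]
    conn = vendor.get("connection", {})
    servers = conn.get("servers", [])
    if not 1 <= len(servers) <= 6:
        findings.append(f"servers: {len(servers)} entries, table allows 1-6")
    for i, server in enumerate(servers):
        port = server.get("port")
        if not is_int(port) or not 1 <= port <= 65535:
            findings.append(f"servers[{i}].port: invalid port {port!r}")
    basic = conn.get("ssl", {}).get("basic", {})
    check_settings("basic", basic, findings)
    url = str(basic.get("pkcs12BaseUrl", ""))
    if not url.lower().startswith("https://"):
        # Added hardening check, not a rule from the page (which allows HTTP/S).
        findings.append(f"basic.pkcs12BaseUrl: key material not fetched over TLS: {url}")
    profiles = vendor.get("trafficProfiles", [])
    if len(profiles) > 3:
        findings.append(f"trafficProfiles: {len(profiles)} entries, table allows at most 3")
    for prof in profiles:
        check_settings(f"trafficProfiles[{prof.get('profileName', '?')}]", prof, findings)
    return findings

# The page's Sectra sample, condensed onto fewer lines (values unchanged).
SAMPLE = """{"KNOX_VPN_PARAMETERS": {
 "profile_attribute": {"profileName": "Sectra Mobile VPN", "vpn_type": "ssl", "vpn_route_type": 1},
 "knox": {"connectionType": "keepon"},
 "vendor": {"connection": {
   "servers": [{"address": "1.1.1.1", "port": 443}, {"address": "2.2.2.2", "port": 444},
               {"address": "3.3.3.3", "port": 555}],
   "ssl": {"basic": {"pkcs12BaseUrl": "http://download.server.com/certs/", "mtuSize": 1300,
                     "useDtls": true, "diffServ": 0, "tcpKeepalive": 1200,
                     "dtlsInactivityTimeout": 30}}},
  "trafficProfiles": [
   {"profileName": "BadNetworkProfile", "mtuSize": 800, "tcpKeepAlive": 600},
   {"profileName": "RealTimeProfile", "mtuSize": 1500, "useDtls": "true", "diffServ": 63}]}}}"""

if __name__ == "__main__":
    print("\n".join(lint_profile(SAMPLE)))
```

Run against the sample, it reports the plain-HTTP pkcs12BaseUrl and the string-valued useDtls in RealTimeProfile.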

Configuring a Knox VPN profile manually

You can manually enter a profile only when the VPN vendor is Cisco. Select Manual Input in the Entering method for Knox VPN field. Then set the options as follows:

  1. Enter the IP address, host name, or URL of the VPN server in the Server address.
    • The VPN route type, which enables the use of VPN tunneling, is automatically entered.
  2. Select to use user authentication.
  3. Select a VPN connection type.
    • Keep On — Keep the VPN connection active.
    • On Demand — Connect to the VPN upon request.
  4. Select the chaining type.
  5. Select to use the UID PID.

Sample file for uploading a Knox VPN profile

The following is a sample file with Cisco as the VPN vendor and IPSec as the VPN type:

    {
        "KNOX_VPN_PARAMETERS": {
            "profile_attribute": {
                "profileName":"c1",
                "host":"12.3.456.78",
                "isUserAuthEnabled":true,
                "vpn_type":"ipsec",
                "vpn_route_type":1
            },
            "ipsec": {
                "basic": {
                    "username":"",
                    "password":"",
                    "authentication_type":1,
                    "psk":"",
                    "ikeVersion":1,
                    "dhGroup":0,
                    "p1Mode":2,
                    "identity_type":0,
                    "identity":"test@sta.com",
                    "splitTunnelType":0,
                    "forwardRoutes": [
                        {"route":""}
                    ]
                },
                "advanced": {
                    "mobikeEnabled":false,
                    "pfs":true,
                    "ike_lifetime":"10",
                    "ipsec_lifetime":"25",
                    "deadPeerDetect":true
                },
                "algorithms": {
                }
            },
            "knox": {
                "connectionType":"keepon",
                "chaining_enabled":"-1",
                "uidpid_search_enabled":"0"
            },
            "vendor": {
                "setCertCommonName":"space",
                "SetCertHash":"pluto",
                "certAuthMode":"Automatic"
            }
        }
    }

The following is a sample file with Cisco as the VPN vendor and SSL as the VPN type:

    {
        "KNOX_VPN_PARAMETERS": {
            "profile_attribute": {
                "profileName":"c3",
                "host":"cisco-asa.gnawks.com",
                "isUserAuthEnabled":true,
                "vpn_type":"ssl",
                "vpn_route_type":1
            },
            "ssl": {
                "basic": {
                    "username":"demo",
                    "password":"samsung",
                    "authentication_type":1,
                    "splitTunnelType":0,
                    "forwardRoutes": [
                        {"route":""}
                    ]
                },
                "algorithms": {
                    "ssl_algorithm":0
                }
            },
            "knox": {
                "connectionType":"keepon",
                "chaining_enabled":"-1",
                "uidpid_search_enabled":"0"
            },
            "vendor": {
                "setCertCommonName":"space",
                "SetCertHash":"pluto",
                "certAuthMode":"Automatic"
            }
        }
    }

VPN

Configures a VPN (Virtual Private Network) on Android devices.

You can configure the VPN settings to connect to a private network through a public network. Click add to add a configuration.

You can add or edit up to 20 configurations when you save the profile.

Policy Description
Configuration ID Assign a unique ID for the VPN setting.
VPN Name Enter a VPN name to display on the user device.
Description Enter a description for the VPN setting.
Remove available Allows users to delete the VPN settings.
Connection type

Select a connection type and enter the parameters. Required parameters vary depending on the selected connection type.

  • PPTP — Set if PPP should be encrypted (MPPE).
  • L2TP/IPSec PSK — Enter parameters in the L2TP Secret Key, IPSec Identifier, and IPSec Pre-shared Key fields.
  • L2TP/IPSec RSA, IPSec Xauth RSA, IPSec Hybrid RSA — Select a root certificate from IPSec CA Certificates. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as VPN and the Type set as Root are included on the list.
  • IPSec Xauth PSK — Enter parameters in the IPSec Identifier and IPSec Pre-shared Key fields.
Server address Enter the IP address, host name, or URL of the VPN server that the device needs to access.
User information input method

Select an input method for entering user information.

  • Manual Input — Enter the user ID and Password for the VPN connection. You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.
  • Connector interworking — Choose a connector from the User information Connector. All the connectors are listed in Advanced > System Integration > Directory Connector.
  • User Information — Use the user information registered in Knox Manage to access the VPN.
PPP Encryption (MPPE) Allows encrypting data for the VPN connection.
DNS search domain Enter the DNS name.
DNS server Enter the DNS server address.
Forwarding route This is automatically entered when Subnet Bits is selected.
Subnet Bits Set the value to none, or select a value from /1 to /30.

Certificate

Allows using new certificate authority (CA) certificates and configuring the certificate settings.

You can install a user certificate on a device and use the certificate through Wi-Fi or on websites. Click add to add a configuration.

You can add or edit up to 20 configurations when you save the profile.

Policy Description
Configuration Assign a unique ID for each certificate setting.
Description Enter a description for each certificate setting.
User certificate input method

Select an input method for entering certificate information.

  • EMM Management Certificate — Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.

    Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.

  • Connector interworking — Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Add external certificates.

    When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.

  • Issuing external CA — Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Add external certificates.
Certification category

Select a certification category when EMM Management Certificate is selected in User certificate input method.

  • CA certificate — Select a certificate to use from the CA certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as Root are included on the list.
  • User certificate — Select a certificate to use from the User Certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as User are included on the list.
