Android Management API policies

Enables all cameras.

Values

• Allow (default)
• Disallow

Work Profile on personally-owned device

Work Profile on company-owned device

Allows the device user to take screenshots on the device.

Values

• Allow (default)
• Disallow

Work Profile on personally-owned device

Work Profile on company-owned device

Allows the device user to add certificates on the device.

Values

• Allow
• Disallow

Fully managed device

Work Profile on personally-owned device

Work Profile on company-owned device

Allows the device user to add or remove accounts on the device.

Values

• Allow (default) — The device user can modify all accounts except those specified by the Account Blocklist policy.
• Disallow (Work Profile only) — The device user can't modify any accounts.

Work Profile on personally-owned device

Work Profile on company-owned device

Specifies account names that the device user can't modify or remove. Only available if the Account Modification policy is set to Allow.

Values

To add an account, enter the name, then click . To remove an account, click next to it.

Work Profile on personally-owned device

Work Profile on company-owned device

Controls the behavior of system updates on the device.

Values

• Automatic — When a system update is available, it downloads and installs immediately.
• Postpone — When a system update is available, it's delayed for 30 days. If the Freeze Period policy defines any freeze periods, the update also won't install during them.
• Windowed — When a system update is available, it downloads and installs during the next time window in the day, as defined by the Windowed policy.

When this policy is unset, the default system update behavior applies. On typical device setups, this means the device user decides when to download and install updates.

Specifies a time range during the day when system updates are permitted. Only available if the System Update policy is set to Windowed.

Values

Enter a start and end time for the update window, in 24-hour time format.

Specifies one or more date ranges during which system updates are postponed. When the device's system time is within a freeze period, all incoming system updates, including security patches, are blocked. Only available if the System Update policy is set to Postpone or Windowed.

Values

A freeze period can be a maximum of 90 days long, and there must be a 60-day gap between each period. Freeze periods can't overlap.

To add a freeze period, enter a month and day for the Start Date, enter a month and day for the End Date, then click .

To delete a freeze period, click next to it.

Allows the device user to mount physical media and media devices.

Values

• Allow (default)
• Disallow

Specifies the custom message on the lock screen.

Values

Enter the message in the text field. The message can be up to 4096 characters long. Click Lookup to browse and select available lookup items to add to the message.

Allows the device user to enable and use developer options and safe boot.

Values

• Allow
• Disallow (default)

Allows the device user to configure settings related to mobile network and data.

Values

• Allow (default)
• Disallow

Allows the device user to configure settings related to portable hotspot mode and tethering.

Values

• Allow (default)
• Disallow

Allows the device user to configure settings related to Wi-Fi access points.

Values

• Allow (default)
• Disallow

Enables connecting to Bluetooth devices.

Values

• Allow (default) — Enables Bluetooth.
• Disable On — Disables Bluetooth.

Allows the device user to configure settings related to Bluetooth.

Values

• Allow (default)
• Disallow

Enables transferring files over a USB connection.

Values

• Allow (default)
• Disallow

Allows device verification and data security using the Play Integrity API.

Values

• Apply

Fully Managed

Work Profile on personally-owned device

Work Profile on company-owned device

Select a measure.

Values

• Unenrollment (Factory Reset) (for DO only) — Unenrolls the device and performs a factory reset.
• Unenrollment (for PO only) — Unenrolls the device.

Select a measure.

Values

• Unenrollment (Factory Reset) (for DO only) — Unenrolls the device and performs a factory reset.
• Unenrollment (for PO only) — Unenrolls the device.

Specifies how long the device can idle before the screen locks.

Values

• 15 sec
• 30 sec
• 1 min
• 2 min
• 5 min
• 10 min

If this value is not set, then the screen lock timeout falls back to the duration specified in the device settings.

Applies and enforces password rules and restrictions.

Values

• Apply

If this value is unset, then the password has no restrictions.

Work Profile on personally-owned device

Work Profile on company-owned device

Specifies the minimum strength or complexity of the device's lock. Only available if the Password policy is set to Apply.

Values

For Android 11 and lower devices, choose a minimum strength level for the lock. Each strength level uses a lock type with minimum strength requirements. For PINs and passwords, you can specify the minimum length. The strength levels are:

• Weak Biometric — A biometric recognition method.
• Pattern — A pattern.
• Numeric — A PIN.
• Numeric Complex — A pin with no repeating (4444) or ordered (1234, 4321, 2468) sequences.
• Alphabetic — A password with letter characters.
• Alphanumeric — A password with alphanumeric characters.
• Complex — A password with alphanumeric and special characters.

For the primary profile on Android 12 and higher devices, choose a complexity level for the lock. Each complexity level uses a lock type with escalating pre-defined restrictions. The device user can't set a lock that's less complex than the chosen level. You must also define all additional minimum restrictions of the complexity by setting every password sub-policy, such as Minimum Number of Letters and so on. The complexity levels are:

• Complexity Low — A pattern or PIN, with repeating (4444) and ordered (1234, 4321, 2468) sequences allowed.
• Complexity Medium — A PIN without repeating (4444) or ordered (1234, 4321, 2468) sequences. Or, a password with 4 or more characters.
• Complexity High — A PIN with 8 or more characters, without repeating (4444) or ordered (1234, 4321, 2468) sequences. Or, a password with 6 or more characters.

Work Profile on personally-owned device

Work Profile on company-owned device

Specifies the minimum number of points (in the case of a pattern) or characters (in the case of a PIN or password) required in the lock. Only available if the Password Quality policy is set to PIN, Numeric Complex, Alphabetic, Alphanumeric, Complex, Complexity Low, Complexity Medium, or Complexity High.

Values

Enter a minimum length. The value can be 4–16.

Work Profile on personally-owned device

Work Profile on company-owned device

Specifies the minimum number of letters required in the password. Only available if the Password Quality policy is set to Complexity Low, Complexity Medium, or Complexity High.

Values

Enter the minimum number of letters. The value can be 1–10.

Work Profile on personally-owned device

Work Profile on company-owned device

Specifies the minimum number of non-letter characters required in the password. Only available if the Password Quality policy is set to Complexity Low, Complexity Medium, or Complexity High.

Values

Enter the minimum number of non-letters. The value can be 2–10.

Work Profile on personally-owned device

Work Profile on company-owned device

Specifies the minimum number of lowercase letters required in the password. Only available if the Password Quality policy is set to Complexity Low, Complexity Medium, or Complexity High.

Values

Enter the minimum number of lowercase letters. The value can be 3–10.

Work Profile on personally-owned device

Work Profile on company-owned device

Specifies the minimum number of uppercase letters required in the password. Only available if the Password Quality policy is set to Complexity Low, Complexity Medium, or Complexity High.

Values

Enter the minimum number of uppercase letters. The value can be 1–10.

Work Profile on personally-owned device

Work Profile on company-owned device

Specifies the minimum number of digits required in the password. Only available if the Password Quality policy is set to Complexity Low, Complexity Medium, or Complexity High.

Values

Enter the minimum number of digits. The value can be 1–10.

Work Profile on personally-owned device

Work Profile on company-owned device

Specifies the minimum number of special characters required in the password. Only available if the Password Quality policy is set to Complexity Low, Complexity Medium, or Complexity High.

Values

Enter the minimum number of special characters. The value can be 1–10.

Work Profile on personally-owned device

Work Profile on company-owned device

Specifies rules about how the lock changes over time, such as user changes to the lock, expiration, and minimum unlock parameters. Automatically enabled if the Password Quality policy is set.

Values

• Apply (automatic) — Enables password lifecycle settings. If the Password Quality policy is set, then this value is automatically selected.

Work Profile on personally-owned device

Work Profile on company-owned device

Specifies the minimum number of new locks that must be used before the device user can reuse a previous lock.

For example, if the lock is the password Knox123! and this policy is set to 10, the user must use ten other passwords before they can reuse Knox123!.

Values

Enter the minimum number of new locks before reuse is allowed. The value can be 1–10.

Work Profile on personally-owned device

Work Profile on company-owned device

Specifies the number of days before the lock must be reset.

Values

Enter a number of days. The value can be 0–365.

Work Profile on personally-owned device

Work Profile on company-owned device

Specifies the maximum number of incorrect unlock attempts before access is restricted.

Values

Enter the number of acceptable number of failed unlocks. The value can be 0–10.

Work Profile on personally-owned device

Work Profile on company-owned device

Specifies how long, in days, that a lock can violate the restrictions set by the Password Quality policy before the device user is blocked from accessing the device or Work Profile.

Values

Enter the number of days before the device blocks the user. The minimum value is 0. If set to 0, then the device user is immediately blocked. Must be less than the value of the Wipe After Days policy.

If this value is unset, then the device user isn't blocked for violating the lock restrictions.

Work Profile on personally-owned device

Work Profile on company-owned device

Specifies how long, in days, that a lock can violate the restrictions set by the Password Quality policy before the device is remotely wiped.

Values

Enter the number of days before the device blocks the user. The minimum value is 1. Must be greater than the value of the Block After Days policy.

If this value is unset, then the device user isn't blocked for violating the lock restrictions.

Work Profile on personally-owned device

Work Profile on company-owned device

Blocks device features and functionality are blocked when the screen is locked. This policy doesn't take effect until after a lock is set on the device.

Values

• Apply

If this value is unset, then KeyGuard is disabled.

Work Profile on personally-owned device

Work Profile on company-owned device

Specifies which device features and functionality are disabled when KeyGuard is enabled. Only available if the Keyguard policy is set to Apply.

Values

Select the features and functionality to disable:

• Trust Agent — Blocks the Smart Lock function, which unlocks the screen in certain conditions, such as during physical activity, at a specific geographic location, or when devices are added.
• Fingerprint — Blocks screen unlock through fingerprint scanning.
• Previews in Pop-ups — Hides content in app notifications on the lock screen.
• Face — Blocks screen unlock through face scanning.
• Biometric — Blocks screen unlock through iris scanning.

Work Profile on personally-owned device

Work Profile on company-owned device

Determines how to restrict apps on Google Play. In order to restrict an app, it must have a profile in the Knox Manage tenant.

Values

• Allowlist — Defines an allowlist that specifies all the apps that the device user can install. If an app isn't specified, the user can't install it from Google Play.
• Blocklist — Defines a blocklist that specifies which apps the device user can't install. If an app is specified, the user can't install it from Google Play. All other apps on Google Play can be installed.

If this value is not set, then no apps are restricted on Google Play.

Defines the allowlist or blocklist to restrict apps based on the value of the Play Store Mode policy. Only available if the Play Store Mode policy is set.

Values

Add apps to include or exclude. If the Play Store Mode policy is set to Allowlist, then this list defines an exclusive list of allowed apps. If that policy is set to Blocklist, then this list only defines apps that aren't allowed.

To add one or more apps:

1. Click Add. The Select Application dialog opens.
2. Select one or more apps, then click OK.

To remove an app, next to it.

Allows the device user to install apps from unknown sources.

Values

• Allow Install Device Wide — The device user can install untrusted apps to the primary and Work Profile.
• Allow Install In Personal Profile Only — The device user can install untrusted apps on the primary profile.
• Disallow Install (default) — The device user can't install untrusted apps.

Work Profile on personally-owned device

Work Profile on company-owned device

Instructs apps to skip any first-time user tutorials and hints, when available.

Values

• Allow — User tutorials and hints are hidden.
• Disallow (default) — User tutorials and hints show on first use.

Work Profile on personally-owned device

Work Profile on company-owned device

Allows the device user to install apps.

Values

• Allow (default)
• Disallow

Work Profile on personally-owned device

Work Profile on company-owned device

Allows the device user to remove apps.

Values

• Allow (default)
• Disallow

Work Profile on personally-owned device

Work Profile on company-owned device

Controls the use of Google Play Protect on the device.

Values

• User Choice — The device user can enable and disable Google Play Protect.
• Enforced — Enables Google Play Protect, and the user can't disable it.

Work Profile on personally-owned device

Work Profile on company-owned device

Controls how permissions are granted to apps.

Values

• Grant — Automatically grants all requested permissions to apps. On Android 12 and higher devices, the camera, microphone, and location permissions can't be automatically granted without user consent.
• Deny — Automatically denies all requested permissions to apps.
• Prompt (default) — The app prompts the device user to grant or deny permissions.

Work Profile on personally-owned device

Work Profile on company-owned device

Specifies a list of apps that are exempt from the permission behavior defined by the App Permission policy. Only available if the App Permission policy is set.

Values

To add one or more apps:

1. Click Add. The Select Application dialog opens.
2. Select one or more apps, then click OK.

To remove an app, click next to it.

Work Profile on personally-owned device

Work Profile on company-owned device

Enables delegated scopes for apps, which is a device policy controller function that grants elevated API and policy control to an app. An app with delegated scopes can dictate policies and configuration settings to other apps.application-app-delegation-scope

Values

• Apply — Enables delegation scopes.

If this value is unset, then delegation scopes are disabled.

Work Profile on personally-owned device

Work Profile on company-owned device

Configures delegated scopes for apps. Each configuration targets an app with a profile in the Knox Manage tenant and assigns scopes to it. You can only manage one delegation configuration per app. Only available if the App Delegation Scope Management policy is set to Apply.

Values

To assign delegated scopes to an app:

1. Click Select , then choose an app from the list in the Select Application window.
   • To add a system app, click Add Control Applicationto select it o Bulk Addto specify a list of them with an XLS file.
2. Select scopes to assign to the app from the Delegation Scopes list.
3. Click to add the configuration.

The available scopes are:

• Management of uninstalled packages
• Installing existing packages
• Selection of key chain certificates
• Certificate installation and management
• Managed configurations management
• Blocking uninstallation
• Permission policy and permission grant state
• Package access state
• Enabling system apps

To remove the delegated scopes for an app:

• Click next to the configuration.

Work Profile on personally-owned device

Work Profile on company-owned device

Allows apps to communicate across device profiles. For example, if the same calculator app were simultaneously installed on the device's personal profile and Work Profile, then both instances of the app could share data. This data sharing requires consent from the device user.

Values

• Allowlist — A list defined by the App List policy specifies which apps can communicate between profiles.

If this value is unset, then app connections are disabled.

Work Profile on personally-owned device

Work Profile on company-owned device

Specifies an allowlist of apps that can connect across device profiles. Only available if the Work and Personal Apps Connection policy is set to Allowlist.

Values

To add one or more apps:

1. Click Add. The Select Application dialog opens.
2. Select one or more apps, then click OK.

To remove an app, click next to it.

Work Profile on personally-owned device

Work Profile on company-owned device

Controls location data gathering on the device.

Values

• User Choice — Allows the device user to choose location data preferences.
• Enforced — Forces location data gathering.
• Disable — Blocks location data gathering.

Work Profile on personally-owned device

Work Profile on company-owned device

Enables the reception of Cell Broadcast messages on the device. Carriers use these messages to broadcast public warnings and emergencies to device users across entire regions, so you should exercise caution before disabling this technology.

Values

• Allow (default)
• Disallow

Allows the device user to mute the microphone and adjust its input level.

Values

• Allow
• Disallow

Allows the user to make outgoing phone calls.

Values

• Allow (default)
• Disallow

Allows the user to send and receive messages through SMS.

Values

• Allow (default)
• Disallow

Enables data roaming on the device.

Values

• Allow (default)
• Disallow

Allows the device user to copy and paste data between the personal profile and Work Profile.

Values

• Allow
• Disallow (default)

Work Profile on personally-owned device

Work Profile on company-owned device

Allows IT admins to set a custom message to warn the user when the data on the Work profile is wiped.

Values

• Apply — Use the Message pane to specify the notification message shown on the device.

Specifies the maximum duration, in days, that the device user can pause the Work Profile before their access is suspended. If the profile is paused for longer than this duration, all personal apps except for critical system apps (Phone, Messages, Google Play) are suspended and hidden. Work Profile apps are unaffected.

Values

Enter a pause timeout, in days. The value can be 3–30.

If this value is unset, then there is no maximum duration.

Work Profile on personally-owned device

Work Profile on company-owned device

Enables factory reset protection. When this security measure is enabled, if the device undergoes a factory reset it can't be reactivated without the previous user's Google Account.

Values

• Allow — Enables factory reset protection fo all devices that use this profile.
• Disallow (default) — Disables factory reset protection.

To enable factory reset protection:

1. Set this value to Allow.

2. For the the Google Account ID field, enter the email address of Google Account that will protect the devices that use this profile. This account must be appropriate for use by support providers.

   Caution

   As this account email and password might be shared with support providers, do not use your Google Account associated with Android Enterprise.

3. Click Go to Google API Webpage to generate user ID. The people.get operation page from Google's People API reference opens.
4. If you haven't already, sign in to the Google Account you specified earlier.

5. In the Try this method dialog, enter:

   • resourceNamefield — people/me
   • personalFieldsfield — metadata

6. Click EXECUTE.

   • You might be prompted to grant permission for the Google APIs Explorer to access the Google Account. If so, click Allowto grant all access.

   A 200 OK message shows, which contains the account's detailed information as JSON values.

7. Copy the value of the "ID" field in the message.
8. Back on the Knox Manage console, paste the copied ID value in the Google User ID field.
9. Click .

Assigns the name of the Wi-Fi configuration.

Values

Enter a name. The name must be unique among Wi-Fi configurations.

Adds a text description of the configuration for other admins.

Values

Enter a description.

Enter the SSID of the target Wi-Fi access point.

Values

Enter an SSID.

Hides the access point from the list of Wi-Fi networks on the device.

Values

• Allow
• Disallow (default)

Specifies the Wi-Fi security protocol and authentication scheme of the access point.

Values

• WEP-PSK
• WPA-PSK
• WPA-EAP

Specifies the password of the target Wi-Fi access point. Only available if the Security Type configuration setting is set to WEP-PSK or WPA-PSK.

Values

Enter a password.

Specifies the outer EAP authentication method. Only available if the Security Type configuration setting is set to WPA-EAP.

Values

• PEAP
• EAP-FAST
• EAP-TLS
• EAP-TTLS

Specifies the inner, tunneled EAP authentication method. Only available if the Security Type configuration setting is set to WPA-EAP.

Values

• PAP
• MSCHAP
• MSCHAPv2

Specifies how the user information and credentials are delivered. Only available if the Security Type configuration setting is set to WPA-EAP.

Values

• Manual Input
• Connector Interworking
• User Information

Specifies the user name to submit during authentication. Only available if the Security Type configuration setting is set to WPA-EAP and the User Information Input Method configuration setting is set to Manual Input.

Values

Enter a user name. Click Lookup to browse and select available lookup items to add to the name.

Specifies the password to submit during authentication. Only available if theSecurity Type configuration setting is set to WPA-EAP and the User Information Input Method configuration setting is set to Manual Input.

Values

Enter a password.

Specifies the directory connector to employ for the user. To learn more about directory connectors in Knox Manage, see Connect to AD/LDAP. Only available if the Security Type configuration setting is set to WPA-EAP and the User Information Input Method configuration setting is set to Connector Interworking.

Values

Select a connector from the list.

Specifies an anonymous ID for the user. Only available if the Security Type configuration setting is set to WPA-EAP.

Values

Enter a name

Specifies the confirmation method for the user certificate. Register an external certificate for each network configuration, and then verify each network configuration using that certificate. All users share this one certificate for each network configuration. Go to Advanced > Certificate > External Certificate to register network settings for each purpose. Only available if the Security Type configuration setting is set to WPA-EAP.

Values

• EMM Management Certificate (default)

Specifies the certificate to apply for the user. The user certificate (P12 or PFX file) corresponding to the obtained user information is applied along with a profile to verify the user. Only available if the Security Type configuration setting is set to WPA-EAP.

Values

Select a certificate from the list.

Specifies the root certificate to apply. The available certificates are those registered in Advanced > Certificate > External Certificate with the Purpose set to Wi-Fi and the Type set to Root. For more information on how to add an external certificate, see External certificates. Only available if the Security Type configuration setting is set to WPA-EAP.

Values

Select a certificate from the list.